The following RPMs are included in this version:
| RPM | Issue |
|---|---|
| augeas-libs-1.12.0-8.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild |
| - Ssh: parse Match options (RHBZ#1716359) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rsyslog: support include() directive (RHBZ#1652832) | |
| - Add patches for bugs 247 and 248 (JSON lens) | |
| - Disable static libraries, not needed in RHEL. | |
| - Rsyslog: support multiple actions in filters and selectors (RHBZ#1660884) | |
| - riscv64: Disable gnulib tests on riscv64 architecture. | |
| - New upstream release (RHBZ#1709416) | |
| * Fstab: allow leading whitespaces (RHBZ#1671950) | |
| - New upstream version 1.9.0 (RHBZ#1482713) | |
| - Add -static subpackage (RHBZ#1405600) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuild for readline 7.x | |
| - New upstream version 1.10.0 (RHBZ#1538846). | |
| - Remove upstream patch. | |
| - New tool ‘augmatch’. | |
| - Remove separate xorg.aug, included in upstream source | |
| - New upstream version 1.8.1. | |
| - Fixes CVE-2017-7555 (RHBZ#1482340). | |
| - New version | |
| - New version; removed patch pathx-whitespace-ea010d8 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Include new xorg lens from upstream | |
| - Install fadot | |
| - New version | |
| - Fix ownership of /usr/share/augeas. BZ 569393 | |
| - Fix parsing of mke2fs.conf files | |
| resolves: rhbz#1807010 | |
| - Grub: better handle invalid grub.conf files (RHBZ#1649262) | |
| - Sudoers: handle "always_query_group_plugin" option (RHBZ#1649299) | |
| - Update to 1.7.0 | |
| - Update to 1.3.0; remove all patches | |
| - New version | |
| - Grub: handle '+' in kernel command line options (RHBZ#1769314) | |
| - Fix parsing of semanage.conf ignoredirs | |
| resolves: rhbz#1931058 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 1.8.0 | |
| - Patches based on upstream fix for BZ 600141 | |
| - New version | |
| - New program /usr/bin/fadot | |
| - Don't package lenses in tests/ subdirectory. | |
| - New version | |
| - Fix completion with special characters in augtool. (RHBZ#1232224) | |
| - Krb5: improve handling of [dbmodules]; allow include/includedir directives | |
| everywhere (RHBZ#1798486) | |
| - Systemd: improve parsing of quoted variables of Environment (RHBZ#1798922) | |
| - Anaconda: new lens (RHBZ#1657192) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to version 0.7.4 | |
| - Add simple tests (RHBZ#1653994) | |
| - Fix /etc/sysconfig/network (RHBZ#904222). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Semanage: new lens (RHBZ#1652840) | |
| - Add "Provides: bundled(gnulib)" to augeas-libs, as it embeds gnulib | |
| (RHBZ#1653768) | |
| - Update to 1.4.0 | |
| - Update to 1.1.0; remove all patches | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New version | |
| - New version | |
| - Backport some upstream commits to fix few memory leaks, and potential | |
| memory issues (RHBZ#1602446) | |
| - New version | |
| - New version | |
| - Install vim syntax files | |
| - Add patch for Krb5, parse braces in values (RHBZ#1079444) | |
| - Update to 1.6.0 | |
| - New version; remove all patches | |
| - Update to 1.5.0 | |
| - Remove patch vim-ftdetect-syntax.patch. It's upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Fix ftdetect file for vim | |
| - Upstream patch proposed to fix GCC optimization bug (RHBZ#651992). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Update to 1.2.0, add check section | |
| - Update source URL to download.augeas.net (RHBZ#996032) | |
| - New version | |
| - Initial specfile | |
| - Add patch to resolve missing libxml2 requirement in augeas.pc. | |
| - fadot isn't being installed just yet | |
| - Add patch pathx-whitespace-ea010d8.patch to fix BZ 700608 | |
| - Remove upstream patches | |
| - New upstream version 1.10.1 | |
| autofs-5.1.4-114.el8_10.6.x86_64.rpm | - Add the /etc/sysconfig/autofs file, and supporting infrastructure in |
| the init script. | |
| - Add support for UNDERSCORE_TO_DOT for those who want it. | |
| - We no longer own /net. Move it to the filesystem package. | |
| - bz1638487 - Drop dependency on hesiod | |
| - actually update the spec file with the hesiod removal. | |
| - Related: rhbz#1638487 | |
| - Add in an error case that was omitted in the multi-over patch. | |
| - Update our auto.net to reflect the changes that went into 4.1.4_beta2. | |
| This fixes a problem seen by at least one customer where a malformed entry | |
| appeared first in the multimount list, thus causing the entire multimount | |
| to be ignored. This new auto.net places that entry at the end, purely by | |
| luck, but it fixes the problem in this one case. | |
| - fix status privilege error (bz627605). | |
| - Change hard-coded paths in the spec file to the %{_xxx} variety. | |
| - Update to upstream 4.1.2. | |
| - Add a STRIPDASH option to /etc/sysconfig/autofs which allows for | |
| compatibility with the Sun automounter options specification syntax in | |
| auto.master. See /etc/sysconfig/autofs for more information. Addresses | |
| bug 113950. | |
| - cthon corrections for shutdown patch below and fix shutdown expire. | |
| - Removed the /misc entry from the default auto.master. auto.misc has | |
| an entry for the cdrom device, and the preferred method of mounting the | |
| cd is via udev/hal. | |
| - bz1841456 - automount program crashes with "malloc(): invalid next size | |
| (unsorted)" | |
| - fix autofs mount options construction. | |
| - Related: rhbz#1841456 | |
| - bz1887681 - automount force unlink option (-F) does not work as expected | |
| on autofs-5.0.7-109.el7 | |
| - fix direct mount unlink_mount_tree() path. | |
| - fix unlink mounts umount order. | |
| - fix incorrect logical compare in unlink_mount_tree(). | |
| - use bit flag for force unlink mounts. | |
| - improve force unlink mounts option description. | |
| - remove logpri fifo on autofs mount fail. | |
| - add force unlink mounts and exit option. | |
| - cleanup stale logpri fifo pipes on unlink and exit. | |
| - Resolves: rhbz#1887681 | |
| - add configuration variable to control appending of global options (bz 214684). | |
| - add command option to set a global mount options string (bz 214684). | |
| - bz2023740 - autofs: send FAIL cmd/ioctl mess when encountering problems | |
| with mount trigger | |
| - fix kernel mount status notification. | |
| - Resolves: rhbz#2023740 | |
| - fix mntent.h not included before use of setmntent_r(). | |
| - rename program map parsing bug fix patch. | |
| - use CLOEXEC flag functionality for setmntent also, if present. | |
| - update patch fix initialization in rpc create_client() (bz821847). | |
| - Upstream source version 5.0.4. | |
| - fix portmap not trying proto v2. | |
| - fix libtirpc name clash (bz821847). | |
| - bz1841456 - automount program crashes with "malloc(): invalid next size | |
| (unsorted)" | |
| - initialize struct addrinfo for getaddrinfo() calls. | |
| - fix quoted string length calc in expandsunent(). | |
| - Resolves: rhbz#1841456 | |
| - fix email in last two changelog entries. | |
| - Add patch to use LDAP_DEPRICATED compile option. (bz #173833) | |
| - Ian has a new fix for replicated server and multi-mounts. Updated the | |
| patch for testing. Still beta. (Ian Kent) | |
| - improve hostname lookup error logging. | |
| - configure: allow cross compilation update. | |
| - fix date in changelog entry. | |
| - add LSB init script parameter block. | |
| - make nfs4 default for replicated selection configuration (bz579949). | |
| - add simple bind authentication option (bz579951). | |
| - add mutex call return check in defaults.c. | |
| - enable hesiod support over libbind | |
| - fix master map mount options matching. | |
| - fix master map bogus keyword match. | |
| - fix fix map entry duplicate offset detection. | |
| - add a number of fixes based on a Coverity report. | |
| - Fix a race between mounting a share and updating the cache in the parent | |
| process. If the mount completed first, the parent would not expire the | |
| stale entry, leaving it first on the list. This causes map updates to not | |
| be recognized (well, worse, they are recognized after the first expire, but | |
| not subsequent ones). Fixes a regression, bug #137026 (rhel3 bug). | |
| - include krb5.h in lookup_ldap.h (some openssl doesn't implicitly include it). | |
| - correct initialization of local var in parse_server_string. | |
| - The sort command no longer accepts options of the form "+0". This broke | |
| auto.net, so the option was removed. Fixes bz #172111. | |
| - Add bad chdir patch from Ian Kent. | |
| - Add a typo fix for the mtab lock file. | |
| - Nuke the stripdash patch. It didn't solve a problem. | |
| - add back test for nested mount in program map lookup. | |
| - I must have commented this out for a reason. I guess we'll | |
| find out soon enough. | |
| - bz2025963 - autofs service has not proper limits set to be able to handle many mounts | |
| - fix set open file limit. | |
| - improve descriptor open error reporting. | |
| - Resolves: rhbz#2025963 | |
| - RHEL-111930 - automount blocked when attempting to lookup ldap maps | |
| - fix missing unlock in sasl_do_kinit_ext_cc(). | |
| - Resolves: RHEL-111930 | |
| - remove URL tag as there is no official autofs wiki (bz529804). | |
| - check for path mount location in generic module. | |
| - dont fail mount on access fail. | |
| - change mount "device" from "automount" to the map name. | |
| - check for buffer overflow in mount_afs.c. | |
| - replace tempnam with mkdtemp. | |
| - Merged my and Ian's socket leak fixes into one, smaller patch. Only | |
| partially addresses bz #128966. | |
| - Fix some more echo lines for internationalization. bz #77820 | |
| - Revert the only one auto.master patch until we implement the +auto_master | |
| syntax. Temporarily addresses bz #133055. | |
| - Clarify documentation on direct maps. | |
| - Send automount daemons a HUP signal during reload. This tells them to | |
| re-read maps (otherwise they use a cached version). Patch from the autofs | |
| maintainer. | |
| - Remove old crufty coreutils requires | |
| - Fixed a problem with backwards compatibility. Specifying local | |
| maps without '/etc/' prepended to them now works. (bz #136038) | |
| - Bug 426401: CVE-2007-6285 autofs default doesn't set nodev in /net [rawhide] | |
| - use mount option "nodev" for "-hosts" map unless "dev" is explicitly specified. | |
| - revert wait for master map to be available at start. | |
| - cthon fix expire of wildcard and program mounts broken by recent | |
| patches. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - ignore "winbind" if it appears in "automount" nsswitch.conf (bz 214632). | |
| - clean up obsolete spec file directives. | |
| - Add patch to allow customization of arguments to the | |
| autofs-ldap-auto-master program (bz #187525). | |
| - Add patch to escape "#" characters in exports from auto.net | |
| program mount (bz#178304). | |
| - Fixed regression causing any entries after a wildcard in an | |
| indirect map to be ignored. (bz #151668). | |
| - Fixed regression which caused local hosts to be mounted instead | |
| of --bind local directories. (bz #146887) | |
| - fix add locality as valid ldap master map attribute (bz575863). | |
| - bz1638487 - Drop dependency on hesiod | |
| - better handle hesiod support not built in. | |
| - exclude hesiod support from configure options | |
| - remove hesiod depends. | |
| - Resolves: rhbz#1638487 | |
| - fix deadlock in alarm manager module. | |
| - expire individual submounts. | |
| - add ino_index locking. | |
| - fix nested submount expiring away when pwd is base of submount. | |
| - more expire re-work to cope better with shutdown following cthon tests. | |
| - allow hostname to start with numeric when validating. | |
| - update master map tokenizer to admit "slasify-colons" option. | |
| - update location validation to accept "_" (bz 219445). | |
| - set close-on-exec flag on open sockets (bz 215757). | |
| - update patch to prevent failure on empty master map. | |
| - if there's no "automount" entry in nsswitch.conf use "files" source. | |
| - add LDAP schema discovery if no schema is configured. | |
| - merge LDAP authentication update for GSSAPI (Jeff Moyer). | |
| - update default auth config to add options documentation (Jeff Moyer). | |
| - workaround segfaults at exit after using GSSAPI library. | |
| - fix not checking return in init_ldap_connection (Jeff Moyer). | |
| - Add conflicts kernel < 2.6.17. | |
| - Fix submount operation broken by connectathon updates. | |
| - fix bad token declaration in master map parser. | |
| - fix memory leak on reload (bz545137). | |
| - add build requires for gcc. | |
| - Umount loopback filesystems under automount points when stopping the | |
| automounter. | |
| - Uncomment the map expiry patch. | |
| - change a close to an fclose in lookup_file.c | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - bz1613630 - On Red Hat 7.x systems if you try to access local | |
| filesystems using the automounter through /net then the shell | |
| and mount could lock up *if* the filesystem you're accessing is | |
| double exported. | |
| - set bind mount as propagation slave. | |
| - add master map pseudo options for mount propagation. | |
| - Resolves: rhbz#1613630 | |
| - fix nonstrict multi-mount handling (bz 219383). | |
| - correct detection of duplicate indirect mount entries (bz 220799). | |
| - update source to latest upstream version. | |
| - this is essentially a consolidation of the patches already in this rpm. | |
| - add dist tag to match latest RHEL-5 package tag format. | |
| - Fixed one off bug in the submount-variable-propagation patch. | |
| (bz #143074) | |
| - Fixed a bug in the init script which wouldn't find the -browse | |
| option if it was preceded by another option. (fz #113494) | |
| - update to upstream release, 5.1.0. | |
| - fix reset flex scan buffer on init. | |
| - fix fix negative status being reset on map read. | |
| - fix out of order amd timestamp lookup. | |
| - fix ldap default schema config. | |
| - fix ldap default master map name config. | |
| - fix map format init in lookup_init(). | |
| - fix incorrect max key length in defaults get_hash(). | |
| - fix xfn sets incorrect lexer state. | |
| - fix old style key lookup. | |
| - fix expire when server not responding. | |
| - fix ldap_uri config update. | |
| - fix typo in conf_load_autofs_defaults(). | |
| - fix hash on config option add and delete. | |
| - add plus to path match pattern. | |
| - fix multi entry ldap option handling. | |
| - cleanup options in amd_parse.c. | |
| - allow empty value for some map options. | |
| - allow empty value in macro selectors. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - rebuilt | |
| - add map-type-in-map-name fix patch to sync with upstream and RHEL. | |
| - don't readmap on HUP for new mount. | |
| - add NIS_PARTIAL to map entry not found check and fix use after free bug. | |
| - RHEL-7997 - multi mount detection fails for share with blank+dash | |
| causing SEGV crash | |
| - fix multi-mount check. | |
| - Resolves: RHEL-7997 | |
| - fix compile error in defaults.c. | |
| - add serialization to sasl init. | |
| - dont allocate dev_ctl_ops too early. | |
| - fix incorrect round robin host detection. | |
| - fix race accessing qdn in get_query_dn(). | |
| - fix leak in cache_push_mapent(). | |
| - fix config entry read buffer not checked. | |
| - fix FILE pointer check in defaults_read_config(). | |
| - fix memory leak in conf_amd_get_log_options(). | |
| - fix signed comparison in inet_fill_net(). | |
| - fix buffer size checks in get_network_proximity(). | |
| - fix leak in get_network_proximity(). | |
| - fix buffer size checks in merge_options(). | |
| - check amd lex buffer len before copy. | |
| - add return check in ldap check_map_indirect(). | |
| - check host macro is set before use. | |
| - check options length before use in parse_amd.c. | |
| - fix some out of order evaluations in parse_amd.c. | |
| - fix copy and paste error in dup_defaults_entry(). | |
| - allow --with-systemd to take a path arg. | |
| - fix WITH_LIBTIRPC function name. | |
| - fix ipv6 libtirpc getport (bz1033918). | |
| - fix LDAP schema discovery. | |
| - fix default path used for unitdir. | |
| - fix changelog inconsistent dates. | |
| - bz1835547 - [RHEL8]autofs cannot mount samba/cifs shares that end with a | |
| dollar sign | |
| - fix trailing dollar sun entry expansion. | |
| - Resolves: rhbz#1835547 | |
| - Fixed tree mounts. | |
| - Corrected transcription error in autofs4-2.4.18 kernel module | |
| - fix rpc build error. | |
| - add sss lookup module. | |
| - teach automount about sss source. | |
| - fix "-fstype=nfs4" handling (bz 208757). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - correct test for existence of auth config file. | |
| - bz1689467 - path_resolution on an autofs managed path resets the timer. Can | |
| this be made configurable? | |
| - support strictexpire mount option. | |
| - Resolves: rhbz#1689467 | |
| - Fixed the duplicate map detection code to detect if maps try | |
| to mount on top of existing maps. | |
| - rename two incorrectly named patches. | |
| - add missing change entry to another patch. | |
| - fix ext4 "preen" fsck at mount. | |
| - add missing spec file entries for dir-type change (bz719208). | |
| - bz1912106 - Using -hosts option does not resolve host from /etc/hosts and mount | |
| fails | |
| - use defines for expire type. | |
| - remove unused function dump_master(). | |
| - fix additional typing errors. | |
| - make bind mounts propagation slave by default. | |
| - fix browse dir not re-created on symlink expire. | |
| - update list.h. | |
| - add hashtable implementation. | |
| - change mountpoint to mp in struct ext_mount. | |
| - make external mounts independent of amd_entry. | |
| - make external mounts use simpler hashtable. | |
| - add a hash index to mnt_list. | |
| - use mnt_list for submounts. | |
| - use mnt_list for amdmounts. | |
| - make umount_autofs() static. | |
| - remove force parameter from umount_all(). | |
| - fix remount expire. | |
| - fix stale offset directories disable mount. | |
| - use struct mnt_list to track mounted mounts. | |
| - use struct mnt_list mounted list for expire. | |
| - remove unused function tree_get_mnt_list(). | |
| - only add expire alarm for active mounts. | |
| - move submount check into conditional_alarm_add(). | |
| - move lib/master.c to daemon/master.c. | |
| - use master_list_empty() for list empty check. | |
| - add helper to construct mount point path. | |
| - add xdr_exports(). | |
| - remove mount.x and rpcgen dependencies. | |
| - dont use realloc in host exports list processing. | |
| - use sprintf() when constructing hosts mapent. | |
| - fix mnts_remove_amdmount() uses wrong list. | |
| - eliminate cache_lookup_offset() usage. | |
| - fix is mounted check on non existent path. | |
| - simplify cache_get_parent(). | |
| - set offset parent in update_offset_entry(). | |
| - remove redundant variables from mount_autofs_offset(). | |
| - remove unused parameter from do_mount_autofs_offset(). | |
| - refactor umount_multi_triggers(). | |
| - eliminate clean_stale_multi_triggers(). | |
| - simplify mount_subtree() mount check. | |
| - fix mnts_get_expire_list() expire list construction. | |
| - fix inconsistent locking in umount_subtree_mounts(). | |
| - fix return from umount_subtree_mounts() on offset list delete. | |
| - pass mapent_cache to update_offset_entry(). | |
| - fix inconsistent locking in parse_mount(). | |
| - remove unused mount offset list lock functions. | |
| - eliminate count_mounts() from expire_proc_indirect(). | |
| - eliminate some strlen calls in offset handling. | |
| - don't add offset mounts to mounted mounts table. | |
| - reduce umount EBUSY check delay. | |
| - cleanup cache_delete() a little. | |
| - rename path to m_offset in update_offset_entry(). | |
| - don't pass root to do_mount_autofs_offset(). | |
| - rename tree implementation functions. | |
| - fix program map multi-mount lookup after mount fail. | |
| - add some multi-mount macros. | |
| - remove unused functions cache_dump_multi() and cache_dump_cache(). | |
| - add a len field to struct autofs_point. | |
| - make tree implementation data independent. | |
| - add mapent tree implementation. | |
| - add tree_mapent_add_node(). | |
| - add tree_mapent_delete_offsets(). | |
| - add tree_mapent_traverse_subtree(). | |
| - fix mount_fullpath(). | |
| - add tree_mapent_cleanup_offsets(). | |
| - add set_offset_tree_catatonic(). | |
| - add mount and umount offsets functions. | |
| - switch to use tree implementation for offsets. | |
| - remove obsolete functions. | |
| - remove redundant local var from sun_mount(). | |
| - use mount_fullpath() in one spot in parse_mount(). | |
| - pass root length to mount_fullpath(). | |
| - remove unused function master_submount_list_empty(). | |
| - move amd mounts removal into lib/mounts.c. | |
| - check for offset with no mount location. | |
| - remove mounts_mutex. | |
| - Resolves: rhbz#1912106 | |
| - RHEL-12369 - autofs attempts to mount nonexistent ".hidden" filesystems | |
| - update patch "allow -null map in indirect maps". | |
| - Resolves: RHEL-12369 | |
| - amd lookup update lookup ldap to handle amd keys | |
| - inadvertently dropped from initial series. | |
| - amd lookup update lookup hesiod to handle amd keys | |
| - inadvertently dropped from initial series. | |
| - fix wildcard key lookup. | |
| - check for non existent negative entries in lookup_ghost(). | |
| - Fixed i18n bug #107461 | |
| - bz1689469 - [autofs] The log no longer print PID of automount process | |
| - remove autofs4 module load code. | |
| - add NULL check in prepare_attempt_prefix(). | |
| - update build info with systemd. | |
| - use flags for startup boolean options. | |
| - move close stdio descriptors to become_daemon(). | |
| - add systemd service command line option. | |
| - Resolves: rhbz#1689469 | |
| - bz1660145 - autofs.schema doesn't work in RHEL8 | |
| - update spec file doc inclusions for schema definition update. | |
| - Related: rhbz#1660145 | |
| - dont probe rdma mounts. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Comment out map expiry (and related) patch for an FC3 build. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Fix the large program map patch. | |
| - fix another expire regression introduced in the "mitigate manual umount" | |
| patch (bz 222872). | |
| - correct check for busy offset mounts before offset umount (bz 222872). | |
| - add a preun script to remove autofs | |
| - Stop automount from pinging hosts if there is only one host (#146887) | |
| - add patch to ignore the "bg" and "fg" mount options as they | |
| aren't relevant for autofs mounts (bz #184386). | |
| - Fix tag confusion. | |
| - make the init script only recognize redhat systems. Nalin seems to remember | |
| some arcane build system error that can be caused if we don't do this. | |
| - fix use after free in do_master_list_reset(). | |
| - include usage in usage message. | |
| - dont wait forever to restart. | |
| - add option description to man page. | |
| - fix null map entry order handling. | |
| - make description of default MOUNT_WAIT setting clear. | |
| - configure.in: allow cross compilation. | |
| - README: update mailing list subscription info. | |
| - allow non root user to check status. | |
| - fix systemd argument passing. | |
| - fix get_nfs_info() can incorrectly fail. | |
| - fix offset directory removal. | |
| - add correct patch for "fix improve mount location error reporting". | |
| - add correct patch for "fix fix wait for master source mutex". | |
| - update to release tar. | |
| - fix return check for getpwuid_r and getgrgid_r. | |
| - patch to give up trying to update exports list while host is mounted. | |
| - fix to "@network" matching. | |
| - patch to check for fstab update and retry if not updated. | |
| - dont connect at ldap lookup module init. | |
| - fix random selection option. | |
| - fix disable timeout. | |
| - fix strdup() return value check. | |
| - add patch to use "cifs" instead of smbfs and escape spaces | |
| in share names (bz #163999, #187732). | |
| - RHEL-84118 - autofs hang - autofs-5.1.4-114.el8_10.2 | |
| - fix lock ordering deadlock in expire_cleanup(). | |
| - change spec file %patchN to %patch -P N as required by rpm(8). | |
| - Resolves: RHEL-84118 | |
| - fix map entry duplicate offset detection. | |
| - Allow nsswitch.conf to not contain "automount:" lines. | |
| - remove SIGCHLD handler because it is no longer needed and was | |
| causing expire problems. | |
| - alter expire locking of multi-mounts to lock sub-tree instead of | |
| entire tree. | |
| - review verbose message feedback and update. | |
| - correction for expire of multi-mounts. | |
| - spelling corrections to release notes (Jeff Moyer). | |
| - add back sloppy mount option, removed for Connectathon testing. | |
| - disable mtab locking again. | |
| - Added work around for O(1) patch oddity. | |
| - update systemd scriptlet macros (bz850040). | |
| - fix parse confusion between attribute and attribute value. | |
| - fix get_query_dn not looking in subtree for LDAP search (missed | |
| second occurrence). | |
| - allow additional common LDAP attributes in map dn. | |
| - Resolves: rhbz#205997 | |
| - fix cache entries not being cleaned up on submount expire. | |
| - use intr option as hosts mount default. | |
| - sync kernel includes with upstream kernel. | |
| - dont umount existing direct mount on master re-read. | |
| - fix incorrect shutdown introduced by library reload fixes. | |
| - improve manual umount recovery. | |
| - dont fail on ipv6 address when adding host. | |
| - always read file maps multi map fix. | |
| - always read file maps key lookup fixes. | |
| - add support for LDAP_URI="ldap:/// |
| - change random multiple server selection option name to be consistent | |
| with upstream naming. | |
| - Update to autofs-5.1.1. | |
| - bz2208408 - autofs fails to start with combination of +auto.master and | |
| local direct map lookups after upgrading to 5.1.4-93.el8 | |
| - fix memory leak in sasl_do_kinit() (Coverity). | |
| - fix fix mount tree startup reconnect. | |
| - Resolves: rhbz#2208408 | |
| - fix a bug in the program map parsing routine | |
| - add upstream bug fix patches | |
| - add command line option to override is running check. | |
| - don't use proc fs for is running check. | |
| - fix fail on included browse map not found. | |
| - fix incorrect multi source messages. | |
| - clear stale flag on map read. | |
| - fix proximity other rpc ping timeout. | |
| - refactor mount request vars code. | |
| - make handle_mounts startup condition distinct. | |
| - fix submount shutdown handling. | |
| - try not to block on expire. | |
| - add configuration parameter UMOUNT_WAIT. | |
| - fix multi mount race. | |
| - fix nfs4 colon escape handling. | |
| - check replicated list after probe. | |
| - add replicated server selection debug logging. | |
| - update replicated server selection documentation. | |
| - use /dev/urandom instead of /dev/random. | |
| - check for mtab pointing to /proc/mounts. | |
| - fix interface config buffer size. | |
| - fix percent hack heap corruption. | |
| - fix "null" domain netgroup match for "-hosts" map. | |
| - Drop ancient 2.6 kernel patches from docs | |
| - fix synchronize of handle_mounts() shutdown. | |
| - fix submount tree not all expiring. | |
| - Code cleanup and fixes for connectathon tests. | |
| - fix array out of bounds accesses and cleanup couple of other alloca() calls. | |
| - Undo mistake in copy order for submount path introduced by rev 11 patch. | |
| - add check for alternate libxml2 library for libxml2 tsd workaround. | |
| - add check for alternate libtirpc library for libtirpc tsd workaround. | |
| - cleanup configure defines for libtirpc. | |
| - add WITH_LIBTIRPC to -V status report. | |
| - add libtirpc-devel to BuildRequires. | |
| - add nfs mount protocol default configuration option. | |
| - fix custom autofs.conf not being installed. | |
| - init qdn before use in get_query_dn(). | |
| - fix typo in update_hosts_mounts(). | |
| - fix hosts map update on reload. | |
| - fix incorrect committer changelog entries. | |
| - add current released upstream patches. | |
| - fix handling of master map entry update (bz # 193718). | |
| - fix program map handling of invalid multi-mount offsets. | |
| - bz1689466 - Sanitize autofs logging | |
| - make expire remaining log level debug. | |
| - bz1685805 - autofs doesn't expand macros in amd map selectors | |
| - allow period following macro in selector value. | |
| - fix macro expansion in selector values. | |
| - Resolves: rhbz#1689466 rhbz#1685805 | |
| - bz2025509 - Autofs auto.smb awk script fails on shares with dollar signs | |
| - fix double quoting in auto.smb. | |
| - fix double quoting of ampersand in auto.smb as well. | |
| - Resolves: rhbz#2025509 | |
| - bz1577700 - automount leaves FDs in half-open state | |
| - fix fd leak in rpc_do_create_client(). | |
| - Resolves: rhbz#1577700 | |
| - fix context init error (introduced by memory leak patch). | |
| - bz2213267 - filesystems mount and expire immediately | |
| - fix expire retry looping. | |
| - Resolves: rhbz#2213267 | |
| - correct test for libhesiod. | |
| - fix ipv6 name lookup check. | |
| - fix ipv6 rpc calls. | |
| - fix ipv6 configure check. | |
| - add piddir to configure. | |
| - add systemd unit support. | |
| - fix MNT_DETACH define. | |
| - fix call restorecon when misc device file doesn't exist. | |
| - Fixed the use of +ypmapname so the maps included with +ypmapname | |
| are used in the correct order. (In the past the '+' entries | |
| were always processed after local entries.) | |
| - fix mount point directory creation for bind mounts. | |
| - add quoting for exports gathered by hosts map. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - fix an RPC fd leak. | |
| - don't block signals we expect to dump core. | |
| - fix pthread push order in expire_proc_direct(). | |
| - fix fix LDAP result leaks on error paths. | |
| - report map not read when debug logging. | |
| - duplicate parent options for included maps. | |
| - update ->timeout() function to not return timeout. | |
| - move timeout to map_source. | |
| - fix kernel version check of version components. | |
| - dont retry ldap connect if not required. | |
| - check if /etc/mtab is a link to /proc/self/mounts. | |
| - fix nfs4 contacts portmap. | |
| - make autofs wait longer for shutdown. | |
| - fix sss map age not updated. | |
| - fix remount deadlock. | |
| - fix umount recovery of busy direct mount. | |
| - fix offset mount point directory removal. | |
| - remove move mount code and configure option. | |
| - fix remount of multi mount. | |
| - fix device ioctl alloc path check. | |
| - refactor hosts lookup module. | |
| - remove cache update from parse_mount(). | |
| - add function to delete offset cache entry. | |
| - allow update of multi mount offset entries. | |
| - add hup signal handling to hosts map. | |
| - Check the return code of is_local_addr in get_best_mount. (bz #169523) | |
| - fix some automount(8) typos (bz664178). | |
| - I reversed the checking for multimount entries, breaking those configs! | |
| This update puts the code back the way it was before I broke it. | |
| - fix localhost replicated mounts not working (bz 208757). | |
| - update hesiod module (Jeff Moyer). | |
| - add mutex to protect against overlapping mount requests. | |
| - update return from mount request to give more sensible NSS_* | |
| values. | |
| - fix stale initialization for file map instance. | |
| - remove now unused patch files (bz1020242). | |
| - bz2177998 - deadlock while reading amd maps | |
| - rebuild to avoid possible NVR problems. | |
| - Related: rhbz#2177998 | |
| - fix expire calling kernel more often than needed. | |
| - fix unlink of mount tree incorrectly causing autofs mount fail. | |
| - add miscellaneous device node interface library. | |
| - use miscellaneous device node, if available, for active restart. | |
| - device node and active restart fixes. | |
| - update is_mounted to use device node ioctl, if available. | |
| - fix task cancelation at shutdown (more) | |
| - fix concurrent mount and expire race with nested submounts. | |
| - Change Copyright to License in the spec file so it will build. | |
| - correct buffer length setting in autofs-5.0.3-fix-ifc-buff-size-fix.patch. | |
| - another try at fixing lexer matching map type in map name. | |
| - fix a couple of compiler warnings. | |
| - move autofs4 module loading back to init script (part bz # 194061). | |
| - Make local options apply to all maps in a multi-map entry. | |
| - ignore duplicate exports in auto.net. | |
| - add kernel version check function. | |
| - add function to check mount.nfs version. | |
| - reinstate singleton mount probe. | |
| - rework error return handling in rpc code. | |
| - catch EHOSTUNREACH and bail out early. | |
| - systemd support fixes. | |
| - fix segmentation fault in do_remount_indirect(). | |
| - bz1664561 - incorrect of start service command in autofs man page | |
| - fix incorrect systemctl command syntax in autofs(8). | |
| - Resolves: rhbz#1664561 | |
| - Implemented LDAP direct map handling for nisMap and automountMap schema | |
| - Fixed autofs4 ghosting patch for 2.4.19 and above (again) | |
| - Added locking to fix overlapping internal calls to (u)mount | |
| - Added wait for mtab~ to improve tolerance of overlapping external calls to (u)mount | |
| - Fixed ghosted directory removal after failed mount attempt | |
| - Fix broken multi-mounts. test patch. (Ian Kent) | |
| - Update to upstream version 5.0.7. | |
| - fix fix wait for master source mutex. | |
| - fix improve mount location error reporting (bz783496). | |
| - consolidate to beta6, including: | |
| - mode change update for config file. | |
| - correction to get_query_dn fix from beta5-4. | |
| - update source to 5.0.6. | |
| - fix ipv6 name for lookup fix. | |
| - add dir map-type patch. | |
| - don't close file handle for rootless direct multi-mount at mount. | |
| - wait submount expire thread completion when expire successful. | |
| - add inadvertently omitted server list locking in LDAP module. | |
| - lookup_init cleanup and fix missed memory leak. | |
| - use nis map order to check if update is needed. | |
| - fix couple of memory leaks in lookup_yp.c. | |
| - fix parse error in replicated server module. | |
| - add %config(noreplace) for auto.* config files. | |
| - revert miscellaneous device node related patches. | |
| - add missing check for zero length NIS key. | |
| - fix incorrect match of map type name when included in map name. | |
| - update rev 7 sasl callbacks patch. | |
| - bz1681956 - autofs changes blocked until gating tests are added | |
| - correct test name in gating.yaml. | |
| - Related: rhbz#1681956 | |
| - fix schema selection in LDAP schema discovery. | |
| - check for "*" when looking up wildcard in LDAP. | |
| - fix couple of edge case parse fails of timeout option. | |
| - add SEARCH_BASE configuration option. | |
| - add random selection as a master map entry option. | |
| - re-read config on HUP signal. | |
| - add LDAP_URI, LDAP_TIMEOUT and LDAP_NETWORK_TIMEOUT configuration options. | |
| - fix deadlock in submount mount module. | |
| - fix lack of ferror() checking when reading files. | |
| - fix typo in autofs(5) man page. | |
| - fix map entry expansion when undefined macro is present. | |
| - remove unused export validation code. | |
| - add dynamic logging (adapted from v4 patch from Jeff Moyer). | |
| - fix recursive loopback mounts (Matthias Koenig). | |
| - add map re-load to verbose logging. | |
| - fix handling of LDAP base dns with spaces. | |
| - handle MTAB_NOTUPDATED status return from mount. | |
| - when default master map, auto.master, is used also check for auto_master. | |
| - update negative mount timeout handling. | |
| - fix large group handling (Ryan Thomas). | |
| - fix for dynamic logging breaking non-sasl build (Guillaume Rousse). | |
| - eliminate NULL proc ping for singleton host or local mounts. | |
| - bz1912106 - Using -hosts option does not resolve host from /etc/hosts and mount | |
fails | |
| - fix unapplied patch. | |
| - remove unused variable from get_exports(). | |
| - Related: rhbz#1912106 | |
| - The lookup_yp module only dealt with YPERR_KEY, all other errors were | |
| treated as success. As a result, if the ypdomain was not bound, the | |
| subprocess that starts mounts would SIGSEGV. This is now fixed. | |
| - Option parsing in the init script was not precise enough, sometimes matching | |
| filesystem options to one of --ghost, --timeout, --verbose, or --debug. | |
The option-parsing patch addresses this issue by making the regexps much
| more precise. | |
| - Ian has rolled a third version of the replicated mount fixes. | |
| - fix include check full patch for file map of same name. | |
| - fix incorrect changelog entry for bug 1802251. | |
| - Related: rhbz#1802251 | |
| - re-instate v4 directory cleanup (bz# 193832 again). | |
| - backout master map lookup changes made to beta3. | |
| - change default master map from /etc/auto.master to auto.master | |
| so that we always use nsswitch to locate master map. | |
| - change default installed master map to include "+auto.master" | |
| to pickup NIS master map (all bz# 193831 again). | |
| - Correction to host name validation test for connectathon tests. | |
| - Pass a socket into clntudp_bufcreate so that we don't use up additional | |
| reserved ports. This patch, along with the socket leak fix, addresses | |
| bz #128966. | |
| - add missing "multi" map support. | |
| - add multi map nsswitch lookup. | |
| - expand export access checks to include missing syntax options. | |
| - make "-hosts" module try to be sensitive to exports list changes. | |
| - Update to upstream release 5.0.2. | |
| - Prevent startup if a mountpoint is already mounted. | |
| - fix initialization in rpc create_client() (bz821847). | |
| - Finish up with the merge breakage. | |
| - Temporary fix for the multimount detection code. It seems half-baked. | |
| - Fix a call to spawnl which forgot to specify a lock file. (nphilipp) | |
| - drop "DEFAULT_" prefix from configuration names. | |
| - add option to select replicated server at random (instead of | |
| ping response time) (bz 227604). | |
| - fix incorrect cast in directory cleanup routines (bz 231864). | |
| - remove fullstop from Summary tag. | |
| - change Buildroot to recommended form. | |
| - replace Prereq with Requires. | |
| - bz2216877 - When looking up included maps, sometimes autofs does not | |
| consult all the included files in order | |
| - fix the "fix incorrect matching of cached wildcard key" patch. | |
| - Related: rhbz#2216877 | |
| - correct shutdown log message print. | |
| - correct auth init test when no credentials required. | |
| - add free for working var in get_default_logging. | |
| - add initialisation for kver in autofs_point struct. | |
| - fix sources list corruption in check_update_map_sources. | |
| - fix memory leak in walk_tree. | |
| - fix memory leak in rpc_portmap_getport and rpc_ping_proto. | |
| - fix memory leak in initialisation of lookup modules. | |
| - remove ERR_remove_state() openssl call. | |
| - fix incorrect dclist free. | |
| - srv lookup handle endianness. | |
| - fix bug introduced by library reload changes which causes autofs to | |
| not release mount thread resources when using submounts. | |
| - fix notify mount message path. | |
| - try harder to work out if we created mount point at remount. | |
| - fix double free in do_sasl_bind(). | |
| - manual umount recovery fixes. | |
| - fix map type info parse error. | |
| - fix return start status on fail. | |
| - fix double free in expire_proc(). | |
| - bz1954430 - Please, rebuild autofs-5.1.4-66.el8 | |
| - rebuild with fixed binutils. | |
| - Resolves: rhbz#1954430 | |
| - misc man page fixes (bz948517). | |
| - Fix bug in get_best_mount, whereby if there is only one option, we | |
| choose nothing. This is primarily due to the fact that we pass 0 in to | |
| the get_best_mount function for the long timeout parameter. So, we | |
| timeout trying to contact our first and only server, and never retry. | |
| - fix gcc5 complaints (bz1204685). | |
| - Add beta map expiry code for wider testing. (Ian Kent) | |
| - Fix check for ghosting option. I forgot to check for it in DAEMONOPTIONS. | |
| - Remove STRIPDASH from /etc/sysconfig/autofs | |
| - Fix a socket leak in the rpc_subs, causing mounts to fail since we are | |
| running out of port space fairly quickly. | |
| - comment out /net and /misc from the default auto.master. /net is important | |
| since in a default shipping install, we can neatly co-exist with amd. | |
| - fix nobind man page description. | |
| - fix nested submount expire deadlock. | |
| - fix lsb init script header. | |
| - fix memory leak reading ldap master map. | |
| - fix st_remove_tasks() locking. | |
| - reset flex scanner when setting buffer. | |
| - zero s_magic is valid. | |
| - Bug 421371: CVE-2007-5964 autofs defaults don't restrict suid in /net [rawhide] | |
| - use mount option "nosuid" for "-hosts" map unless "suid" is explicitly specified. | |
| - bz2177998 - deadlock while reading amd maps | |
| - fix return status of mount_autofs(). | |
| - don't close lookup at umount. | |
| - fix deadlock in lookups. | |
| - don't delay expire. | |
| - make amd mapent search function name clear. | |
| - rename statemachine() to signal_handler(). | |
| - make signal handling consistent. | |
| - fix incorrect print format specifiers in get_pkt(). | |
| - eliminate last remaining state_pipe usage. | |
| - add function master_find_mapent_by_devid(). | |
| - use device id to locate autofs_point when setting log priority. | |
| - add command pipe handling functions. | |
| - switch to application wide command pipe. | |
| - get rid of unused field submnt_count. | |
| - fix mount tree startup reconnect. | |
| - fix unterminated read in handle_cmd_pipe_fifo_message() (Coverity). | |
| - Resolves: rhbz#2177998 | |
| - use weight only for server selection. | |
| - fix isspace() wild card substitution. | |
| - auto adjust ldap page size. | |
| - fix prune cache valid check. | |
| - fix mountd vers retry. | |
| - fix expire race. | |
| - add lsb force-reload and try-restart. | |
| - add export access list matching to "hosts" lookup module (bz # 193585). | |
| - Merge in the multi-over patch. This resolves an issue whereby multimounts | |
| (such as those used for /net) could be processed in the wrong order, | |
| resulting in directories not showing up in a multimount tree. The fix | |
| is to process these directories in order, shortest to longer path. | |
| - correct auto.net installed as auto.smb. | |
| - update LDAP auth - add autodetect option. | |
| - Fixed autofs4 ghosting patch for 2.4.19 and above (again) | |
| - Fixed autofs directory removal on failure of autofs mount | |
| - Fixed lock file wait function overlapping calls to (u)mount | |
| - Changed to sort -k 1, since that should be the same as +0. | |
| - link with full reloc options. | |
| - fix get_query_dn not looking in subtree for LDAP search. | |
| - allow syntax "--timeout |
|
| (bz 193948). | |
| - make masked_match independent of hostname for exports comparison | |
| (bz 209638). | |
| - correct configure test for ldap page control functions. | |
| - fix handling of autofs filesystem mount fail on init. | |
| - rebuild | |
| - bz2149206 - RHEL9: automount does not handle null option string after | |
| "-" anymore | |
| - fix changelog entry. | |
| - Related: rhbz#2149206 | |
| - bz1681956 - autofs changes blocked until gating tests are added | |
| - add gating.yaml for manual gate testing. | |
| - Related: rhbz#1681956 | |
| - change file map lexer to allow white-space only blank lines (bz 229434). | |
| - bz1664561 - incorrect of start service command in autofs man page | |
| - actually apply fix patch. | |
| - fix dates and recent status messages in changelog. | |
| - Related: rhbz#1664561 rhbz#1858742 | |
| - another easy alloca replacements fix. | |
| - remove extra read master map call. | |
| - remove extra cache create call in master_add_map_source(). | |
| - fix error handling in do_mount_indirect(). | |
| - expire thread use pending mutex. | |
| - explicitly link against the Kerberos library. | |
| - remove some log message duplication for verbose logging. | |
| - bz2148872 - autofs: errors in autofs-5.1.4-83.el8.x86_64 when restarting | |
| autofs with busy directories | |
| - fix incorrect path for is_mounted() in try_remount(). | |
| - Resolves: rhbz#2148872 | |
| - fix pidof init script usage. | |
| - Fix "Source:" URL and changelog annotations. | |
| - update "@network" matching patch. | |
| - Incorporate patch from Ian which fixes an infinite loop seen by those | |
| running older versions of the kernel patches (triggered by non-strict mounts | |
| being the default). | |
| - fix recursive mount deadlock. | |
| - increase file map read buffer size. | |
| - handle new location of systemd. | |
| - Add a BuildPrereq for cyrus-sasl-devel | |
| - add upstream bug fixes | |
| - bug fix for mtab check. | |
| - bug fix for zero length nis key. | |
| - update for ifc buffer handling. | |
| - bug fix for kernel automount handling. | |
| - warning: I found a bunch of patches that were present but not | |
| being applied. | |
| - remove redundant rpath link option (prep for move to Extras). | |
| - clear rpc client on lookup fail. | |
| - add error handling for ext_mount_add(). | |
| - account for recent libnsl changes. | |
| - use_hostname_for_mounts shouldn't prevent selection among replicas. | |
| - fix monotonic_elapse. | |
| - Makefiles.rules: remove 'samples' from SUBDIRS. | |
| - Update to upstream 4.1.3. | |
| - bz2232402 - autofs attempts to mount nonexistent ".hidden" filesystems | |
| - allow -null map in indirect maps. | |
| - Resolves: rhbz#2232402 | |
| - bz1660145 - autofs.schema doesn't work in RHEL8 | |
| - update ldap READMEs and schema definitions. | |
| - Resolves: rhbz#1660145 | |
| - bz2139504 - segfault due to lookup_mod->context address being freed | |
| and reused while multiple threads were using it | |
| - fix hosts map deadlock on restart. | |
| - fix deadlock with hosts map reload. | |
| - Related: rhbz#2139504 | |
| - update to upstream 5.1.3 release. | |
| - Fix ldap init code to parse server name and options correctly. | |
| - New map expiry patch from Ian. | |
| - Fix a couple signal races. No known problem reports of these, but they | |
are holes, nonetheless. | |
| - alter nfs4 host probing to not use portmap lookup and add options | |
| check for "port=" parameter (bz 208757). | |
| - correct semantics of "-null" map handling (bzs 214800, 208091). | |
| - fix parsing of bad mount mount point in master map (bz 215620). | |
| - fix use after free memory access in cache.c and lookup_yp.c (bz 208091). | |
| - eliminate use of pthread_kill to detect task completion (bz 208091). | |
| - fix interface address null check. | |
| - fix typo in patch to allow dumping core. | |
| - remove unnecessary nfs-utils BuildRequires (bz1277669). | |
| - bump again for double-long bug on ppc(64) | |
| - make default installed master map for /net use "-hosts" instead | |
| of auto.net. | |
| - fix included map recursive map key lookup. | |
| - Somehow the -browse patch either didn't get committed or got reverted. | |
| Fixed. | |
| - bz1858742 - autofs share doesn't mount when using nobind over RDMA where | |
| nfs-server and nfs-client are the same systems. | |
| - mount_nfs.c fix local rdma share not mounting. | |
| - Resolves: rhbz#1858742 | |
| - don't allow trailing slash in master map mount points. | |
| - fix libresolv configure check. | |
| - add fedfs-getsrvinfo.c. | |
| - add mount.fedfs.c. | |
| - add fedfs-map-nfs4.c | |
| - add conditional inclusion of fedfs binaries. | |
| - add an example fedfs master map entry to the installed master map. | |
| - bz1965862 - A recent Coverity change can cause an infinite loop on map reload | |
| - fix lookup_prune_one_cache() refactoring change. | |
| - bz1963129 - auto.master manpage doesn't mention -null or other built-in maps | |
| - add missing description of null map option. | |
| - Resolves: rhbz#1965862 rhbz#1963129 | |
| - remove unused option UNDERSCORETODOT from default config files. | |
| - RHEL-61670 - sporadic autofs daemon segfaults | |
| - fix submount shutdown race. | |
| - RHEL-52402 - Sporadic mount failures with amd program maps on RHEL8 | |
| - fix amd external mount error handling. | |
| - fix amd external mount mount handling. | |
| - don't free ext mount if mounted. | |
| - refactor amd function do_program_mount(). | |
| - refactor umount_amd_ext_mount(). | |
| - add flags argument to amd do_program_mount(). | |
| - Resolves: RHEL-61670 RHEL-52402 | |
| - fix timeout in connect_nb(). | |
| - bz1912106 - Using -hosts option does not resolve host from /etc/hosts and mount | |
fails | |
| - Coverity fixes | |
| - add missing free in handle_mounts(). | |
| - remove redundant if check. | |
| - fix possible memory leak in master_parse(). | |
| - fix possible memory leak in mnts_add_amdmount(). | |
| - fix double unlock in parse_mount(). | |
| - add length check in umount_subtree_mounts(). | |
| - fix flags check in umount_multi(). | |
| - don't try umount after stat() ENOENT fail. | |
| - remove redundant assignment in master_add_amd_mount_section_mounts(). | |
| - fix dead code in mnts_add_mount(). | |
| - fix arg not used in error print. | |
| - fix missing lock release in mount_subtree(). | |
| - fix double free in parse_mapent(). | |
| - refactor lookup_prune_one_cache() a bit. | |
| - cater for empty mounts list in mnts_get_expire_list(). | |
| - add ext_mount_hash_mutex lock helpers. | |
| - Related: rhbz#1912106 | |
| - cleanup defaults_read_config (Jeff Moyer). | |
| - Version 3 of Ian's map expiry changes. | |
| - Fixed documentation so users know that any local mounts override | |
| any other weighted mount. | |
| - bz1973025 - /net mount being not cleanly mounted and unmounted | |
| - correct patch, fix nonstrict offset mount fail handling. | |
| - Related: rhbz#1973025 | |
| - correct directory cleanup in mount modules. | |
| - merge key and wildcard LDAP query for lookups (bz 197746). | |
| - cthon fix some shutdown races. | |
| - update to upstream 5.1.2 release. | |
| - correct mkdir command in %install section, bz481132. | |
| - RHEL-72524 - autofs: deadlock between mnts_lookup_mount and mnts_remove_mount | |
| - fix deadlock in master_notify_submount(). | |
| - Resolves: RHEL-72524 | |
| - cthon fix expire of various forms of nested mounts. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - don't fail on master map self include. | |
| - fix wildcard multi map regression. | |
| - fix file descriptor leak when reloading the daemon. | |
| - deprecate nosymlink pseudo option. | |
| - add symlink pseudo option. | |
| - update kernel include files. | |
| - fix requires in spec file. | |
| - fix libtirpc build option. | |
| - fix systemd unitdir in spec file. | |
| - document browse option in man page. | |
| - fix automounter support on parisc. | |
| - correct return status from do_mkdir (bz 223480). | |
| - fix add null check in parse_server_string() (bz979155). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Added a variable to determine if we created the directory or not | |
so we don't accidentally remove a directory that we didn't create when
| we stop autofs. (bz #134399) | |
| - bz1974309 - Removal of default intr mount option while using -hosts | |
| and host.net | |
| - remove intr hosts map mount option. | |
| - fix previous changelog entry revision. | |
| - Resolves: rhbz#1974309 | |
| - allow global macro defines to override system macros. | |
| - correct spelling error in default config files missed by | |
| previous update. | |
| - misc correctness and a memory leak fix. | |
| - make double quote handling consistent (at least as much as we can). | |
| - fix handling of trailing white space in wildcard lookup (forward port bz 199720). | |
| - check fqdn of each interface when matching export access list (bz 213700). | |
| - Update patch for changed semantics of mkdir in recent kernels. | |
| - fix macro table locking (bz 208091). | |
| - fix nsswitch parser locking (bz 208091). | |
| - allow only one master map read task at a time. | |
| - fix misc memory leaks. | |
| - deal with changed semantics of mkdir in recent kernels. | |
| - Ported forward Red Hat's patches from 3.1.7 that were not already present | |
| in 4.1.0. | |
| - Moving autofs from version 3.1.7 to 4.1.0 | |
| - bz2161336 - Users can trigger a simple autofs DoS with wildcard automounter maps | |
| - fail on empty trailing replicated host name. | |
| - Resolves: rhbz#2161336 | |
| - tidy up directory cleanup and add validation check to rmdir_path. | |
| - another fix for don't fail on empty master map. | |
| - update "replace-tempnam" patch to create temp files in sane location. | |
| - update to upstream version 5.0.8 (bz1020242). | |
| - Add more general patch to translate "_" to "." in map names. (bz #147765) | |
| - use misc device ioctl interface by default, if available. | |
| - fix included map read fail handling. | |
| - refactor ldap sasl authentication bind to eliminate extra connect | |
| causing some servers to reject the request. | |
| - add mount wait parameter to allow timeout of mount requests to | |
| unresponsive servers. | |
| - special case cifs escape handling. | |
| - fix libxml2 workaround configure. | |
| - more code analysis corrections (and fix a typo in an init script). | |
| - fix backwards #ifndef INET6. | |
| - check for protocol option. | |
| - use ulimit max open files if greater than internal maximum. | |
| - tiny patch for autofs typo and possible bug. | |
| - add units After line to include statd service. | |
| - use systemd sd_notify() at startup. | |
| - add "BuildRequires: systemd-devel". | |
| - fix NFS version mask usage. | |
| - fix incorrect date in changelog. | |
| - More code cleanup and corrections for connectathon tests. | |
| - make negative cache update consistent for all lookup modules. | |
| - ensure negative cache isn't updated on remount. | |
| - don't add wildcard to negative cache. | |
| - make service want network-online (bz1071591). | |
| - bz1958487 - autofs amd mounts present in the configuration get umounted | |
| on reload | |
| - fix amd section mounts map reload. | |
| - bz1958485 - autofs amd type host mounts fail for certain host names | |
| - fix amd hosts mount expire. | |
| - Resolves: rhbz#1958487 rhbz#1958485 | |
| - Add openssl-devel to the BuildRequires, as it is needed for the LDAP | |
authentication bits also. | |
| - bz2139504 - segfault due to lookup_mod->context address being freed | |
| and reused while multiple threads were using it | |
| - coverity fix for invalid access. | |
| - Related: rhbz#2139504 | |
| - Fix the umount loop device function in the init script. | |
| - fix handling of quoted slash alone (bz 248943). | |
| - add "condrestart" to init script (bz 228860). | |
| - add "@network" and .domain.name export check. | |
| - fix display map name in mount entry for "-hosts" map. | |
| - Fix some bugs in the parser | |
| - allow -net instead of /etc/auto.net | |
| - Fix a buffer overflow with large key lengths | |
| - Don't allow autofs to unlink files, only to remove directories | |
| - change to the upstream reentrant syslog patch from the band-aid deferred | |
| syslog patch. | |
| - Get rid of the init script patch that hard-coded the release to redhat. | |
| This should be handled properly by all red hat distros. | |
| - use -fPIC instead of -fpic for modules and honor other RPM_OPT_FLAGS | |
| - bz1602447 - Please review important issues found by covscan in | |
| "autofs-5.1.4-18.el8+7" | |
| - Coverity fixes. | |
| - Resolves: rhbz#1602447 | |
| - bz2052122 - autofs attempts unmount on directory in use | |
| - make umount_ent() recognise forced umount. | |
| - remove nonstrict parameter from tree_mapent_umount_offsets(). | |
| - fix handling of incorrect return from umount_ent(). | |
| - Resolves: rhbz#2052122 | |
| - fix function to check mount.nfs version. | |
| - bz1593492 - Ignore trailing slashes at the end of executable maps in | |
| auto.master config file | |
| - add man page note about extra slashes in paths | |
| - Resolves: rhbz#1593492 | |
| - correct mistake in logic test in wildcard lookup. | |
| - fix race when setting task done (bz 227268). | |
| - update to beta4. | |
| - should address at least bzs 193798, 193770, 193831 and | |
| possibly 193832. | |
| - fix fd leak at multi-mount non-fatal mount fail. | |
| - fix incorrect multi-mount mountpoint calculation. | |
| - change conflicts to requires | |
| - fix license tag | |
| - Perform an icmp ping request before rpc_pings, since the rpc clnt_create | |
| function has a builtin default timeout of 60 seconds. This could result | |
| in a long delay when a server in a replicated mount setup is down. | |
| - For non-replicated server entries, ping a host before attempting to mount. | |
| (Ian Kent) | |
| - Change to %configure. | |
| - Put version-release into .version to allow for automount --version to | |
| print exact info. | |
| - Nuke my get-best-mount patch which always uses the long timeout. This | |
| should no longer be needed. | |
| - Put name into changelog entries to make them consistent. Add e:n-v-r | |
| into Florian's entry. | |
| - Stop autofs before uninstalling | |
| - remove ability to use multiple indirect mount entries in master | |
| map (bz 218616). | |
| - Rebuilt for libtirpc soname bump | |
| - actually apply fix use after free in do_master_list_reset(). | |
| - fix deadlock in dumpmaps. | |
| - fix rpcgen dependency problem. | |
| - review and fix master map options update for map reload. | |
| - Checked and merged most of the RedHat v3 patches | |
| - Fixed kernel module handling wu-ftpd login problem (again) | |
| - fix ipv6 link local address handling. | |
| - fix fix ipv6 libtirpc getport. | |
| - get_nfs_info() should query portmapper if port is not given. | |
| - fix rpc_portmap_getport() proto not set. | |
| - add missing BuildRequires. | |
| - mitigate manual umount of automounts where possible. | |
| - fix multiply recursive bind mounts. | |
| - check kernel module version and require 5.00 or above. | |
| - fix expire regression introduced in the "mitigate manual umount" patch. | |
| - still more on multiply recursive bind mounts. | |
| - don't fail on empty master map. | |
| - add support for the "%" hack for case insensitive attribute schemas. | |
| - Escape macros in %changelog | |
| - Update version label to avoid package update problems. | |
| - bz1654541 - autofs crash when parsing master map | |
| - fix hesiod string check in master_parse(). | |
| - Resolves: rhbz#1654541 | |
| - Only read one auto.master map (instead of concatenating all found sources). | |
| - Uncomment Ian's experimental mount expiry patch. | |
| - fix directory cleanup at exit. | |
| - update multi map nsswitch patch. | |
| - upstream fix for filesystem is local check. | |
| - disable exports access control check (bz 203277). | |
| - fix patch to add command option to set global mount options (bz 214684). | |
| - bz2165143 - Autofs reports can't connect to sssd, retry for 10 seconds when | |
| real problem is empty LDAP object | |
| - improve handling of ENOENT in sss setautomntent(). | |
| - don't immediately call function when waiting. | |
| - Resolves: rhbz#2165143 | |
| - bz1892184 - autofs: return a connection failure until maps have been fetched | |
| - fix lookup_nss_read_master() nsswitch check return. | |
| - fix typo in open_sss_lib(). | |
| - fix sss_master_map_wait timing. | |
| - add sss ECONNREFUSED return handling. | |
| - use mapname in sss context for setautomntent(). | |
| - add support for new sss autofs proto version call. | |
| - fix retries check in setautomntent_wait(). | |
| - refactor sss setautomntent(). | |
| - improve sss setautomntent() error handling. | |
| - refactor sss getautomntent(). | |
| - improve sss getautomntent() error handling. | |
| - sss introduce calculate_retry_count() function. | |
| - move readall into struct master. | |
| - sss introduce a flag to indicate map being read. | |
| - update sss timeout documentation. | |
| - refactor sss getautomntbyname(). | |
| - improve sss getautomntbyname() error handling. | |
| - use a valid timeout in lookup_prune_one_cache(). | |
| - don't prune offset map entries. | |
| - simplify sss source stale check. | |
| - Resolves: rhbz#1892184 | |
| - fix restart not working (bz624694). | |
| - bz1615782 - autofs master map age is incorrectly set | |
| - fix age setting at startup. | |
| - Resolves: rhbz#1615782 | |
| - bz2069097 - libnss_sss: threads stuck at sss_nss_lock from initgroups | |
| - don't use initgroups() at spawn. | |
| - Resolves: rhbz#2069097 | |
| - bz2130034 - automount -m crashes with Segmentation fault (core dumped) | |
| - fix invalid tsv access. | |
| - Resolves: rhbz#2130034 | |
| - Change LDAP message severity from crit to debug (bz# 183893). | |
| - Corrections to INSTALL and README.v5.release. | |
| - Add patch to fix segv on overlength map keys in file maps (Jeff Moyer). | |
| - Add patch to restrict scanning of /proc to pid directories only (Jeff Moyer). | |
| - update source to version 5.0.0_beta3. | |
| - add patch to remove extra debug print. | |
| - add patch to | |
| - fix memory alloc error in nis lookup module. | |
| - add "_" to "." mapname translation to nis lookup module. | |
| - add patch to add owner pid to mount list struct. | |
| - add patch to disable NFSv4 when probing hosts (at least for now). | |
| - add patch to fix white space handling in replicated server selection code. | |
| - add patch to prevent stripping of debug info macro patch (Jeff Moyer). | |
| - add patch to add sanity checks on rmdir_path and unlink (Jeff Moyer). | |
| - add patch to fix e2fsck error code check (Jeff Moyer). | |
| - fix master map source server unavailable handling. | |
| - add autofs_ldap_auth.conf man page. | |
| - fix random selection for host on different network. | |
| - make redhat init script more lsb compliant. | |
| - don't hold lock for simple mounts. | |
| - fix remount locking. | |
| - fix wildcard map entry match. | |
| - fix parse_sun() module init. | |
| - don't check null cache on expire. | |
| - fix null cache race. | |
| - fix cache_init() on source re-read. | |
| - fix mapent becomes negative during lookup. | |
| - check each dc server individually. | |
| - fix negative cache included map lookup. | |
| - remove state machine timed wait. | |
| - Add patch to support parsing nsswitch.conf to determine map sources. | |
| - Disable this patch, and Ian's map expiry patch for a FC build. | |
| - fix fuzz in CHANGELOG hunk when applying patch26. | |
| - Cleaned up and restructured my added code | |
| - Corrected ghosting problem with 2.4.19 and above | |
| - Added autofs4 ghosting patch for 2.4.19 and above | |
| - Implemented HUP signal to force update of ghosted maps | |
| - check base of offset mount tree is not a mount before umounting | |
| its offsets. | |
| - fix replicated mount parse for case where last name in list | |
| fails lookup. | |
| - correct indirect mount expire broken by the wildcard lookup fix. | |
| - fix up multi-mount handling when wildcard map entry present. | |
| - update source to version 5.0.3. | |
| - fixed numeric export match (bz 231188). | |
| - fix file map lookup when reading included or nsswitch sources. | |
| - a regression introduced by file map lookup optimisation in rev 9. | |
| - bz1961492 - autofs: regression in offset ordering | |
| - fix offset entries order. | |
| - use mapent tree root for tree_mapent_add_node(). | |
| - eliminate redundant cache lookup in tree_mapent_add_node(). | |
| - fix hosts map offset order. | |
| - fix direct mount deadlock. | |
| - Resolves: rhbz#1961492 | |
| - fix wait time resolution in alarm and state queue handlers (bz 247711). | |
| - Add in the deferred syslog patch. This fixes a hung automounter issue | |
| related to unsafe calls to syslog in signal handler context. | |
| - add caching of negative lookups to reduce unneeded map | |
| lookups (bz 197746 part 2). | |
| - fix negative caching of non-existent keys. | |
| - fix ldap library detection in configure. | |
| - use CLOEXEC flag functionality if present. | |
| - fix select(2) fd limit. | |
| - make hash table scale to thousands of entries. | |
| - fix libxml2 non-thread-safe calls. | |
| - fix direct map cache locking. | |
| - fix patch "dont umount existing direct mount on reread" deadlock. | |
| - rebuild for new ldap | |
| - don't use master_lex_destroy() to clear parse buffer. | |
| - make documentation for set-log-priority clearer. | |
| - bz2207801 - amd map format netgroup selector function not working | |
| - fix date for revision 104 changelog entry. | |
| - fix use_ignore_mount_option description. | |
| - include additional log info for mounts. | |
| - fix amd selector function matching. | |
| - get rid entry thid field. | |
| - continue expire immediately after submount check. | |
| - add buffer length checks to autofs mount_mount(). | |
| - eliminate realpath from mount of submount. | |
| - eliminate root param from autofs mount and umount. | |
| - remove redundant fstat from do_mount_direct(). | |
| - get rid of strlen call in handle_packet_missing_direct(). | |
| - remove redundant stat call in lookup_ghost(). | |
| - set mapent dev and ino before adding to index. | |
| - change to use printf functions in amd parser. | |
| - dont call umount_subtree_mounts() on parent at umount. | |
| - dont take parent source lock at mount shutdown. | |
| - eliminate buffer usage from handle_mounts_cleanup(). | |
| - fix possible use after free in handle_mounts_exit(). | |
| - make submount cleanup the same as top level mounts. | |
| - eliminate some more alloca usage. | |
| - add source parameter to module functions. | |
| - add ioctlfd open helper. | |
| - make open files limit configurable. | |
| - Resolves: rhbz#2207801 | |
| - add missing sasl mutex callbacks. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - fix stale initialization for file map instance patch was not applied. | |
| - Fix compile error. | |
| - fix incorrect pthreads condition handling for mount requests. | |
| - Fix potential double free in cache_release. This bug showed up in a | |
| multi-map setup. Two calls to cache_release would result in a SIGSEGV, | |
| and the automount process would never exit. | |
| - dont use array for path when not necessary. | |
| - fix prefix option handling in expand_entry(). | |
| - fix sublink option not set from defaults. | |
| - fix error return in do_nfs_mount(). | |
| - force disable browse mode for amd format maps. | |
| - fix hosts map options check in lookup_amd_instance(). | |
| - fix memory leak in create_client(). | |
| - fix memory leak in get_exports(). | |
| - fix memory leak in get_defaults_entry(). | |
| - fix out of order clearing of options buffer. | |
| - fix reset amd lexer scan buffer. | |
| - ignore multiple commas in options strings. | |
| - fix typo in flagdir configure option. | |
| - clarify multiple mounts description. | |
| - guard against incorrect umount return. | |
| - update man page autofs(8) for systemd. | |
| - remove ancient kernel Requires. | |
| - improve mount location error reporting. | |
| - fix paged query more results check. | |
| - fix dumpmaps not reading maps. | |
| - fix result null check in read_one_map(). | |
| - Fix LDAP result leaks on error paths. | |
| - code analysis fixes 1. | |
| - fix not bind mounting local filesystem. | |
| - update dir map-type patch for changed patch order. | |
| - fix wait for master source mutex. | |
| - fix submount shutdown race | |
| - fix fix map source check in file lookup. | |
| - add disable move mount configure option. | |
| - Moved the freeing of ap.path to cleanup_exit, as we would otherwise | |
| reference an already-freed variable. | |
| - make dump maps check for duplicate indirect mounts (bz961312). | |
| - document allowed map sources in auto.master(5) (bz961312). | |
| - add enable sloppy mount option to configure. | |
| - RHEL-18035 - SIGSEGV using hierarchical map entries on reload with | |
| autofs-5.1.4-109 | |
| - fix get parent multi-mount check in try_remount(). | |
| - fix deadlock in remount. | |
| - Resolves: RHEL-18035 | |
| - update the "task done race" patch to fix a deadlock. | |
| - added URL tag. | |
| - removed obsoletes autofs-ldap. | |
| - replaced init directory paths with %{_initrddir} macro. | |
| - bz2149206 - RHEL9: automount does not handle null option string after | |
| "-" anymore | |
| - fix concat_options() error handling. | |
| - fix minus only option handling in concat_options(). | |
| - Resolves: rhbz#2149206 | |
| - Fix init script to print out failures where appropriate. | |
| - Build the automount daemon as a PIE. | |
| - fix segv during library re-open. | |
| - fix incorrect pthreads condition handling for expire requests. | |
| - fix master map lexer eval order. | |
| - fix bad alloca usage. | |
| - use spec file systemd unit file location. | |
| - fix undefined authtype_requires_creds err if ldap enabled but without sasl. | |
| - fix master map type check. | |
| - fix task manager not getting signaled. | |
| - always read file maps mount lookup map read fix. | |
| - fix direct map not updating on reread. | |
| - add external bind method. | |
| - fix add simple bind auth. | |
| - add option to dump configured automount maps. | |
| - wait for master map to be available at start. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - fix error in %post scriptlet. | |
| - correct spelling error in default config. | |
| - fix default auth config not being installed. | |
| - change LDAP query method as my test db was incorrect. | |
| - change ldap defaults code to handle missing auth config. | |
| - fix mistake in parsing old style LDAP specs. | |
| - update LDAP so that new query method also works for old syntax. | |
| - Fix the install permissions for auto.master and auto.misc. | |
| - fix fix master map type check. | |
| - fix install permissions of auto.net and auto.smb. | |
| - bz1973025 - /net mount being not cleanly mounted and unmounted | |
| - fix nonstrict offset mount fail handling. | |
| - Resolves: rhbz#1973025 | |
| - add patch from rth to avoid an infinite loop | |
| - add ldaps support. | |
| - note: it's no longer possible to have multiple hosts in an ldap map spec. | |
| - note: to do this you need to rely on the ldap client config. | |
| - consolidate to rc3. | |
| - fix typo in Fix typo in var when removing temp directory (bz 221847). | |
| - add Conflicts to ensure we get fixed cyrus-sasl-lib for rev 21 change. | |
| - Added a patch to fix the automounter failing on ldap maps | |
| when it couldn't get the whole map. (ie. when the search | |
| limit was lower than the number of results) | |
| - fix version passed to get_supported_ver_and_cost (bz 249574). | |
| - cthon more parser corrections and attempt to fix multi-mounts | |
| with various combinations of submounts (still not right). | |
| - replace GPLv3 code with GPLv2 equivalent. | |
| - bz1802251 - Autofs will only mount share once if sss is first in | |
| nsswitch.conf | |
| - fix a regression with map instance lookup. | |
| - Resolves: rhbz#1802251 | |
| - Fix program maps so that they can have gt 4k characters. (Neil Horman) | |
| Addresses bz #138994. | |
| - Add a space after the colon here "Starting automounter:" in init script. | |
| Fixes bz #138513. | |
| - fix tokenizer to distinguish between global option and dn string (bz 214684). | |
| - fix incorrect return from spawn. | |
| - fix submount offset delete. | |
| - fix init script status return. | |
| - fix use get_proximity() without libtirpc. | |
| - don't use dirent d_type to filter out files in scandir(). | |
| - don't schedule new alarms after readmap. | |
| - use numeric protocol ids instead of protoent structs. | |
| - lib/defaults.c: use WITH_LDAP conditional around LDAP types. | |
| - make yellow pages support optional. | |
| - modules/replicated.c: use sin6_addr.s6_addr32. | |
| - workaround missing GNU versionsort extension. | |
| - fix "-fstype=nfs4" server probing (part 2 of bz 208757). | |
| - set close-on-exec flag on open files where possible (bz 207678). | |
| - fix master map lexer to admit "." in macro values. | |
| - misc fixes for things found while investigating map re-read problem. | |
| - fix lsb service name in init script 2 (bz712504). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - fix probe each nfs version in turn for singleton mounts (bz973537). | |
| - fix included map lookup. | |
| - fix directory cleanup on expire. | |
| - fix task cancelation at shutdown. | |
| - fix included map wild card key lookup. | |
| - fix file handle leak in nsswitch parser (bz 207678). | |
| - fix memory leak in mount and expire request processing (bz 207678). | |
| - add additional check to prevent running of cancelled tasks. | |
| - fix potential file handle leakage in rpc_subs.c for some failure | |
| cases (bz 207678). | |
| - fix file handle leak in included map lookup (bz 207678). | |
| - fix lsb service name in init script (bz692963). | |
| - fix fix gcc5 complaints. | |
| - update libtirpc workaround for new soname. | |
| - make use of spaces and tabs in spec file consistent. | |
| - escape embedded macro text in %changelog. | |
| - eliminate redundant %version and %release. | |
| - remove redundant conditional check from %clean. | |
| - remove redundant exit from %preun. | |
| - correct %defattr spec. | |
| - remove empty %doc and redundant %dir misc lines. | |
| - combine program module spec lines into simpler one line form. | |
| - Bug 397591 SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to |
|
| - prevent fork between fd open and setting of FD_CLOEXEC. | |
| - bz2216877 - When looking up included maps, sometimes autofs does not | |
| consult all the included files in order | |
| - fix incorrect matching of cached wildcard key | |
| - Resolves: rhbz#2216877 | |
| - fix LDAP lookup delete cache entry only if entry doesn't exist. | |
| - add missing socket close in replicated host check (Jeff Moyer). | |
| - enable mtab locking until I can resolve the race with it. | |
| - Update to 4.1.1, as it fixes problems with wildcards that people are | |
| seeing quite a bit. | |
| - bz1611866 - autofs reload is unable to activate new map entries, | |
| it is autofs restart which shows new map entries. | |
| - fix update_negative_cache() map source usage. | |
| - bz1613621 - [autofs]Removed entries still can be accessed | |
| - mark removed cache entry negative. | |
| - Resolves: rhbz#1611866 rhbz#1613621 | |
| - fix handling of autofs specific mount options (bz 199777). | |
| - Update to upstream 5.1.4 release. | |
| - check for nohide mounts (bz 442618). | |
| - ignore nsswitch sources that aren't supported (bz 445880). | |
| - remove empty command line arguments (passed by systemd). | |
| - fix flag file permission. | |
| - fix directory create permission. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - add patch to initialize sasl callbacks unconditionally on autofs | |
| LDAP lookup library load. | |
| - RHEL-90238 - autofs fails to mount shares when using kerberised LDAP (RHEL 8) | |
| - fix ldap sasl reconnect problem. | |
| - always recreate credential cache. | |
| - fix always recreate credential cache. | |
| - Resolves: RHEL-90238 | |
| - Fix up the one-auto-master patch. My "improvements" had side-effects. | |
| - revert fix libtirpc name clash patch (an old 5.0.6 patch). | |
| - update patches, documentation and comments only change. | |
| - rename patch and add to CVS. | |
| - fix rpc fail on large export list (bz543023). | |
| - fix typo in patch for incorrect pthreads condition handling patch. | |
| - Update to autofs-5.0.1-beta1. | |
| - mark map instances stale so they aren't "cleaned" during updates. | |
| - fix large file compile time option. | |
| - bz2139504 - segfault due to lookup_mod->context address being freed | |
| and reused while multiple threads were using it | |
| - fix parse module instance mutex naming. | |
| - serialise lookup module open and reinit. | |
| - Resolves: rhbz#2139504 | |
| - fix hosts map use after free. | |
| - fix uri list locking (again). | |
| - check for stale SASL credentials upon connect fail. | |
| - add "forcestart" and "forcerestart" init script options to allow | |
| use of 5.0.3 strartup behavior if required. | |
| - always read entire file map into cache to speed lookups. | |
| - make MAX_ERR_BUF and PARSE_MAX_BUF use easier to audit. | |
| - make some easy alloca replacements. | |
| - update to configure libtirpc if present. | |
| - update to provide ipv6 name and address support. | |
| - update to provide ipv6 address parsing. | |
| - Pass --libdir= to ./configure so we get this right on 64 bit platforms that | |
| support backwards compat. | |
| - bz2139504 - segfault due to lookup_mod->context address being freed | |
| and reused while multiple threads were using it | |
| - fix memory leak in update_hosts_mounts(). | |
| - Related: rhbz#2139504 | |
| - fix install mode of autofs_ldap_auth.conf. | |
| - Add a sysconfig entry to disable direct map support, and set this to | |
| 1 by default. | |
| - Disable the beta map expiry logic so I can build into a stable distro. | |
| - Add defaults for all of the sysconfig variables to the init script so | |
| we don't trip over user errors (i.e. deleting /etc/sysconfig/autofs). | |
| - Fixed a bug which caused directories to never be unmounted. (bz #134403) | |
| - bz2214444 - The sss lookup modules handles error return incorrectly | |
| in some cases | |
| - fix some sss error return cases. | |
| - Resolves: rhbz#2214444 | |
| - fix nobind sun escaped map entries. | |
| - fix use cache entry after free mistake. | |
| - fix ipv6 proximity calculation. | |
| - fix parse buffer initialization. | |
| - fix typo in automount(8). | |
| - correction to the correction for handling of LDAP base dns with spaces. | |
| - avoid using UDP for probing NFSv4 mount requests. | |
| - use libldap instead of libldap_r. | |
| - catch "-xfn" map type and issue "no supported" message. | |
| - another correction for handling of LDAP base dns with spaces. | |
| - Make autofs understand -[no]browse. Addresses fz #113494. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - add libsss_autofs as a build dependency. | |
| - fix lexer ambiguity in match when map type name is included in map name. | |
| - Add in the map expiry patch | |
| - Bring in other patches that have been committed to other branches. This | |
| version should now contain all fixes we have to date | |
| - Merge conflicts due to map expiry changes | |
| - Fix some merging breakages that caused the package not to build. | |
| - Add patch to implement directory ghosting and direct mounts | |
| - Add patch for autofs4 module to support ghosting | |
| - don't abuse the ap->ghost field on NFS mount. | |
| - multi-map doesn't pickup NIS updates automatically. | |
| - eliminate redundant DNS name lookups. | |
| - mount thread create condition handling fix. | |
| - allow directory create on NFS root. | |
| - check direct mount path length. | |
| - fix incorrect in check in get user info. | |
| - fix a couple of memory leaks. | |
| - promote to beta5. | |
| - updated hesiod patch. | |
| - add descriptive comments to config about LDAP schema discovery. | |
| - work around segfault at exit caused by libxml2. | |
| - fix foreground logging (also fixes shutdown needing extra signal bug). | |
| - bz1743442 - getmntent returns additional "-hosts" entries when | |
| automounter is used with "hosts" map (userspace part) | |
| - also use strictexpire for offsets (mounts). | |
| - change expire type naming to better reflect usage. | |
| - remove unused function has_fstab_option(). | |
| - remove unused function reverse_mnt_list(). | |
| - remove a couple of old debug messages. | |
| - fix amd entry memory leak. | |
| - fix unlink_mount_tree() not umounting mounts. | |
| - add ignore mount option. | |
| - use ignore option for offset mounts as well. | |
| - add config option for "ignore" mount option. | |
| - use bit flags for autofs mount types in mnt_list. | |
| - use mp instead of path in mnt_list entries. | |
| - always use PROC_MOUNTS to make mount lists. | |
| - add glibc getmntent_r(). | |
| - use local getmntent_r in table_is_mounted(). | |
| - refactor unlink_active_mounts() in direct.c. | |
| - don't use tree_is_mounted() for mounted checks. | |
| - use single unlink_umount_tree() for both direct and indirect mounts. | |
| - move unlink_mount_tree() to lib/mounts.c. | |
| - use local_getmntent_r() for unlink_mount_tree(). | |
| - use local getmntent_r() in get_mnt_list(). | |
| - use local getmntent_r() in tree_make_mnt_list(). | |
| - fix missing initialization of autofs_point flags. | |
| - Resolves: rhbz#1743442 | |
| - add some new upstream memory leak and use after free bug fixes. | |
| - fix wait for master map to be available at start. | |
| - Fixed an error in the init script which caused duplicate entries to be | |
| displayed when asking for autofs status. | |
| - rebuilt | |
| - bz1703876 - [RFE] Enable additional logging information for autofs | |
| - add NULL check for get_addr_string() return. | |
| - use malloc(3) in spawn.c. | |
| - add mount_verbose configuration option. | |
| - optionally log mount requestor process info. | |
| - log mount call arguments if mount_verbose is set. | |
| - Resolves: rhbz#1703876 | |
| - bz1612565 - Man page scan results for autofs | |
| - fix program usage message. | |
| - Resolves: rhbz#1612565 | |
| - Removed ineffective lock stuff | |
| - Added -n to bind mount to prevent mtab update error | |
| - Added retry to autofs umount to clean mtab after fail | |
| - Redirected messages from above to debug log and added info message | |
| - Fixed autofs4 module reentrancy, pwd and chroot handling | |
| - Program maps can repeat the last character of output. Fix this. | |
| Addresses bz #138606 | |
| - Return first entry when there are duplicate keys in a map. Addresses | |
| bz #140108. | |
| - Propagate custom map variables to submounts. Fixes bz #143074. | |
| - Create a sysconfig variable to control whether we source only one master | |
| map (the way sun does), or source all maps found (which is the default for | |
| backwards compatibility). Addresses bz #143126. | |
| - Revised version of the get_best_mount patch. (#146887) cfeist@redhat.com | |
| The previous patch introduced a regression. Non-replicated mounts would | |
| not have the white space stripped from the entry and the mount would fail. | |
| - Handle comment characters in the middle of the automount line in | |
| /etc/nsswitch.conf. Addresses bz #127457. | |
| - fix segfault upon reconnect cannot find valid base dn. | |
| - Change BuildPrereq to BuildRequires as per the package guidelines. | |
| - Add libxml2-devel to the BuildRequires, as it is needed for the LDAP | |
| authentication bits. | |
| - When using ldap if auto.master doesn't exist we now check for auto_master. | |
| Addresses bz #130079 | |
| - When using an auto.smb map we now remove the leading ':' from the path which | |
| caused mount to fail in the past. Addresses bz #147492 | |
| - Autofs now checks /etc/nsswitch.conf to determine in what order files & nis | |
| are checked when looking up autofs submount maps which don't specify a | |
| maptype. Addresses IT #57612. | |
| - Replace check-is-multi with more general multi-parse-fix. | |
| - Add fix for premature return when waiting for lock file. | |
| - Update copyright declaration for reentrant-syslog source. | |
| - Add patch for configure option to disable locking during mount. | |
| But don't disable locking by default. | |
| - Add ability to handle automount schema used in Sun directory server. | |
| - Quell compiler warning about getsockopt parameter. | |
| - Quell compiler warning about yp_order parameter. | |
| - bz1630190 - yum update hanging while restarting autofs | |
| - fix incorrect locking in sss lookup. | |
| - bz1630194 - after upgrading to autofs-5.0.7-83.el7.x86_64 on | |
| RHEL 7 clients, amd maps /defaults key mount options are no | |
| longer working | |
| - fix amd parser opts option handling. | |
| - Resolves: rhbz#1630190 rhbz#1630194 | |
| - fix directory creation for browse mounts. | |
| - fix wildcard map handling and improve nsswitch source map update. | |
| - fix changelog message commit dates. | |
| - RHEL-127179 - sssd autofs fails to get correct EHOSTDOWN if requested | |
| incorrect mount after upgrade to sssd-2.9.1-4.el8_9.5.x86_64 | |
| [rhel-8.10.z] | |
| - handle sss special case getautomntbyname() error. | |
| - Resolves: RHEL-127179 | |
| - and another try at fixing lexer matching map type in map name. | |
| - fix typo in libtirpc file name. | |
| - fix rework error return handling in rpc code. | |
| - allow MOUNT_WAIT to override probe. | |
| - improve UDP RPC timeout handling. | |
| - fix segfault in get_query_dn(). | |
| - use strtok_r() in linux_version_code(). | |
| - fix sss wildcard match. | |
| - fix dlopen() error handling in sss module. | |
| - fix configure string length tests for sss library. | |
| - bz1969210 - autofs: already mounted as other than autofs or failed to unlink | |
| entry in tree | |
| - fix empty mounts list return from unlink_mount_tree(). | |
| - Resolves: rhbz#1969210 | |
| - Fixed regression with -browse not taking effect. | |
| - Import 4.1.4 and merge. | |
| - Bump revision for inclusion in RHEL 3. | |
| - Change icmp ping to an rpc ping. (Ian Kent) | |
| - Fix i18n patch | |
| o Remove the extra \" from one echo line. | |
| o Use echo -e if we are going to do a \n in the echo string. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - correct config names in default.c (jpro@bas.ac.uk). | |
| - bz2033552 - Using -hosts option does not work after upgrading from 8.4 to 8.5 | |
| - fix root offset error handling. | |
| - fix nonstrict fail handling of last offset mount. | |
| - dont fail on duplicate offset entry tree add. | |
| - fix loop under run in cache_get_offset_parent(). | |
| - simplify cache_add() a little. | |
| - fix use after free in tree_mapent_delete_offset_tree(). | |
| - fix memory leak in xdr_exports(). | |
| - avoid calling pthread_getspecific() with NULL key_thread_attempt_id. | |
| - fix sysconf(3) return handling. | |
| - Resolves: rhbz#2033552 | |
| - fix parsing of numeric host names in LDAP map specs (bz 205997). | |
| - consolidate to rc2. | |
| - fix colon escape handling. | |
| - fix recursively referenced bind automounts. | |
| - update kernel patches. | |
| - bz1621938 - autofs can no longer get maps from IPA server | |
| - fix use after free in parse_ldap_config(). | |
| - Resolves: rhbz#1621938 | |
| - add after sssd dependency to unit file (bz984089). | |
| - fix libxml2 version check for deciding whether to use workaround. | |
| - fix "nosymlink" option handling and add description to man page. | |
|
|
|
| bluez-libs-5.63-5.el8_10.x86_64.rpm | - Update to 4.42 |
| - Fix rpmlint problems | |
| - Fix input device handling | |
| - Update to 4.58 | |
| - Update to 4.52 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 4.33 | |
| - Don't allow installing bluez-compat on its own | |
| - Update to 4.27 | |
| + bluez-5.50-2 | |
| - Fixing CVE-2018-10910 (#1606373) | |
| - This update fixes Sixaxis PS3 joypad detection | |
| - Add non-upstreamable patch to make bluetooth-sendto work again | |
| - Update to 4.47 | |
| - Fix a possible crasher | |
| - Work-around broken devices that export their names in ISO-8859-1 | |
| (#450081) | |
| - Update to 5.35 | |
| - Put hid2hci into its own (optional) subpackage, so that people who | |
| just want to use their HID proxying HCI with the keyboard and mouse | |
| it came with, will have things working out of the box. | |
| - Put udev rules in /lib/udev, where package installed udev rules belong | |
| - Update to 4.62 | |
| - Add -vif to autoreconf to fix build issues | |
| - Move the rfcomm.conf to the compat package, otherwise | |
| the comments at the top of it are confusing | |
| - Update to 4.50 | |
| - Fix SDP parsing to XML when it contains NULLs | |
| - Switch to on-demand start/stop using udev | |
| - A (slightly) different fix for parsing to XML when it contains a NULL | |
| - Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28 | |
| + bluez-5.52-5 | |
| - Fixing (#1961511) | |
| - Update to 4.22 | |
| - Obsolete blueman-nautilus as well | |
| - Update to 4.5 | |
| - Fix initscript to actually start bluetoothd by hand | |
| - Add chkconfig information to the initscript | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix NAP connections (rh #1230461) | |
| - rebuild for ICU 57.1 | |
| - Own /usr/lib*/bluetooth and children (#474632) | |
| - Rebuilt for libjson-c.so.3 | |
| - Enable pairing Wiimote support (#847481) | |
| - Update to 4.7 | |
| - Fix possible crasher on resume from suspend | |
| - Update to 5.33 | |
| - Update to 5.11 | |
| - bluez builds fine on s390(x) and the packages are required to build | |
| other packages, drop ExcludeArch | |
| - Update to 4.95 | |
| - sync release number (but not package) with F-14 | |
| - Update to 4.65 | |
| - Don't crash when audio devices are registered and the adapter | |
| is removed | |
| - Update to 4.98 | |
| - sdpd heap fixes | |
| Resolves: rhbz#1490911 | |
| - Rebuild for readline 7.x | |
| - rebuild for libical 2.0.0 | |
| - Update to 4.72 | |
| - Update to 5.41 | |
| - Update to 4.93 | |
| - Initial build | |
| - hid2hci was recently removed from udev and added to bluez in 4.93, | |
| udev in Fedora-16 no longer has hid2hci -> enable it in our bluez builds. | |
| This fixes bluetooth not working on machines where the bluetooth hci | |
| initially shows up as a hid device, such as with many Dell laptops. | |
| - Split obexd out into a sub package | |
| - Add patch for udev change to fix FTBFS on rawhide | |
| - Drop sbc patch as fixed in gcc 4.7 final | |
| - Update to 4.89 | |
| - Change main utils package name to 'bluez'; likewise its subpackages | |
| - Remove references to obsolete initscripts (hidd,pand,dund) | |
| - Configure systemctl settings for bluez-obexd correctly | |
| - Resolves rhbz#1259827 | |
| - Update to 5.8 | |
| - Hardened build | |
| - Use systemd rpm macros | |
| - New upstream 5.47 bugfix release | |
| - Initial support for Bluetooth LE mesh | |
| - Bluetooth 5 fixes and improvements | |
| - Update to 4.19 | |
| - don't require the pin helper on s390(x) now, we can disable the whole | |
| bluetooth stack in the future | |
| - Update to 4.94 | |
| + bluez-5.49-5 | |
| - Fix accessing NULL adv_manager (#1602779) | |
| - Update to 5.34 | |
| - Update to 4.82 | |
| - Rebuild for libical 3.x | |
| - Update to 4.57 | |
| - Fix problem unsetting discoverable | |
| + bluez-5.50-4 | |
| - Fixing CVE-2020-0556 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 4.77 | |
| - Rebuilt for libjson-c.so.4 (json-c v0.13.1) | |
| + bluez-5.49-3 | |
| - Fix crash on non-LE adapters (#1567622) | |
| - Update to 5.25 | |
| - Update to 5.42 | |
| + bluez-5.63-5 | |
| - Resolves: RHEL-35371 | |
| - Fixing CVE-2023-27349 | |
| - Resolves: RHEL-35492 | |
| - Fixing CVE-2023-51589 | |
| - SDP browse fixes | |
| - Update to 4.32 | |
| - Update to 4.96 | |
| - Update to 4.16 | |
| - Update to 5.48 | |
| - Enable bluetoothd on all upgrades from 4.87-6 and older, in order to fix up broken F15 installations | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| + bluez-5.52-4 | |
| - Fixing (#1885378) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Remove a few obsolete BRs and deps, thanks to Marcel Holtmann | |
| - Update to 5.10 | |
| - Update to 4.15 | |
| + bluez-5.47-4 | |
| - Fix invalid paths in service file (#1499518) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Update to 4.44 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Update to 4.45 | |
| - Default to the XDG cache dir for receiving files | |
| - Update to 5.14 | |
| + bluez-5.52-3 | |
| - Reverting the 5.52-2 patch due to some mismatch with upstream patch. | |
| - Update to 4.88 | |
| - Update to 5.32 | |
| - Update udev rules (#246840) | |
| - Update to 4.61 | |
| - Remove Wacom tablet enabler, now in the kernel | |
| - Fix linking with new DSO rules (#564799) | |
| - Update to 4.59 | |
| - Fix patch application | |
| - Obsolete blueman and obex-data-server | |
| - Update to 5.36 | |
| - disable 0001-Add-icon-for-other-audio-device.patch, already upstream | |
| - Fix the cups backend being a libtool stub | |
| - Rebuilt for gcc bug 634757 | |
| - Update to 4.56 | |
| + bluez-5.47-3 | |
| - Fix adapter name not picking up PrettyHostname | |
| - Update cable pairing plugin to use libudev | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 4.86 | |
| - Update to 4.6 | |
| - Switch Wacom Bluetooth tablet to mode 2 | |
| - And actually apply the aforementioned patch | |
| - Update to 4.17 | |
| - Update to 4.87 | |
| - Update to 5.31 | |
| - Update to 4.12 | |
| - Update to 5.37 | |
| - Fix sdp_copy_record(), so records are properly exported through D-Bus | |
| - Update to 5.44 | |
| - Enable deprecated option to keep all usual tools | |
| - Ship btattach tool | |
| - Minor spec cleanups | |
| + bluez-5.63-3 | |
| - Add back the tests for OSCI. | |
| - Update to 4.35 | |
| - Update to 4.14 | |
| - Fix cups discovery the first time we discover a device | |
| - Update to 4.90 | |
| + bluez-5.63-2 | |
| - Change default of ClassicBondedOnly to true to align with HID specification. | |
| - Resolves: RHEL-18429 | |
| - Fixing CVE-2021-41229 | |
| - Update to 4.85 | |
| - Clean up requires and build requires | |
| - Use CUPS macro (#772236) | |
| - Enable audio socket so a2dp works in PulseAudio again (#874015) | |
| - Fix hid2hci not working with recent kernels (#877998) | |
| - Re-add Requires: dbus-bluez-pin-helper, since blueman is now in | |
| - More upstream CUPS fixes | |
| - Install gatttool and mpris-proxy | |
| - Update to 4.28 | |
| - Update to 4.41 | |
| + bluez-5.56-1 | |
| - Fixing (#1965057) | |
| - Removing bccmd, enabling hid2hci as upstream removed the support in bluez-5.56 | |
| - Start/stop the bluetooth service via udev (#484345) | |
| - Bluez-alsa needs to provide/obsolete bluez-utils-alsa | |
| - Use versioned Obsoletes: | |
| - Update to 4.74 | |
| - Update to 4.30 | |
| - Remove socket interface enablement for A2DP (#964031) | |
| - Add patch to allow Sixaxis pairing | |
| - Update to 4.64 | |
| - Don't pull in -libs for the other subpackages | |
| - Remove a stray .la file | |
| + bluez-5.56-3 | |
| - Fixing (#2027434) | |
| - Fixing CVE-2021-41229 | |
| - Use bzipped upstream tarball. | |
| - Update to 4.66 | |
| - Update to 5.23 | |
| - Update patches to apply correctly | |
| - First compilable version with hostnamed support | |
| - Add script to autoload uinput on startup, so the PS3 remote | |
| works out-of-the-box | |
| - Enable unit tests (Marek Kasik) | |
| - Resolves: #1502677 | |
| - Make headers compilable with g++ 4.7 (bug #791292) | |
| - Update to 4.69 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 5.38 | |
| - Comment out Requires: dbus-bluez-pin-helper for bootstrapping. Otherwise | |
| it drags in the old blueman, built against python-2.6 | |
| + bluez-5.52-1 | |
| - Fixing (#1830397) | |
| - Fix pairing and using mice, due to recent BtIO changes | |
| - Update to 4.25 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 4.60 | |
| - Fix trust setting in Sixaxis devices | |
| - Move hidd, pand and dund man pages to the -compat | |
| sub-package (#593578) | |
| - Add rfkill plugin to restore the state of the adapters | |
| after coming back from a blocked adapter | |
| - Fix permissions on the udev rules (#479348) | |
| - Fix typo in init script (#558993) | |
| - Update to 4.9 | |
| - Update to 5.39 bugfix release | |
| - Update to 5.40 bugfix release | |
| - Update to 4.54 | |
| - Remove hid2hci calls, they're in udev now | |
| - Work-around udev bug, bluetoothd wasn't getting enabled | |
| on coldplug | |
| + bluez-5.63-4 | |
| - Resolves: RHEL-35501 | |
| - Fixing CVE-2023-50230 | |
| - Resolves: RHEL-35504 | |
| - Fixing CVE-2023-50229 | |
| - Update to 4.79 | |
| - Remove obsoleted patches | |
| - Add another CUPS backend patch | |
| - Update cable pairing patch for new build system | |
| - Update to 4.97 | |
| - Update to 4.8 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 5.5, based on earlier work from | |
| https://bugzilla.redhat.com/show_bug.cgi?id=974145 | |
| - Use git to manage distro patches | |
| - Add numerous upstream and downstream patches (#892929) | |
| - Update to 4.36 | |
| - Update to 4.38 | |
| - Update to 4.70 | |
| - Split off dund, pand, hidd, and rfcomm helper into a compat package | |
| (#477890, #473892) | |
| - Update to 4.99 | |
| - Add crasher fixes (rhbz #1027365) | |
| - Add mmx patch to fix build of sbc component | |
| - clean up spec, drop ancient obsoletes | |
| - Update to 5.28 | |
| - Update to 4.13 | |
| + bluez-5.46-4 | |
| - Patches cleanup | |
| - Add DualShock4 cable pairing support | |
| - BIND_NOW support for RELRO | |
| - iCade autopairing support | |
| + bluez-5.52-2 | |
| - Fixing (#1885378) | |
| - Update to 4.100 | |
| - Update to 4.39 | |
| - Update to 5.17 | |
| - Update to 5.46 | |
| - Update to 4.73 | |
| - Update to 4.11 | |
| - Update to 5.29 | |
| - Add scripts to automatically btattach serial-port / uart connected | |
| Broadcom HCIs found on some Atom based x86 hardware | |
| - Fix PulseAudio interaction on resume (#1534857) | |
| - Update to 5.45 | |
| - Minor spec cleanups | |
| - Include api docs in devel package | |
| + bluez-5.50-1 | |
| - Update to 5.50 (#1504689) | |
| - Update to 5.18 | |
| + bluez-5.63-1 | |
| - Fixing (#) | |
| - systemd hookup and cleanups from Lennart | |
| - Update to 4.4 | |
| - Update source address, and remove unneeded deps (thanks Marcel) | |
| - Up the required udev requires so bluetoothd gets started | |
| on boot when an adapter is present | |
| - Update to 4.34 | |
| - Update to 4.81 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Update to 4.18 | |
| - Update to 4.76 | |
| + bluez-5.50-3 | |
| - Bump the version | |
| - Add fuzz | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to 4.40 | |
| + bluez-5.47-2 | |
| - Lockdown Bluetooth systemd service | |
| - Update to 5.43 | |
| - Update to 5.12 | |
| - Sixaxis PS3 joypad support is now upstream | |
| - Update to 4.55 | |
| - Add libcap-ng support to drop capabilities (#517660) | |
| - fix header file | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Update to 4.46 | |
| - Fix D-Bus configuration for latest D-Bus (#475069) | |
| - Update to 5.30 | |
| - Use %license | |
| - Update systemd patch to make it possible to disable bluez | |
| - Update cable plugin for gudev changes | |
| - Update to 4.29 | |
| - Update to 4.71 | |
| - Update to 4.43 | |
| - Enable bluetoothd by default | |
| - Follow-up on https://bugzilla.redhat.com/show_bug.cgi?id=694519 also fixing upgrades | |
| + bluez-5.49-6 | |
| - Disabling Mesh Networking for crypto issue while code reviewing. | |
| - Avoid disconnecting audio devices straight after they're connected | |
| - Update to 4.21 | |
| - Fix OBEX connections | |
| - Update to 4.80 | |
| - Update to 4.78 | |
| - Update to 4.37 | |
| - Update to 4.26 | |
| - Update to 5.13 | |
| - Enable sixaxis plugin by default | |
| - Another pass at fixing A2DP support (#964031) | |
| - Own /var/lib/bluetooth (#468717) | |
| - Add patch to activate the Socket Mobile CF kit (#498756) | |
| - obexd fixes to prevent crashes | |
| - add /etc/bluetooth/main.conf config file | |
| - set 'AutoEnable=true' in /etc/bluetooth/main.conf file | |
| + bluez-5.56-2 | |
| - Fixing (#1968392) | |
| - Removing bccmd check from tests | |
| - Update to 5.9 | |
| - Update to 4.31 | |
| - Fix PS3 BD remote input event generation | |
| - Update to 4.51 | |
| - Add PS3 BD Remote patches (power saving) | |
| - Fix a couple of warnings in the CUPS/BlueZ 4.x patch | |
| - Update to 5.49 | |
| - Switch to %ldconfig_scriptlets | |
| - Update to 5.16 | |
| - Update to 4.63 | |
| - Update to 4.53 | |
| - Port CUPS backend to BlueZ 4.x | |
| - don't buildrequire libusb1 on s390* | |
| - Update to 4.10 | |
|
|
|
| bpftool-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| certmonger-0.79.17-2.el8.x86_64.rpm | - update to 0.21 |
| - getcert/*-getcert: relay the desired CA to the local service, whether | |
| specified on the command line (in getcert) or as a built-in hard-wired | |
| default (in *-getcert) (#584983) | |
| - flesh out the default certmonger.conf so that people can get a feel for | |
| the expected formatting (Jenny Galipeau) | |
| - allow for 'certmonger -P abstract:...' to work, too | |
| - fix a self-test that broke because one-year-from-now is now a day's worth | |
| of seconds further out than it was a few days ago | |
| - clarify that the command passed to getcert -C is a "post"-save command | |
| - add a "pre"-save command option to getcert, specified with the -B flag (#9) | |
| - after we notify of an impending not-valid-after approaching, don't do it | |
| again immediately | |
| - also save state when we exit due to SIGHUP | |
| - don't get tripped up when enrollment helpers hand us certificates which | |
| include CRLF line terminators (ticket #25) | |
| - be tolerant of certificate issuer names, subject names, DNS, email, and | |
Kerberos principal name subjectAltNames, and crl distribution point URLs | |
| that contain newlines | |
| - read and cache the certificate template extension in certificates | |
| - enforce different minimum key sizes depending on the type of key we're | |
| trying to generate | |
| - store DER versions of subject, issuer and template subject, if we have | |
| them (Jan Cholasta, ticket #26) | |
| - when generating signing requests with subject names that don't quite parse | |
| as subject names, encode what we're given as PrintableString rather than | |
| as a UTF8String | |
| - always chdir() to a known location at startup, even if we're not becoming | |
| a daemon | |
| - fix a couple of memory leaks (static analysis) | |
| - add missing buildrequires: on which | |
| - mostly documentation updates | |
| - when using an NSS database, skip loading the module database (#743042) | |
| - when using an NSS database, skip loading root certs | |
| - generate SPKAC values when generating CSRs, though we don't do anything | |
| with SPKAC values yet | |
| - internally maintain and use challenge passwords, if we have them | |
| - behave better when certificates have shorter lifetimes | |
| - add/recognize/handle notification type "none" | |
| - getcert: error out when "list -c" finds no matching CA (#743488) | |
| - getcert: error out when "list -i" finds no matching request (#743485) | |
| - update to 0.9 | |
| - run external submission helpers correctly | |
| - fix signing of signing requests generated for keys stored in files | |
| - only care about new interface and route notifications from netlink, | |
| and ignore notifications that don't come from pid 0 | |
| - fix logic for determining expiration status | |
| - correct the version number in self-signed certificates | |
| - update to 0.15 | |
| - notice that a directory with a trailing '/' is the same location as the | |
| directory without it | |
| - fix handling of the pid file when we write one (by actually giving it | |
| contents) | |
| - Rebuild for new annobin (#1708095) | |
| - initial package | |
| - Address more issues uncovered by static analysis (#1632449) | |
| - add a -w (wait) flag to the getcert's request/resubmit/start-tracking | |
| commands, and add a non-waiting status command | |
| - Rebuild for new annobin (#1708095) | |
| - update to 0.22 | |
| - new translations | |
| - de by Fabian Affolter! | |
| - certmaster-submit: don't fall over when we can't find a certmaster.conf | |
| or a minion.conf (i.e., certmaster isn't installed) (#588932) | |
| - when reading extension values from certificates, prune out duplicate | |
| principal names, email addresses, and hostnames | |
| - Fix local CA to work under FIPS (#1950132) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update gating requirements | |
| - avoid premature exit on CA data analysis failures (should fix an issue | |
| reported by Natxo Asenjo) | |
| - adjust internals of logic for talking to dogtag to at least have a | |
| concept of non-agent cases | |
| - when talking to an IPA server's internal Dogtag instance, infer which | |
| ports the CA is listening on from the "dogtag_version" setting in the | |
| IPA configuration (Ade Lee) | |
| - send a notification (or log a message, whatever) when we save a new | |
| certificate (#766167) | |
| - ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers, | |
| use discovery to find them (#1136900) | |
| - treat the ability to access keys in an NSS database without using a PIN, | |
| when we've been told we need one, as an error (#692766, really this time) | |
| - Rebase to 0.79.13 (#1891743) | |
| - Move systemd tmpfiles from /var/run to /run (#1804928) | |
| - Improve logging in the SCEP helper (#1807691) | |
| - Fix sort order of certificates passed into PKCS7_verify (#1808052) | |
| - Add -N option to SCEP helper to separate web server chain from | |
| SCEP issuer chain (#1808613) | |
| - Add template profile, MS v2 template and issuer to getcert list | |
| output (#1734451) | |
| - update %docs list because README is now README.md | |
| - log the state in 'getcert status' verbose mode | |
| - fix self-test errors that we trigger with new OpenSSL | |
| - fix a build error that would sometimes happen when we're told to | |
| build PIE binaries | |
| - quiet a compile warning | |
| - getcert: distinguish between {stat() succeeds but isn't a directory} and | |
| {stat() failed} when printing an error message (#739903) | |
| - getcert resubmit/start-tracking: when we're looking for an existing request | |
| by ID, and we don't find one, note that specifically (#741262) | |
| - explicitly require "dbus" to try to ensure we have a running system bus | |
| when we get started (#639126) | |
| - getcert: fix a buffer overrun preparing a request for the daemon when | |
| there are more parameters to encode than space in the array (#696185) | |
| - updated translations: de, es, id, pl, ru, uk | |
| - add a command option (-T) to getcert for specifying which enrollment | |
| profile to tell a CA that we're using, in case it cares (#10) | |
| - fix the "getcert start-tracking" -L and -l options (#1249753) | |
| - output diagnostics about the second request when scep-submit encounters an | |
| error during a second request to the SCEP server | |
| - Ensure that files read in have a trailing new-line (#1829490) | |
| - update to 0.72 | |
| - support generating DSA parameters and keys on sufficiently-new OpenSSL | |
| and NSS | |
| - support generating EC keys when OpenSSL and NSS support it, using key | |
| size to select the curve to use from among secp256r1, secp384r1, | |
| secp521r1 (which are the ones that are usually available, though | |
| secp521r1 isn't always, even if the other two are) | |
| - stop trying to cache public key parameters at all and instead cache public | |
| key info properly | |
| - encode the friendlyName attribute in signing requests as a BMPString, | |
| not as a PrintableString | |
| - catch more filesystem permissions problems earlier (more of #996581) | |
| - Fix use-after-free issue when retrieving CA chain (#1710632) | |
| - at startup, if we resume the state machine for a given certificate to a state | |
| which expects to have the newly-added lock already acquired, acquire it | |
| before moving on with the certificate's work (still aimed at fixing #883484) | |
| - update to 0.27 | |
| - portability and test fixes | |
| - update to 0.17 | |
| - fix a hang in the daemon (Rob Crittenden) | |
| - documentation updates | |
| - fix parsing of submission results from IPA (Rob Crittenden) | |
| - update to 0.6 | |
| - man pages | |
| - 'getcert stop-tracking' actually makes the server forget now | |
| - 'getcert request -e' was redundant, dropped the -e option | |
| - 'getcert request -i' now sets the request nickname | |
| - 'getcert start-tracking -i' now sets the request nickname | |
| - note that SELinux usually confines us to writing only to cert_t in | |
| doc/getting-started.txt (#765599) | |
| - fix crashes when we add a request during our first run when we're | |
| populating the hard-coded CA list | |
| - properly deal with cases where a path passed to us is "./XXX" | |
| - in session mode, create our data directories as we go | |
| - update to 0.23 | |
| - new translations | |
| - pl by Piotr Drąg! | |
| - cancel daemon startup if we can't gain ownership of our well-known | |
| service name on the DBus (#596719) | |
| - don't display PINs in "getcert list" output (#42) | |
| - clean up launching of a private instance in "getcert" | |
| - expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's | |
| own safety checks have an effect | |
| - backport record-keeping of key generation dates and counts of how many | |
| times we've gotten certificates using a given key pair | |
| - rework the state machine so that we save an issued certificate's associated | |
| CA certificates, then re-read the certificate, then run the post hook and | |
| issue notifications, in that order, instead of saving CA certificates after | |
| running the post hook, which was always a surprising order (#1131700) | |
| - add a generic dogtag-submit helper that doesn't include any IPA defaults, | |
to make it easier to know the difference between parameters it requires | |
| and parameters which are optional (#12) | |
| - Rebuild for rpm bug 1131960 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - backport change from git to not choke if X509_REQ_to_X509() fails when we're | |
| self-signing using OpenSSL | |
| - backport another change from git to represent this as a CA-rejected error | |
| - call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit | |
| and the -O and -o flags to dogtag-submit (#1244914) | |
| - don't discard the priority value in DNS SRV records | |
| - add a missing test case file (whoops) | |
| - read and cache whether or not we saw a noOCSPcheck extension in certificates | |
| - documentation updates | |
| - update to 0.79.2: | |
| - fix 'make distcheck' target | |
| - Fix test failure on some platforms | |
| - update to 0.24 | |
| - keep the lock on the pid file, if we have one, when we fork, and cancel | |
| daemon startup if we can't gain ownership of the lock (the rest of #596719) | |
| - make the man pages note which external configuration files we consult when | |
| submitting requests to certmaster and ipa CAs | |
| - fix a data loss bug when saving renewed certificates to NSS databases - the | |
| private key could be removed in error since 0.77 | |
| - fixes for bugs found by static analysis | |
| - fix self-tests when built with OpenSSL 1.0.2 | |
| - fix a failure in self-tests | |
| - Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - update to 0.28 | |
| - fix self-signing certificate notBefore and notAfter values on 32-bit | |
| machines | |
| - allow root to use our implementation of org.freedesktop.DBus.Properties | |
| - take more care to not emit useless PropertiesChanged signals | |
| - more gracefully handle manual daemon startups and cleaning up of unexpected | |
| crashes (still more of #596719) | |
| - start populating the optional unique identifier fields in self-signed | |
| certificates | |
| - update to 0.14 | |
| - check key and certificate location at add-time to make sure they're | |
| absolute paths to files or directories, as appropriate | |
| - IPA: dig into the 'result' item if the named result value we're looking | |
| for isn't in the result struct | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - add the "local" signer, a local toy CA that signs anything you'll | |
| ask it to sign | |
| - try to SIGHUP the messagebus daemon at first install so that it'll | |
| let us claim our service name if it isn't restarted before we are | |
| first started (#636876) | |
| - update to 0.19 | |
| - correctly initialize NSS databases that need to be using a PIN | |
| - add certmonger.conf, for customizing notification timings and settings, | |
| and use of digests other than the previously-hard-coded SHA256, and | |
| drop those settings from individual requests | |
| - up the default self-sign validity interval from 30 days to 365 days | |
| - drop the first default notification interval from 30 days to 28 days | |
| (these two combined to create a fun always-reissuing loop earlier) | |
| - record the token which contains the key or certificate when we're | |
| storing them in an NSS database, and report it | |
| - improve handling of cases where we're supposed to use a PIN but we | |
| either don't have one or we have the wrong one | |
| - teach getcert to accept a PIN file's name or a PIN value when adding | |
| a new entry | |
| - update the IPA submission helper to use the new 'request_cert' signature | |
| that's landing soon | |
| - more tests | |
| - update to 0.1 | |
| - Reformat certificates returned by Dogtag. Dogtag was including | |
| a spurious newline before -----END CERTIFICATE----- | |
| - retrieve CA information from CAs, if the helpers can do so, and | |
| add a command to explicitly refresh that data: "getcert refresh-ca" | |
| - offer to save CA certificates to files and databases, when specified with | |
| new -a and -F flags to getcert request/resubmit/start-tracking (#1098208, | |
| trac #31) | |
| - add IP address subject alternate names when getcert request/resubmit | |
| is passed the -A option (trac #35) | |
| - read and cache the freshestCRL extension in certificates | |
| - properly interpret KDC-unreachable errors encountered in the IPA | |
| submission error as a server-unreachable error that we will retry, | |
| rather than a misconfiguration error which we won't | |
| - don't let tests get tripped up by new formatting used in dos2unix status | |
| messages (#1099080) | |
| - updated translations | |
| - be explicit that we are going to use bashisms in test scripts by calling | |
| the shell interpreter as 'bash' rather than 'sh' (trac #27) | |
| - update to 0.79.4 | |
| - fix CA option name for ipa cert-request | |
| - fix minor memory leak | |
| - fix build warnings | |
| - fix an incorrect date in the .spec changelog | |
| - bump gettext version to avoid warning | |
| - require a single certificate to be specified to 'getcert status' (#1148001, | |
| - shorten the default help message which getcert prints when it's not given | |
| a specific command (#1131704) | |
| - add private listener (-l, -L, -P) mode to certmonger, to allow it to listen | |
| for connections directly from clients running under the same UID | |
| - add a command mode (-c) to certmonger, in which once it's started, it | |
| launches a specified command, and after that command exits, the daemon exits | |
| - when getcert is invoked with no bus running, if it's running as root, run | |
| certmonger in private listener mode with the same invocation of getcert as | |
| the command to start and wait for (#1134497) | |
| - self-tests: assume that certutil won't generate DSA keys with more than 1024 | |
| bits, and will often short us by a few | |
| - updates to 0.73 | |
| - getcert no longer claims to be stuck when a CA is unreachable, | |
| because the daemon isn't actually stuck | |
| - build as position-independent executables with early binding (#883966) | |
| - also don't tag the unit file as a configuration file (internal tooling) | |
| - Fix unit tests. NSS crypto policy disallows keys < 1024 | |
| - update to 0.8 | |
| - encode windows UPN values in requests correctly | |
| - watch for netlink routing changes and restart stalled submission requests | |
| - 'getcert resubmit' can force a regeneration of the CSR and submission | |
| - certmonger creates CSRs with invalid DER syntax for X509v3 extensions | |
| with critical=FALSE (#2012258) | |
| - Add long command-line options to man pages and help output (#1782838) | |
| - update to 0.10 | |
| - add some compiler warnings and then fix them | |
| - don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated | |
| array (#742348) | |
| - update to 0.79: | |
| - getcert now offers an option (-X) for requesting processing by a particular | |
| CA if the server we're contacting is running more than one | |
| - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for | |
| requesting BasicConstraints values | |
| - getcert now displays times in local time instead of UTC, which was | |
| previously the only way they were displayed; the --utc option can often be | |
| used to switch back to its previous behavior | |
| - the SCEP enrollment helper now correctly issues GetCACertChain requests to | |
| SCEP servers, instead of issuing a GetCAChain request, which isn't part of | |
| the protocol; from report by Jason Garland | |
| - when issuing SCEP requests, the ID of the CA included in the HTTP request | |
| is now URL-encoded, as it should be | |
| - renewal or notification-of-impending-expiration logic is now triggered | |
| closer to TTL thresholds rather than waiting for a periodic check to pass a | |
| threshold | |
| - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz | |
| for a lot of the legwork | |
| - resync .spec file with Fedora | |
| - upstream project migrated from fedorahosted.org to pagure.io | |
| - oops, rfc5280 says we shouldn't be populating unique identifiers, so | |
| make it a configuration option and default the behavior to off | |
| - Switch BR from /usr/include/popt.h to popt-devel | |
| - update to 0.79.3: | |
| - fix self-signing self-test cases that used DSA or EC keys | |
| - pull up a patch from master to adapt self-tests to certutil's diagnostic | |
| output having changed (#992050) | |
| - update to 0.20 | |
| - correctly parse certificate validity periods given in years (spotted by | |
| Stephen Gallagher) | |
| - setup for translation | |
| - es by Héctor Daniel Cabrera! | |
| - ru by Yulia Poyarkova! | |
| - uk by Yuri Chornoivan! | |
| - fix unpreprocessed defaults in certmonger.conf's man page | |
| - tweak the IPA-specific message that indicates a principal name also needs | |
| to be specified if we're not using the default subject name (#579542) | |
| - make the validity period of self-signed certificates into a configuration | |
| setting and not a piece of the state information we track about the signer | |
| - init script: exit with status 2 instead of 1 when invoked with an | |
| unrecognized argument (#584517) | |
| - Rebase to 0.79.7 (#1708095) | |
| - treat the ability to access keys in an NSS database without using a PIN, | |
| when we've been told we need one, as an error (#692766) | |
| - when handling "getcert resubmit" requests, if we don't have a key yet, | |
| make sure we go all the way back to generating one (#694184) | |
| - getcert: try to clean up tests for NSS and PEM file locations (#699059) | |
| - don't try to set reconnect-on-exit policy unless we managed to connect | |
| to the bus (#712500) | |
| - handle cases where we specify a token but the storage token isn't | |
| known (#699552) | |
| - getcert: recognize -i and storage options to narrow down which requests | |
| the user wants to know about (#698772) | |
| - output hints when the daemon has startup problems, too (#712075) | |
| - add flags to specify whether we're bus-activated or not, so that we can | |
| exit if we have nothing to do after handling a request received over | |
| the bus if some specified amount of time has passed | |
| - explicitly disallow non-root access in the D-Bus configuration (#712072) | |
| - migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172) | |
| - fix a couple of incorrect calls to talloc_asprintf() (#721392) | |
| - update to 0.34 | |
| - explicitly note the number of requests we're tracking in the output of | |
| "getcert list" (#652049) | |
| - try to offer some suggestions when we get certain specific errors back | |
| in "getcert" (#652047) | |
| - updated translations | |
| - es | |
| - update to 0.25 | |
| - new translations | |
| - in by Okta Purnama Rahadian! | |
| - fix detection of cases where we can't access a private key in an NSS | |
| database because we don't have the PIN | |
| - teach '*getcert start-tracking' about the -p and -P options which the | |
| '*getcert request' commands already understand (#621670), and also | |
| the -U, -K, -E, and -D flags | |
| - double-check that the nicknames of keys we get back from | |
| PK11_ListPrivKeysInSlot() match the desired nickname before accepting | |
| them as matches, so that our tests won't all blow up on EL5 | |
| - fix dynamic addition and removal of CAs implemented through helpers | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - update to 0.35 | |
| - self-test fixes to rebuild properly in mock (#670322) | |
| - fix an inconsistency in how we parse cookie values returned by CA helpers, | |
| in that single-line values would lose the end-of-line after a daemon | |
| restart, but not before | |
| - handle timeout values and exit status values when calling CA helpers | |
| in non-SUBMIT, non-POLL modes (#1118468) | |
| - rework how we save CA certificates so that we save CA certificates associated | |
| with end-entity certificates when we save that end-entity certificate, which | |
| requires running all of the involved pre- and post-save commands | |
| - drop package Requires: on systemd-sysv (#1104138) | |
| - Mass rebuild 2013-12-27 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild against fixed libtevent version | |
| - Update to upstream 0.79.17 (#2139523) | |
| - Certificate format validation when adding the SCEP server's CA (#2150025) | |
| - Certmonger SCEP renewal should not use old challenges (#2150030) | |
| - certmonger SEGV during rekey in FIPS mode (#2150070) | |
| - Fix test failure in 039-fromfile | |
| - modify the systemd .service file to be a proper 'dbus' service (more | |
| of #718172) | |
| - update to 0.13 | |
| - change the default so that we default to trying to auto-refresh | |
| certificates unless told otherwise | |
| - preemptively enforce limitations on request nicknames so that they | |
| make valid D-Bus object path components | |
| - update to 0.18 | |
| - add support for using encrypted storage for keys, using PIN values | |
| supplied directly or read from files whose names are supplied | |
| - don't choke on NSS database locations that use the "sql:" or "dbm:" | |
| prefix | |
| - serialize access to NSS databases and the running of pre- and post-save | |
| commands which might also access them (possibly fixing part of #883484) | |
| - update to 0.29 | |
| - fix 64-bit cleanliness issue using libdbus | |
| - actually include the full set of tests in tarballs | |
| - dogtag-submit: accept additional options to pass to the server when | |
| approving requests using agent creds (#1165155, patch by Jan Cholasta) | |
| - getcert: print help output when 'status' isn't given any args (#1163541) | |
| - Rebuild for xmlrpc-c | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Skip the keygen tests when executed as root. | |
| - add a --with-homedir option to configure, and use it, since subprocesses | |
| which we run and which use NSS may attempt to write to $HOME/.pki, and | |
| 0.69's strategy of setting that to "/" was rightly hitting SELinux policy | |
| denials (#1047798) | |
| - update to 0.79.1: | |
| - update translations | |
| - fix 'make archive' target | |
| - depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's | |
| not part of util-linux-ng | |
| - make the trust settings we apply to CA-supplied certificates while | |
| saving them to NSS databases run-time configurable | |
| - fix compiling against EL5-era OpenSSL | |
| - when saving CA certificates we pull from an IPA server, nickname | |
| it using the realm name with " IPA CA" appended rather than just | |
| naming it "IPA CA" | |
| - fix the local signer so that when it issues itself a new certificate, | |
| it uses the same subject name | |
| - add a -w flag to getcert's request, resubmit, and start-tracking | |
| commands, telling it to wait until either the certificate is issued, | |
| we get to a state where we know that we won't be able to get one, or | |
| we are waiting for a CA | |
| - avoid potential use-after-free after a CA is removed dynamically (thanks to | |
| Keenan Brock) (#1125342) | |
| - add an "external-helper" property to CA objects | |
| - Remove BR on mktemp. It is now provided by coreutils. | |
| - Patch to fix NSS handling of keys in sqlite databases | |
| - Patches to fix tests now that sqlite is the NSS default. | |
| - add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using | |
| an IPA server's internal Dogtag instance | |
| - export the requested profile and old certificate to enrollment helpers | |
| - make libxml and libcurl into hard build-time requirements | |
| - serialize all pre/save/post sequences to make sure that stop/save/start | |
| doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping | |
| a service while we muck with more than one of its certificates | |
| - update to 0.4 | |
| - Rebuilt for gcc bug 634757 | |
| - check for cases where we fail to allocate memory while reading a request | |
| or CA entry from disk (John Haxby) | |
| - only handle one watch at a time, which should avoid abort() during | |
| attempts to reconnect to the message bus after losing our connection | |
| to it (#1055521) | |
| - update to 0.26 | |
| - when canceling a submission request that's being handled by a helper, | |
| reap the child process's status after killing it (#624120) | |
| - fix a crash in the self-tests | |
| - read information about the keys we've just generated before proceeding | |
| to generating a CSR (part of #694184, part of #695675) | |
| - when processing a "resubmit" request from getcert, go back to key | |
| generation if we don't have keys yet, else go back to CSR generation as | |
| before (#694184, #695675) | |
| - configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger | |
| (#687899), and add a systemd tmpfiles.d control file for creating | |
| /var/run/certmonger on Fedora 15 and later | |
| - let session instances exit when they get disconnected from the bus | |
| - use a lock file to make sure there's only one session instance messing | |
| around with the user's files at a time | |
| - fix errors saving certificates to NSS databases when there's already a | |
| certificate there with the same nickname (#695672) | |
| - make key and certificate location output from 'getcert list' more properly | |
| translatable (#7) | |
| - document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit | |
| - stop checking that we can generate 512 bit keys during self-tests | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Mass rebuild 2014-01-24 | |
| - add a %trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA | |
| when we detect certmonger versions prior to 0.58 being installed, to | |
| avoid cases where some older versions choke on CAs with nicknames that | |
| contain characters that can't legally be part of a D-Bus name (#948993) | |
| - add a 'refresh' option to the getcert command | |
| - add a '-a' flag to the getcert command's 'refresh-ca' option | |
| - update to 0.38 | |
| - catch cases where we can't read a PIN file, but we never have to log | |
| in to the token to access the private key (more of #688229) | |
| - Add BuildRequires on python3-devel (#1615507) | |
| - instead of using killall to send a SIGHUP to the system bus daemon in %post | |
| to get it to reload its configuration, use dbus-send to send a ReloadConfig | |
| request over the bus (should fix #1277573) | |
| - avoid potential use-after-free and read overrun after a CA is added | |
| dynamically (thanks to Jan Cholasta) | |
| - Call the secport equivalent of PR_ErrorToString | |
| - Remove a couple of unused variables found by coverity | |
| - add a -K option to ipa-submit, to use the current ccache, which makes | |
| it easier to test | |
| - update to 0.16 | |
| - set a umask at startup (Dan Walsh) | |
| - update to 0.33 | |
| - new translations | |
| - id by Okta Purnama Rahadian! | |
| - updated translations | |
| - pl, uk | |
| - roll up assorted fixes for defects | |
| - update to 0.36 | |
| - fix some use-after-free bugs in the daemon (#689776) | |
| - fix a copy/paste error in certmonger-ipa-submit(8) | |
| - getcert now suppresses error details when not given its new -v option | |
| (#683926, more of #681641/#652047) | |
| - updated translations | |
| - de, es, pl, ru, uk | |
| - indonesian translation is now for "id" rather than "in" | |
| - Improve handling of NSS tokens (#1624930) | |
| - Pull in upstream fixes discovered in coverity and clang (#1632449) | |
| - when generating keys using OpenSSL, if key generation fails, try | |
| again with the default key size, in case we're in FIPS mode | |
| - documentation updates | |
| - update to 0.30 | |
| - fix errors computing the time at the end of an interval that were | |
| caught by self-tests | |
| - updates for 0.73 | |
| - set the flag to encode EC public key parameters using named curves | |
| instead of the default of all-the-details when using OpenSSL | |
| - don't break when NSS supports secp521r1 but OpenSSL doesn't | |
| - also pass the CA nickname to enrollment helpers in the environment as | |
| a text value in "CERTMONGER_CA_NICKNAME", so they can use that value | |
| when reading configuration settings | |
| - also pass the SPKAC value to enrollment helpers in the environment as | |
| a base64 value in "CERTMONGER_SPKAC" | |
| - also pass the request's SubjectPublicKeyInfo value to enrollment helpers | |
| in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16) | |
| - when generating signing requests using NSS, be more accommodating of | |
| requested subject names that don't parse properly | |
| - update to 0.7 | |
| - first cut at a getting-started document | |
| - refactor some internal key handling with NSS | |
| - check for duplicate request nicknames at add-time | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - notice when the OpenSSL RNG isn't seeded | |
| - notice when saving certificates or keys fails due to filesystem-related | |
| permission denial (#996581) | |
| - Exit gracefully if dbus is restarted (#1687698) | |
| - documentation updates | |
| - check specifically for cases where a specified token that we need to | |
| use just isn't present for whatever reason (#697058) | |
| - correct encoding/decoding of variant-typed data which we receive and send | |
| as part of the org.freedesktop.DBus.Properties interface over the bus, and | |
| add some tests for them (based on patch from David Kupka, ticket #36) | |
| - Update to upstream 0.79.6 | |
| - Fix unit tests to work with python 3 | |
| - large changes to the D-Bus glue, exposing a lot of data which we were | |
| providing via D-Bus getter methods as properties, and providing more | |
| accurate introspection data | |
| - emit a signal when the daemon saves a certificate to the destination | |
| location, and provide an option to have the daemon spawn an arbitrary | |
| command at that point, too (#766167) | |
| - enable starting the service by default on RHEL (#765600) | |
| - pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request | |
| includes IP address subjectAltName values | |
| - correctly verify signatures on SCEP server replies when the signer is neither | |
| the top-level CA nor the RA (feedback in #1161768) | |
| - correctly verify signatures on SCEP server replies when there is more than | |
| one certificate in the chain between the RA and the top-level CA (feedback in | |
| - don't create the daemon pidfile until after we've connected to the D-Bus | |
| (still more of #596719) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - update to 0.77 | |
| - add initial, still rough, SCEP support (#1140241,#1161768) | |
| - add an scep-submit helper to handle part of it | |
| - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands | |
| - getcert: add -l, -L flags to request/resubmit/start-tracking commands | |
| to provide a way to set a ChallengePassword in signing requests | |
| - lay some groundwork for rekeying support | |
| - bundled dogtag enrollment helpers now output debugging info to stderr (#) | |
| - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39) | |
| - getcert: fix displaying of pre-request pre-/post-save commands (#1178190, | |
| - use Zanata for translations | |
| - getcert list: list the certificate's profile name, if it contains one | |
| - fix a possible uninitialized memory read (possibly #1260871) | |
| - log a diagnostic error when we fail to initialize libkrb5 | |
| - Certmonger SCEP renewal should not use old challenges (#1577570) | |
| - Certmonger segfault after cert renewal request (#1881500) | |
| - Include certificate NotBefore date in output of the 'getcert list' command | |
| (#1940261) | |
| - Certmonger certificates stuck in NEED_GUIDANCE (#2001079) | |
| - update to 0.37 | |
| - be more careful about checking if we can read a PIN file successfully | |
| before we even call an API that might need us to try (#688229) | |
| - fix strict aliasing warnings | |
| - add some self-tests | |
| - simplify the internal submit-to-CA logic | |
| - fixes for more problems found through static analysis | |
| - add a -u flag to getcert to enable requesting a keyUsage extension value | |
| - request subjectKeyIdentifier extensions from CAs, and include them in | |
| self-signed certificates | |
| - request basicConstraints from CAs, defaulting to requests for end-entity | |
| certificates | |
| - when requesting CA certificates, also request authorityKeyIdentifier | |
| - add support for requesting CRL distribution point and authorityInfoAccess | |
| extensions that specify OCSP responder locations | |
| - don't crash when OpenSSL can't build a template certificate from a request | |
| when we're in FIPS mode | |
| - put NSS in FIPS mode, when the system booted that way, except when we're | |
| trying to write certificates to a database | |
| - fix CSR generation and self-signing in FIPS mode with NSS | |
| - fix self-signing in FIPS mode with OpenSSL | |
| - new languages from the translation team: mai, ml, nn, ga | |
| - fix setting the group ID when spawning the post-save command | |
| - correctly read CA not-valid-after dates on 32-bit machines (also reported by | |
| Natxo Asenjo), so that we don't spin on polling them (#1163023) | |
| - fix creation and packaging of the "local" CA's data directory | |
| - tweak how we decide whether we're on the master or a minion when we're | |
| told to use certmaster as a CA | |
| - clean up one of the tests so that it doesn't have to work around internal | |
| logging producing duplicate messages | |
| - when logging errors while setting up to contact xmlrpc servers, explicitly | |
| note that the error is client-side | |
| - don't abort() due to incorrect locking when an attempt to save an issued | |
| certificate to the designated location fails (part of #1032760/#1033333, | |
| ticket #22) | |
| - when reading an issued certificate from an enrollment helper, ignore | |
| noise before or after the certificate itself (more of #1032760/1033333, | |
| ticket #22) | |
| - run subprocesses in a cleaned-up environment (more of #1032760/1033333, | |
| ticket #22) | |
| - clear the ca-error that we saved when we had an error talking to the CA if we | |
| subsequently succeed in talking to the CA | |
| - various other static-analysis fixes | |
| - when saving certificates to NSS databases, try to preserve the trust | |
| value assigned to a previously-present certificate with the same nickname | |
| and subject, if one is found | |
| - when saving certificates to NSS databases, also prune certificates from | |
| the database which have both the same nickname and subject as the one | |
| we're adding, to avoid tripping up tools that only fetch one certificate | |
| by nickname | |
| - really fix these this time: | |
| - getcert: error out when "list -c" finds no matching CA (#743488) | |
| - getcert: error out when "list -i" finds no matching request (#743485) | |
| - fix a regression in reading old request tracking files where the | |
| request was in state NEED_TO_NOTIFY or NOTIFYING | |
| - update to 0.40 | |
| - fix validation check on EKU OIDs in getcert (#691351) | |
| - get session bus mode sorted | |
| - add a list of recognized EKU values to the getcert-request man page | |
| - make pathname canonicalization slightly smarter, to handle ".." in | |
| locations (#1131758) | |
| - updates to self-tests (#1144082) | |
| - update to 0.11 | |
| - add XML-RPC submission for certmaster and IPA | |
| - prune entries with duplicate names from the data store | |
| - update to 0.12 | |
| - add a crucial bit of error reporting when CAs reject our requests | |
| - count the number of configured CAs correctly | |
| - don't tag the D-Bus session .service file as a configuration file (internal | |
| tooling) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - make the D-Bus configuration file (noreplace) (#541072) | |
| - make the %check section and the deps we have just for it conditional on | |
| the same macro (#541072) | |
| - Rebuild with xmlrpc-c support enabled (#1687698) | |
| - updates to 0.73 | |
| - also pass the key type to enrollment helpers in the environment as | |
| the value of "CERTMONGER_KEY_TYPE" | |
| - fix a bad %preun scriptlet | |
| - when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in | |
| default.conf, and no "host" is set either, try to construct the server URI | |
| using the "server" setting (#1126985) | |
| - Replace the previous fix for dbus restarting with PartOf in the | |
| certmonger systemd service file to link the two (#1687698) | |
| - reintroduce package Requires: on systemd-sysv on F19 and EL6 and older, | |
| conditionalized it so that it's ignored on newer releases, and make | |
| whether or not we call systemd-sysv-convert in triggers depend on that, | |
| too (#1104138) | |
| - init script: ensure that the subsys lock is created whenever we're called to | |
| "start" when we're already running (even more of #596719) | |
| - Optimize closing of file descriptors on fork (#1763745) | |
| - Remove NOMODDB flag from context init, look for full tokens (#1746543) | |
| - Retrieve full IPA CA chain (#1710632) | |
| - if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set | |
| it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866) | |
| - fixes for bugs found by static analysis | |
| - handle IDN correctly when doing service location using SRV records | |
| - documentation updates | |
| - Add BuildRequires on gcc | |
| - expose the certificate's not-valid-before and not-valid-after dates as a | |
| property over D-Bus (ticket #41) | |
| - give the local signer its own configuration option to set the lifetime | |
| of its signing certificate, falling back to the lifetime configured for | |
| the self-signer as a default to match the previous behavior | |
| - fix a potential read segfault parsing the output of an enrollment helper, | |
| introduced in 0.77 (thanks to Steve Neuharth) | |
| - read the ns-certtype extension value in certificates | |
| - request an enrollment certtype extension to CSRs if we have a profile name | |
| that we want to use (ticket #17, possibly part of IPA ticket #57) | |
| - when a caller sets the is-default flag on a CA, and another CA is no longer | |
| the default, emit the PropertiesChanged signal on the CA which is not the | |
| default, instead of on the new default a second time | |
| - drop some dead code from the D-Bus message handlers (static analysis, | |
| - cache public keys when we read private keys | |
| - go back to printing an error indicating that we're missing a required | |
| argument when we're missing a required argument, not that the option is | |
| invalid (broken since 0.51, #796542) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - update to 0.39 | |
| - fix use of an uninitialized variable in the xmlrpc-based submission | |
| helpers (#690886) | |
| - when getcert is passed a -a flag, to indicate that CA root certificates | |
| should be stored in the specified database, don't ignore locations which | |
| don't include a storage scheme (#1129537) | |
| - when called to 'start-tracking' with the -a or -F flags, if we have | |
| applicable certificates on-hand for a CA that we're either told to use | |
| or which we decide is the correct one, save the certificates (#1129696) | |
| - tweak initialization so that we set up for providing our D-Bus API before we | |
| register our name with the bus, so that we can handle any requests that | |
| arrive before the acknowledgement of that registration | |
| - on systems that run systemd, add the right data file so that the service gets | |
| started when someone tries to talk to the daemon (ticket #38) | |
| - correctly check for error responses when sending GetCAChain requests to SCEP | |
| servers | |
| - update to 0.5 | |
| - packaging fixes | |
| - add a selfsign-getcert client | |
| - self-signed certs now get basic constraints and their own serial numbers | |
| - accept id-ms-kp-sc-logon as a named EKU value in a request | |
| - Rebuild | |
| - update to 0.79.5: | |
| - getcert start-tracking: use issuer option when specified | |
| - add support for specifying the MS certificate template | |
| - Reformat certificates returned by Dogtag to strip extra newline | |
| - add backported fix to wait a reasonable amount of time after calling the | |
| 'resubmit' method for a new certificate to be issued when we're exercising | |
| the D-Bus API during tests (Jan Cholasta, #1351052) | |
| - switch to using popt for parsing command line arguments, continuing to | |
| use old help text for now so that we can catch up with translations (print | |
| old text for --help, new text (with longopts!) for -H) | |
| - add some plumbing for eventually receiving per-certificate roots in | |
| addition to issued certificates and chain certificates | |
| - add a "rekey" command to getcert, for triggering enrollment using a new | |
| key pair (#1087932) | |
| - scep-submit: check for the Renewal capability, and default to taking | |
| advantage of it during rekeying, unless the new -n flag is specified to it | |
| - dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs | |
| to the helper (part of ticket #12) | |
| - dogtag-submit: add a flag for using the agent creds to do TLS client auth | |
| while submitting enrollment requests (more of ticket #12) | |
| - dogtag-submit: handle cases where we submit a request and the server | |
| returns a success code rather than just queuing the request (#12 again) | |
| - ipa-submit: pass requested profile names to the server as an argument | |
| named "profile_id"; if the server gives us an "unrecognized argument" | |
| error, retry without it for compatibility's sake (part of IPA ticket #57) | |
| - keygen: fix a possible crash if keygen fails to return a key from NSS | |
| - correct the certmonger(8) man page's description of the -c flag, which it | |
| used to call the -C flag | |
| - add logic for setting ownership and permissions on certificates and keys | |
| when saving them to disk | |
| - add configuration options "max_key_lifetime" and "max_key_use_count" for | |
| making automatic renewal prefer rekeying | |
| - api: lift restrictions on characters used in request and CA nicknames by | |
| making their object names not incorporate their nicknames | |
| - api: add find_request_by_nickname and find_ca_by_nickname | |
| - certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K | |
| - getcert: print "invalid option" error messages ourselves (#756291) | |
| - ipa-submit: supply a Referer: header when submitting requests to IPA | |
| (#750617, needed for #747710) | |
|
|
|
| cockpit-310.6-1.el8_10.x86_64.rpm | - Remove recommends on subscription-manager-cockpit if applicable |
| - Remove recommends on subscription-manager-cockpit if applicable | |
| - networking: Fix renaming of bridges and other groups (RHEL-131249) | |
| - networkmanager: use connection.type as a fallback (RHEL-131244) | |
|
|
|
| cockpit-bridge-310.6-1.el8_10.x86_64.rpm | - Remove recommends on subscription-manager-cockpit if applicable |
| - Remove recommends on subscription-manager-cockpit if applicable | |
| - networking: Fix renaming of bridges and other groups (RHEL-131249) | |
| - networkmanager: use connection.type as a fallback (RHEL-131244) | |
|
|
|
| cockpit-system-310.6-1.el8_10.noarch.rpm | - Remove recommends on subscription-manager-cockpit if applicable |
| - Remove recommends on subscription-manager-cockpit if applicable | |
| - networking: Fix renaming of bridges and other groups (RHEL-131249) | |
| - networkmanager: use connection.type as a fallback (RHEL-131244) | |
|
|
|
| cockpit-ws-310.6-1.el8_10.x86_64.rpm | - Remove recommends on subscription-manager-cockpit if applicable |
| - Remove recommends on subscription-manager-cockpit if applicable | |
| - networking: Fix renaming of bridges and other groups (RHEL-131249) | |
| - networkmanager: use connection.type as a fallback (RHEL-131244) | |
|
|
|
| compat-openssl10-1.0.2o-4.el8_10.1.x86_64.rpm | - minor upstream release 1.0.2o fixing security issues |
| - updated to 1.0.2j and modified Summary | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - add back -devel subpackage as a stop-gap measure for software | |
| that cannot be ported to new API easily | |
| - compat package created | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - removed Buildroot and clean section | |
| - added Conflicts with old openssl | |
| - Fix CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | |
| Resolves: rhbz#2077418 | |
| - provide and use compat openssl10.cnf as the non-compat one is incompatible | |
| - renamed to compat-openssl10, additional cleanups | |
| - minor upstream release 1.0.2m fixing security issues | |
| - fix locking of RNG in FIPS mode for some obscure use-cases | |
| - Add flags for riscv64. | |
| - Fix CVE-2023-0286 X.400 address type confusion in X.509 GeneralName | |
| Resolves: RHEL-9699 | |
| - fix -devel subpackage conflict with man-pages package (#1387175) | |
| - add missing ldconfig call to post script | |
| - minor upstream release 1.0.2n fixing security issues | |
| - correct wrong Requires in -devel subpackage | |
| - apply RPM_LD_FLAGS properly (#1548117) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
|
|
|
| cups-libs-2.2.6-66.el8_10.x86_64.rpm | - fix use-after-free reported by OSH |
| - RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack | |
| - RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues | |
|
|
|
| device-mapper-1.02.181-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| device-mapper-event-1.02.181-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| device-mapper-event-libs-1.02.181-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| device-mapper-libs-1.02.181-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| flac-libs-1.3.2-11.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild |
| - update to 1.3.1 (CVE-2014-8962, CVE-2014-9028) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - #119551 flac-xmms -> xmms-flac to match fedora.us and freshrpms.net | |
| - Obsoletes flac-libs to upgrade smoothly from fedora.us | |
| - update to 1.3.2 | |
| - Removed xmms-flac subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Update GNU stack patch to cover all the NASM sources used | |
| - Rebuild for build ID | |
| - fix building with gcc-4.3 | |
| - reenable some assembly optimizations | |
| - hide private libFLAC symbols (#285961) | |
| - update license tag | |
| - add %check | |
| - remove -maltivec from CFLAGS | |
| - Added self-obsoletes to help multilib upgrades | |
| - add xmms-flac plugin as a conditionalized subpackage | |
| - update to 1.3.0pre3 | |
| - fix memory corruption in metaflac (#969259) | |
| - disable slower assembly code | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update link-ogg patch for 1.1.4 | |
| - Update for 1.20 and drop obsolete patches (#285161) | |
| - Rebuild (flac picked up a dependency on its older version) | |
| - rebuilt | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - update to 1.3.0pre1 | |
| - make some dependencies arch-specific | |
| - rebuilt | |
| - rebuild for gcc 4.0 | |
| - Rebuild to fix FTBFS | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Update to upstream version 1.1.2 | |
| - Replace flac-1.1.0-libtool.patch with flac-1.1.2-libtool.patch | |
| - fix memory leak in parsing of vorbis comments (CVE-2017-6888) | |
| - add gcc to build requirements | |
| - A few fixes from the Fedora merge review | |
| - Remove the static library | |
| - rebuild for -devel deps | |
| - rebuilt | |
| - disable nasm to avoid gaps in annobin coverage (#1630561) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to upstream 1.1.4 | |
| - bump again for double-long bug on ppc(64) | |
| - New patch flac-1.1.0-gnu-stack.patch from Ulrich Drepper to mark asm | |
| as not requiring an executable stack | |
| - initial build | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuilt | |
| - rebuild | |
| - Fixed warnings in shipped m4 file. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Make a few functions hidden, to try and avoid textrels | |
| - Disable optimisations on x86 for the same reason | |
| (#285961) | |
| - fix x86_64 linkage (#117893) | |
| - Switch to %ldconfig_scriptlets | |
| - Update with work from Matthias Clasen to upstream 1.1.3 (#229462) | |
| - Remove xmmx-flac Obsolete, as we don't ship the xmms plugin | |
| - update to 1.3.0 | |
| - update to 20121204gita43f56 | |
| - create libs subpackage | |
| - split documentation to base and devel subpackages | |
| - drop defattr macros | |
| - add GFDL to License tag | |
| - drop xmms-flac subpackage (#1578806) | |
| - speed up decoding | |
| - CFLAGS cleanup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Autorebuild for GCC 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild | |
| - Try building w/ glib2-devel | |
| - BuildRequire glib-devel for xmms plugin | |
| - BuildRequire nasm | |
| - don't free memory that is still used after realloc() error (CVE-2020-22219) | |
| - Fix buildreqs (#154649 thias) | |
| - obsolete older xmms-flac | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Also include the new pkgconfig files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Update to 1.2.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - The byteSwap symbol shouldn't be global, reported by Joe Orton | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
|
|
|
| glib2-2.56.4-168.el8_10.x86_64.rpm | - Add patch for CVE-2025-13601 |
| - Fix GUnixMount issues | |
| - Enable testsuite during RPM check phase | |
|
|
|
| glib2-devel-2.56.4-168.el8_10.x86_64.rpm | - Add patch for CVE-2025-13601 |
| - Fix GUnixMount issues | |
| - Enable testsuite during RPM check phase | |
|
|
|
| glx-utils-8.4.0-5.20181118git1830dcb.el8.x86_64.rpm | - Rebuild for new glew soname |
| - Rebuilt for GLEW soname bump | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - rebuilt for glew 1.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild | |
| - update to 8.0.1 (git checkout from 20121218) | |
| - update xdriinfo to 1.0.4 | |
| - remove non-free files (bz892925) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild | |
| - 8.2.0 upstream release | |
| - package upstream demos release 8.1.0 (mainly for new glxinfo) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for RHEL 8.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Initial build. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuild for glew 1.13 | |
| - New git snapshot | |
| - Build with --as-needed so glxinfo doesn't needlessly drag in GLEW | |
| - Install rgba images too (#640688) | |
| - Rebuild for glew 1.9.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for glew 2.1.0 | |
| - Copy glxinfo to glxinfo%{__isa_bits}, to allow people to check that their | |
| compatibility drivers are working. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Start using proper git version strings for rawhide | |
| - Enabling building of wayland and freetype demos | |
| - Fix xdriinfo not working with libglvnd (rhbz#1429894) | |
| - fix install of gears/info (#647947) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - 8.3.0 | |
| - Rebuild for glew 2.0.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Today's git snapshot | |
| - Arbitrary EVR bump to be newer than when the mesa source package dropped | |
| the demos subpackage. | |
| - New git snapshot | |
| - New git snap | |
| - Add EGL/GLES buildreqs and egl-utils subpackage | |
|
|
|
| gnupg2-2.2.20-4.el8_10.x86_64.rpm | - Fix CVE-2025-68973 (gpg.fail/memcpy) |
|
|
|
| gnupg2-smime-2.2.20-4.el8_10.x86_64.rpm | - Fix CVE-2025-68973 (gpg.fail/memcpy) |
|
|
|
| gsm-1.0.17-5.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 1.0.10-0.fdr.7: applied patch from Ville, remove epoch since it's allowed | |
| - Update to 1.0.13 | |
| - Upload sources | |
| - fix some warnings | |
| - fix 64bit testsuite issue as described at gsm homepage | |
| - add compatibility header symlink | |
| - split off binaries into a separate package | |
| - switch to new release field | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - 1.0.10-0.lvn.10: Clean up installation | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - install symlinks instead of binaries in -devel | |
| - rebuilt for unwind info generation, broken in gcc-4.1.1-21 | |
| - update homepage and source URLs | |
| - ensure binaries are linked with Fedora LDFLAGS (#1548532) | |
| - use ldconfig_scriptlets macro | |
| - add proper man links for tcat and untoast | |
| - 1.0.10-0.fdr.4: remove epoch mentions | |
| - Defines changed to globals | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - update to 1.0.17 (#1465878) | |
| - ease future updates by better macro use | |
| - drop obsolete patch hunks | |
| - fix missing prototype for fchown warning | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuild for GCC 4.3 | |
| - fix parallel make | |
| - 1.0.10-0.lvn.8: Use -fPIC on non ix86 | |
| - Fix dangling symlinks for shared lib, thanks to Lucian Langa for pointing out the issue. | |
| - Fixed build failure, defuzzified gsm-warnings patch | |
| Resolves: rhbz#757136 | |
| - 0:1.0.10-0.fdr.1: initial RPM release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - 0:1.0.10-0.fdr.6: remove second makeinstall | |
| - update to 1.0.16 (#1397242) | |
| - use license macro | |
| - drop obsolete stuff and simplify | |
| - 0:1.0.10-0.fdr.5 | |
| - added back epochs, I surrender | |
| - fix RPM_OPT_FLAGS hackery | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - 1.0.10-0.fdr.2 | |
| - Fix libgsm.so.* being files instead of symlinks | |
| - 1.0.10-11 | |
| - rebuild for FC6 | |
| - 1.0.10-0.fdr.3 | |
| - pull in RPM_OPT_FLAGS in patch instead of using perl to wedge it in | |
| - fix group | |
| - -p'ize ldconfig | |
| - 1.0.10-0.lvn.9: mv libgsm.a only when needed | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to Release 1.0 Patchlevel 12. | |
| - Build with -fPIC not just for non-ix86. | |
| - Add check section to ensure proper library version. | |
| - Remove static library. | |
| - add dist | |
| - rebuild for BuildID | |
| - specfile cleanups | |
|
|
|
| gstreamer1-1.16.1-2.el8.x86_64.rpm | - Update to 1.2.1. |
| - Update to 1.6.1 | |
| - Update to 1.8.2 | |
| - Update to 1.13.90 | |
| - Update to 1.12.2 | |
| - Remove lib64 rpaths from newly added binaries | |
| - Update to 1.0.6. | |
| - Remove BR on PyXML. | |
| - Update to 1.4.5 | |
| - Update to 1.2.3. | |
| - Update to 1.3.91 | |
| - Update to 1.4.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Use %global instead of %define. | |
| - Remove rpath. | |
| - Update to 1.13.91 | |
| - fix doc dependencies | |
| - Update to 1.12.0 | |
| - Update to 1.16.2 for correctly pick up for side gating | |
| - Resolves: rhbz#1756299 | |
| - %build: --disable-fatal-warnings --disable-silent-rules | |
| - fix rpath harder | |
| - use %ldconfig_scriptlets, %make_build, %make_install | |
| - -devel: tighten deps with %{_isa} | |
| - Update to 1.9.90 | |
| - remove obsolete patches | |
| - Update to 1.0.3 | |
| - Update to 1.12.3 | |
| - Update to 1.1.90. | |
| - Update to 1.1.2. | |
| - Update to 1.10.2 | |
| - Update to 1.0.7. | |
| - Update to 1.4.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Update to 1.2.4. | |
| - Update to 1.0.1 | |
| - Update to 1.10.0 | |
| - Update to 1.11.2 | |
| - Update to 1.7.90 | |
| - Update to 1.14.0 | |
| - Update to 1.12.1 | |
| - Add gst-stats manpage | |
| - Update to 1.4.4 | |
| - Update to 1.6.0 | |
| - Use license macro for COPYING | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - fix build | |
| - Rebuilt for gobject-introspection 1.41.4 | |
| - Update to 1.7.91 | |
| - Update to 1.2.0. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Remove (obsolete since 1.2.0) xfig build dependency. | |
| - Update to 1.5.2 | |
| - Update to 0.11.99 | |
| - Add patch to gst-inspect to generate RPM provides | |
| - Add RPM find-provides script | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - -devel: Conflicts: gstreamer1-plugins-bad-free-devel < 1.13 | |
| - Update to 1.16.1 | |
| - Enable libcap for the ptp helper permissions | |
| - Resolves: rhbz#1756299 | |
| - Update to 1.5.90 | |
| - Update to 1.6.2 | |
| - Update to 1.8.1 | |
| - Update to 1.1.3. | |
| - Update to 1.11.90 | |
| - Update to 0.11.93. | |
| - Bump minimum version of glib2 needed. | |
| - Update to 1.7.1 | |
| - update rpm inspect patch | |
| - add gst-stats | |
| - add core traces | |
| - Update to 1.5.91 | |
| - Enable verbose build | |
| - fix build on s390x | |
| - Initial Fedora spec file. | |
| - Update to 1.9.1 | |
| - Update to 1.11.91 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 1.12.4 | |
| - Tweak BRs for RHEL | |
| - Update to 0.11.94. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 1.10.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild for https://github.com/UnitedRPMs/packages/issues/106#issuecomment-290404434 | |
| - Update to 1.0.2. | |
| - Update to 1.8.0 | |
| - Update to 1.4.0 | |
| - Update to 1.2.2. | |
| - Use python3 for docs generation | |
| - Update to 1.5.1 | |
| - add new bash-completion scripts | |
| - gstconfig.h got moved | |
| - Cleanup spec file conditionals | |
| - fix build on Power64 | |
| - Update to 1.0.5. | |
| - Update to 1.7.2 | |
| - Update to 1.0.4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 1.9.2 | |
| - gstconfig.h was moved to normal include dir | |
| - Update to 1.11.1 | |
| - update rpm patch | |
| - Update to 1.1.4. | |
| - Update to 1.3.90 | |
| - Update to 1.13.1 | |
| - Update rpm patch | |
| - Fix compiler error | |
| - Update to 1.0.0. | |
|
|
|
| gstreamer1-plugins-bad-free-1.16.1-5.el8_10.x86_64.rpm | - Update to 1.0.2 |
| - Update to 1.2.1. | |
| - Update to 1.6.1 | |
| - rebuild (openexr) | |
| - Update to 1.8.2 | |
| - Rebuild for opencv | |
| - Disable opencv, the version is too new | |
| - Update to 1.12.2 | |
| - Update to 1.0.5 | |
| - Update to 1.0.6. | |
| - Drop BR on PyXML. | |
| - Update to 1.9.1 | |
| - add musepack plugin | |
| - add kmssink plugin | |
| - Update to 1.6.0 | |
| - Remove lib64 rpaths from a few more libraries | |
| - Use license macro for COPYING and COPYING.LIB | |
| - Rebuild for chromaprint .so change | |
| - Update to 1.2.3. | |
| - Update to 1.4.0. | |
| - Update to 1.16.1 | |
| - Remove upstreamed patches | |
| - Remove dependency on removed package | |
| - Add sctp and closedcaption plugins | |
| - The vcdsrc plugin was removed | |
| - Resolves: rhbz#1756299 | |
| - Fixes for problems found by covscan | |
| - Resolves: rhbz#1602534 | |
| - Update to 1.7.1 | |
| - rename fragmented -> hls | |
| - remove liveadder | |
| - add gstplayer | |
| - add teletextdec and videoframe_audiolevel | |
| - Update to 1.12.0 | |
| - Update to 1.9.2 | |
| - Build gobject-introspection support. (#1028156) | |
| - Update to 1.0.3 | |
| - Update to 1.12.3 | |
| - Update to 1.1.90. | |
| - Update to 1.1.2. | |
| - Build opus plugin. | |
| - Update to 1.11.90 | |
| - Update plugin names | |
| - Remove old rawparse plugin | |
| - Add new allocator lib and legacyrawparse | |
| - Update to 1.10.2 | |
| - Rebuild (libwebp) | |
| - Update to 1.4.2. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 1.0.7. | |
| - Added missing buildrequire on EGL | |
| - Update to 1.9.90 | |
| - Fix permission on tarball clean-up script. | |
| - Re-enable soundtouch-devel. | |
| - Add COPYING.LIB to package. | |
| - Use %global instead of %define. | |
| - Update to 1.10.0 | |
| - Update to 1.7.2 | |
| - remove rtpbad plugin, it was moved | |
| - add new libraries and netsim plugin | |
| - Update to 1.0.1 | |
| - Add frei0r plugin to file list. | |
| - Build ladspa, libkate, and wildmidi plugins. | |
| - Update to 1.13.91 | |
| - Update to 1.4.4 | |
| - Rebuild for new libsrtp | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Build fluidsynth plugin. (#1024906) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Enable verbose build | |
| - remove rpath from gtksink and mxf | |
| - Fix description line too long | |
| - Update to 1.2.0. | |
| - Update to 1.5.2 | |
| - Build the srtp plugin. (#1055669) | |
| - Rebuilt for nettle soname bump | |
| - 1.13.1 | |
| - use %ldconfig_scriptlets %make_build %make_install | |
| - fix rpath in gst-p-bad-cleanup.sh | |
| - tighten subpkg deps with %{?_isa} | |
| - -gtk subpkg now empty. FIXME | |
| - Update to 0.11.99 | |
| - Add optional data to AppStream metadata. | |
| - Rebuild for soundtouch ABI break (#1311323) | |
| - Update to 1.7.90 | |
| - the opus plugin was moved to -base. | |
| - Update to 1.5.90 | |
| - Update to 1.11.1 | |
| - Add audiobuffersplit | |
| - Dataurisrc was moved to core | |
| - Add ttmlsubs plugin | |
| - Update to 1.6.2 | |
| - Fix RTP/RTCP muxing (#1199578) | |
| - Update to 1.13.90 | |
| - Add audiolatency | |
| - Schrodinger element was removed | |
| - Add BR on gnutls-devel for HLS support. (#1030491) | |
| - The soundtouch-devel BR should be on, even with extras disabled | |
| - Update to 1.8.1 | |
| - Update to 1.1.3. | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - Bump (libass) | |
| - Remove obsolete liboil BR (#1588303) | |
| - Only build extras on Fedora | |
| - bluez is not in extras | |
| - vdpau is in extras | |
| - Update to 1.14.0 | |
| - add webrtc gir and typelib | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Update to 1.2.4. | |
| - Update to 1.5.91 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to 1.7.91 | |
| - The opus parse was not moved so we still need opus-devel and we still | |
| ship a plugin. | |
| - the plugin was renamed to opusparse | |
| - Append --disable-fatal-warnings to %configure to prevent | |
| building from aborting for negligible warnings (Fix F24FTBFS) | |
| - Append --disable-silent-rules to %configure to make | |
| building verbose. | |
| - Don't remove buildroot before installing. | |
| - Update to 1.3.91. | |
| - Remove old libraries | |
| - fix for CVE-2025-3887 | |
| Resolves: RHEL-93051 | |
| - Register as an AppStream component. | |
| - Update to 1.11.91 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Patch CVE-2023-44446: MXF demuxer use-after-free | |
| - Resolves: RHEL-16794 | |
| - Update to 1.12.4 | |
| - Update to 0.11.94. | |
| - Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Bump to avoid conflict with z stream. | |
| - Resolves: RHEL-16794 | |
| - Update to 1.10.1 | |
| - Build the wayland video output plugin | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Remove celt buildreq, the plugin was removed and so is celt-devel | |
| - Patch CVE-2023-40474: Integer overflow | |
| - Patch CVE-2023-40475: Integer overflow | |
| - Patch CVE-2023-40476: Integer overflow in H.265 video parser | |
| - Resolves: RHEL-19500, RHEL-19504, RHEL-19507 | |
| - Enable more plugins: gtksink, webp, bluez, bs2b, gme, ofa, openal, | |
| opencv, openjpeg | |
| - Rebuild for new wildmidi | |
| - Move libgstdecklink to its correct place in extras; needed for RHEL | |
| - drop -gtk subpkg, moved to gst1-plugins-good | |
| - Initial Fedora spec file. | |
| - rebuild (libwebp) | |
| - Update to 0.11.93. | |
| - Use openjpeg2 instead of openjpeg (#1553079) | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - Add BuildRequest python3-devel | |
| - Update to 1.4.1. | |
| - Update to 1.8.0 | |
| - Update to 1.2.2. | |
| - Update to 1.4.5 | |
| - Update to 1.12.1 | |
| - Put the fluidsynth plugin in its own subpackage and make it require | |
| soundfont2-default (rhbz#1078925) | |
| - Cleanup spec file conditionals | |
| - Merge patches from Kevin Kofler (#1267665) | |
| - Split gtksink into a -gtk subpackage (#1295444) | |
| - Split wildmidi plugin into a -wildmidi subpackage (#1267665) | |
| - BR mesa-libGLES-devel to enable OpenGL ES 2 support in GstGL (#1308290) | |
| - Update to 1.5.1 | |
| - Drop old patch | |
| - add chromaprint plugin | |
| - Update to 1.0.4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuild for soundtouch 2.0.0 | |
| - Update to 1.11.2 | |
| - add audiomixmatrix | |
| - Update to 1.1.4. | |
| - Enable uvch264 | |
| - Update to 1.0.0. | |
|
|
|
| gstreamer1-plugins-base-1.16.1-5.el8_10.x86_64.rpm | - Update to 1.6.1 |
| - Update to 1.8.2 | |
| - Update to 1.13.90 | |
| - Update to 1.12.2 | |
| - Fix build on big-endian | |
| - Improve conditional SSE and SSE2 compilation | |
| - Update to 1.2.3. | |
| - Drop patch to fix build on aarch64. Fixed upstream. | |
| - Add opus that was moved from -bad-free | |
| - Update to 1.4.5 | |
| - Fix man file names for Flatpak builds | |
| - Resolves: rhbz#1895935 | |
| - Add optional data to AppStream metadata. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 1.4.0. | |
| - Add patch to fix missing mp3 codec discovery. (#680809, #896018) | |
| - Update to 1.12.0 | |
| - tighten subpkg deps | |
| - fix rpaths | |
| - update %files | |
| - use %ldconfig_scriptlets %make_build %make_install | |
| - %build: --disable-fatal-warnings --disable-silent-rules | |
| - Conflicts: gstreamer1-plugins-bad-free < 1.13 | |
| - Update to 1.0.3 | |
| - Update to 1.12.3 | |
| - Update to 1.13.1 | |
| - Add patch to fix aliasing compilation error | |
| - Add GL buildrequires | |
| - Update to 1.10.2 | |
| - Update to 1.4.2. | |
| - Update to 1.0.7. | |
| - Update to 1.5.1 | |
| - add missing headers | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Backport new missing plugins API | |
| - Update to 1.2.4. | |
| - Update to 1.0.1 | |
| - Update to 0.11.93. | |
| - Package gst-visualise. | |
| - Update to 1.10.0 | |
| - Upstream patch to fix contrast/brightness in video playback | |
| - Add upstream patch to fix build on aarch64 | |
| - Update to 1.11.2 | |
| - Update to 1.7.90 | |
| - Update to 1.14.0 | |
| - Update to 1.4.4 | |
| - Remove cdparanoia dependency | |
| - Resolves: rhbz#1605265 | |
| - Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615 | |
| Resolves: RHEL-70974, RHEL-71010, RHEL-70986 | |
| - Update to 1.6.0 | |
| - Use license macro for COPYING | |
| - Rebuilt for gobject-introspection 1.41.4 | |
| - Update to 1.7.91 | |
| - Update to 1.2.0. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Add upstream fix for excessive alsasink CPU usage | |
| - Update to 1.9.2 | |
| - drop upstreamed patch | |
| - add new files | |
| - Update to 0.11.99 | |
| - CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing | |
| - Resolves: RHEL-19472 | |
| - Update to 1.5.90 | |
| - Update to 1.1.2. | |
| - Drop contrast/brightness video playback patch. Fixed upstream. | |
| - Update to 1.6.2 | |
| - Update to 1.8.1 | |
| - Update to 1.1.3. | |
| - Update to 1.5.2 | |
| - Don't produce gir and typelib for GstRiff | |
| - Add multiview headers | |
| - Drop gst-visualise mention from description. (#947658) | |
| - Update to 1.16.1 | |
| - Resolves: rhbz#1756299 | |
| - Update to 1.3.91. | |
| - Fix potential deadlock on startup when playing audio files | |
| - Update to 1.11.1 | |
| - Update to 1.5.91 | |
| - Update to 1.11.90 | |
| - Add new plugins | |
| - Update to 1.7.1 | |
| - Add new files | |
| - Enable verbose build | |
| - Register as an AppStream component. | |
| - Initial Fedora spec file. | |
| - Update to 1.9.1 | |
| - add audio-resampler.h | |
| - Update to 1.12.4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 0.11.94. | |
| - Update to 1.13.91 | |
| - Add new prelude .h files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 1.10.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 1.9.90 | |
| - rebuild for new libvisual | |
| - Update to 1.0.2. | |
| - Update to 1.4.1. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Enable Wayland support (previously disabled due to missing wayland-devel | |
| as a BR - before it was probably brought in by something else). | |
| - Update to 1.8.0 | |
| - Update to 1.2.2. | |
| - Update to 1.12.1 | |
| - Update to 1.2.1. | |
| - Drop patch to fix potential deadlock on startup. Fixed upstream. | |
| - Update to 1.0.6. | |
| - Drop BR on PyXML. | |
| - Drop alsa delay patch. Fixed upstream. | |
| - Remove rpath. | |
| - Update to 1.11.91 | |
| - Add new headers | |
| - Update to 1.1.90. | |
| - Bump minimum version of orc needed. | |
| - Update to 1.0.5. | |
| - Add BuildRequest python3-devel | |
| - Update to 1.7.2 | |
| - fix for renamed header | |
| - Update to 1.0.4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow | |
| - Resolves: RHEL-38509 | |
| - Update to 1.1.4. | |
| - Update to 1.0.0. | |
|
|
|
| ipa-client-4.9.13-20.module+el8.10.0+2067+377bdd64.x86_64.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add o users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fetch-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= | |
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RHBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to do not use only primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-extdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageuser-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrite schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontend: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exist | |
| - Fix ipa-caalc-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
| domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
| interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEnrty error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow to use mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Insure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against reentrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adopt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: use getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adopt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libverto-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - certmonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be checked for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be checked for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| ipa-client-common-4.9.13-20.module+el8.10.0+2067+377bdd64.noarch.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add o users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fetch-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= | |
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RRBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to do not use only primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageusedr-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontent: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exists | |
| - Fix ipa-caalc-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEnrty error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow to use mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Insure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against re-entrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adopt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: user getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adopt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libvert-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - certmonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be checked for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be checked for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| ipa-common-4.9.13-20.module+el8.10.0+2067+377bdd64.noarch.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add of users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fetch-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= | |
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RHBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to not use only primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-extdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageuser-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrite schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontend: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exists | |
| - Fix ipa-caacl-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
| domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
| interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEnrty error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow to use mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Insure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against re-entrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adapt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: use getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adapt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libverto-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - cermonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| ipa-selinux-4.9.13-20.module+el8.10.0+2067+377bdd64.noarch.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add o users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fecth-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= | |
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RHBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to not use only the primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageuser-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrite schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontend: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exist | |
| - Fix ipa-caacl-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
| domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
| interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEntry error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow use of mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Ensure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against reentrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adapt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: user getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adopt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libvert-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - certmonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| iperf3-3.5-12.el8_10.x86_64.rpm | - Resolves: RHEL-136175 - iperf Heap Buffer Overflow (CVE-2025-54349) |
|
|
|
| iso-codes-3.79-2.el8.noarch.rpm | - Update to 3.67 |
| - LICENSE renamed to COPYING file | |
| - Update to 3.18 | |
| - Update to 3.59 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 3.70 | |
| - Update to 3.10.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Update to 3.5.1 | |
| - Update to 3.77 version (#1516284) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Update to 3.23 | |
| - Update to 3.35 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Missing BR gettext | |
| - Update to 3.32.2 | |
| - Update to 3.22 | |
| - Update to 3.5 | |
| - Updated spec to use recent macros | |
| - Added needed BR: python3 | |
| - Update to 3.17 | |
| - Update to 3.3. | |
| - Address minor issues in merge review (#225918): update %description, | |
| don't use %makeinstall, drop unneeded %debug_package override, use | |
| parallel build. | |
| - Update to 3.58 | |
| - Update to 3.74 | |
| - Update to 3.32 | |
| - Update to 3.13 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 3.31 | |
| - Update to 3.27.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Bump gettext BR | |
| - Use the smaller .bz2 tarball | |
| - Update to 1.7 | |
| - Update to 3.61 | |
| - Drop Group tag | |
| - use %license macro | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to 3.44 | |
| - Update to 3.47 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 3.25.1 | |
| - Update to 3.12.1 | |
| - Update to 3.33 | |
| - Update to 3.7 | |
| - Update to 1.9 | |
| - Update to 3.56 | |
| - Update to 3.64 | |
| - Update to 3.20 | |
| - Drop buildroot, %clean and cleaning buildroot in %install | |
| - Update to 3.28 | |
| - Update to 0.53 | |
| - Update to 3.49 | |
| - Update to 3.65 | |
| - Update to 1.3 | |
| - Update the license field | |
| - Use %find_lang for translations | |
| - Don't create debuginfo | |
| - Update to 3.14 | |
| - Resolves:rh#1615536: iso-codes FTBFS for missing BR:python3-devel | |
| - Update to 3.75 version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - bump the spec for missing updated sources | |
| - Update to 3.66 | |
| - Upstream now providing json formatted iso-codes data | |
| - Update to 3.76 version | |
| - Update to 3.62 | |
| - Update to 3.72 | |
| - Update to 3.37 | |
| - Update to 3.24.1 | |
| - Update to 3.32.1 | |
| - Update to 3.12 | |
| - Update to 3.50 | |
| - Update to 3.53 | |
| - Update to 3.24 | |
| - rebuilt | |
| - Update to 0.49 | |
| - The .pc file should be installed in %{_datadir} instead of %{_libdir} | |
| since this is a noarch package. 64bit platforms will otherwise look in | |
| the 64bit version of the %{_libdir} and not find the .pc file and | |
| cause them to not find iso-codes | |
| - Upstream renamed README to README.md | |
| - Update to 3.68 | |
| - Update to 3.48 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 3.40 | |
| - Update to 3.41 | |
| - Initial RPM | |
| - Update to 1.4 | |
| - Update to 1.8 | |
| - Update to 3.60 | |
| - Update to 3.45 | |
| - Update to 1.6 | |
| - Update to 3.63 | |
| - Update to 3.11.1 | |
| - Update to 3.19 | |
| - Update to 3.51 | |
| - Update to 1.2 | |
| - Update to 3.43 | |
| - Update to 3.27 | |
| - Update to 3.54 | |
| - Update to 2.1 | |
| - Update to 3.46 | |
| - Update to 3.24.2 | |
| - Update to 3.10.3 | |
| - Update to 3.15 | |
| - Update to 3.69 | |
| - Update to 3.29 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 3.42 | |
| - Update to 3.39 | |
| - Update to 3.79 version (#1577820) | |
| - Update to 3.38 | |
| - Update to 3.16 | |
| - Update to 3.11 | |
| - Update to 3.30 | |
| - Update to 2.0 | |
| - Update to 3.73 | |
| - Update to 1.5 | |
| - Update to 0.56 | |
| - Update to 3.1 | |
| - Update to 3.71 | |
| - Update to 3.57 | |
| - Update to 3.6 | |
| - Update to 3.25 | |
| - Update to 3.52 | |
| - Update to 3.55 | |
| - Update to 1.0 | |
| - Update to 3.10 | |
| - Upstream stopped providing iso_639.tab file since 3.9 release, | |
| so remove it from %files. | |
| - Update to 3.21 | |
| - Update to 3.34 | |
| - Update to 0.47 | |
| - Update to 3.36 | |
| - Update to 3.8 | |
| - Update to 3.10.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
|
|
|
| java-21-openjdk-21.0.8.0.9-1.el8.x86_64.rpm | - Update to jdk-21.0.8+9 (GA) |
| - Update release notes to 21.0.8+9 | |
| - Switch to GA mode | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** | |
| - Resolves: RHEL-102278 | |
| - Build for Rocky Linux 8 using our own portable | |
| - Update to jdk-21.0.9+10 (GA) | |
| - Update release notes to 21.0.9+10 | |
| - Bump harfbuzz version to 11.2.0 following JDK-8355528 | |
| - Add NEWS corrections from Thomas | |
| - Use double spacing consistently in notes for this release | |
| - Correct 11u release reference to corresponding 21u release as pointed out by Kieran | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-10-21 @ 1pm PT. ** | |
| - Resolves: RHEL-118773 | |
| - Resolves: RHEL-119450 | |
| - Build for Rocky Linux 8 using our own portable | |
|
|
|
| java-21-openjdk-devel-21.0.8.0.9-1.el8.x86_64.rpm | - Update to jdk-21.0.8+9 (GA) |
| - Update release notes to 21.0.8+9 | |
| - Switch to GA mode | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** | |
| - Resolves: RHEL-102278 | |
| - Build for Rocky Linux 8 using our own portable | |
| - Update to jdk-21.0.9+10 (GA) | |
| - Update release notes to 21.0.9+10 | |
| - Bump harfbuzz version to 11.2.0 following JDK-8355528 | |
| - Add NEWS corrections from Thomas | |
| - Use double spacing consistently in notes for this release | |
| - Correct 11u release reference to corresponding 21u release as pointed out by Kieran | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-10-21 @ 1pm PT. ** | |
| - Resolves: RHEL-118773 | |
| - Resolves: RHEL-119450 | |
| - Build for Rocky Linux 8 using our own portable | |
|
|
|
| java-21-openjdk-headless-21.0.8.0.9-1.el8.x86_64.rpm | - Update to jdk-21.0.8+9 (GA) |
| - Update release notes to 21.0.8+9 | |
| - Switch to GA mode | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-07-15 @ 1pm PT. ** | |
| - Resolves: RHEL-102278 | |
| - Build for Rocky Linux 8 using our own portable | |
| - Update to jdk-21.0.9+10 (GA) | |
| - Update release notes to 21.0.9+10 | |
| - Bump harfbuzz version to 11.2.0 following JDK-8355528 | |
| - Add NEWS corrections from Thomas | |
| - Use double spacing consistently in notes for this release | |
| - Correct 11u release reference to corresponding 21u release as pointed out by Kieran | |
| - Sync the copy of the portable specfile with the latest update | |
| - ** This tarball is embargoed until 2025-10-21 @ 1pm PT. ** | |
| - Resolves: RHEL-118773 | |
| - Resolves: RHEL-119450 | |
| - Build for Rocky Linux 8 using our own portable | |
|
|
|
| kernel-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| kernel-core-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| kernel-headers-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| kernel-modules-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| kernel-tools-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| kernel-tools-libs-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| krb5-pkinit-1.18.2-32.el8_10.x86_64.rpm | - Make krb5-devel depend on libkadm5 |
| - Resolves: #1364487 | |
| - Merge krb5-configs back into krb5-libs. The krb5.conf file is marked as | |
| a %config file anyway. | |
| - Make krb5.conf a noreplace config file. | |
| - Fix KCM client time offset propagation | |
| - Resolves: #1738553 | |
| - gettextize init scripts | |
| - fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated | |
| denial of service in recvauth_common() and others" | |
| - add preliminary patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - Clean up etype display on KDC | |
| - Resolves: #1664157 | |
| - build without -g3, which gives us large static libraries in -devel | |
| - further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit | |
| architectures, to avoid multilib conflicts; other changes will conspire to | |
| strip out the -L flag which uses this, so it should be harmless (#192692) | |
| - Correct copyright: it's exportable now, provided the proper paperwork is | |
| filed with the government. | |
| - FIPS: disable 3DES and ed25519 | |
| - Resolves: #1616326 | |
| - Fix backward check in kprop.service | |
| - apply Mike Friedman's patch to fix format string problems | |
| - don't strip off argv[0] when invoking regular rsh/rlogin | |
| - work around a compile problem with new openssl | |
| - update to 1.12 final | |
| - use (a bundled, for now, copy of) nss_wrapper to let us run some of the | |
| self-tests at build-time in more places than we could previously (#978756) | |
| - cover inconsistencies in whether or not there's a local caching nameserver | |
| that's willing to answer when the build environment doesn't have a | |
| resolver configuration, so that nss_wrapper's faking of the local | |
| hostname can be complete | |
| - update to 1.2.5 | |
| - disable statglue | |
| - Backport certauth eku security fix | |
| - rebuilt with new openssl | |
| - Backport my interposer fixes from upstream | |
| - Supersedes krb5-mechglue_inqure_attrs.patch | |
| - New upstream prerelease (1.16-beta2) | |
| - Fix use of enterprise principals with forwarding | |
| - fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer | |
| dereference when using keyless entries" | |
| - Use the correct patches this time. | |
| - Resolves: #1321135 | |
| - apply fix from Tom Yu for MITKRB5-SA-2004-004 (CAN-2004-1189) | |
| - remove hashless key types from the default kdc.conf, they're not supposed to | |
| be there, noted by Sam Hartman on krbdev | |
| - properly advertise that the kpropd init script now supports force-reload | |
| (Zbysek Mraz, #630587) | |
| - update to alpha 2 | |
| - drop a couple of patches which were integrated for alpha 2 | |
| - correct some configuration file paths which the KDC_DIR patch missed | |
| - Remove "-nodes" option from make-certs scripts | |
| - patch to avoid depending on |
|
| - initial update to alpha1 | |
| - drop backport of persistent keyring support | |
| - drop backport for RT#7689 | |
| - drop obsolete patch for fixing a use-before-init in a test program | |
| - drop obsolete patch teaching config.guess/config.sub about aarch64-linux | |
| - drop backport for RT#7598 | |
| - drop backport for RT#7172 | |
| - drop backport for RT#7642 | |
| - drop backport for RT#7643 | |
| - drop patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too; obsolete | |
| - drop backports for RT#7682 | |
| - drop backport for RT#7709 | |
| - drop backport for RT#7590 and partial backport for RT#7680 | |
| - drop OTP backport | |
| - drop backports for RT#7656 and RT#7657 | |
| - BuildRequires: libedit-devel to prefer it | |
| - BuildRequires: pkgconfig, since configure uses it | |
| - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, | |
| - OpenSSL has an epoch, apparently | |
| - Resolves: #1754690 | |
| - selinux: hang on to the list of selinux contexts, freeing and reloading | |
| it only when the file we read it from is modified, freeing it when the | |
| shared library is being unloaded (#845125) | |
| - In FIPS mode, add plaintext fallback for RC4 usages and taint | |
| - disable optimizations on the alpha again | |
| - pull up Simo's patch to mark the correct mechanism on imported GSSAPI | |
| contexts (RT#7592) | |
| - go back to using reconf to run autoconf and autoheader (part of #925640) | |
| - add temporary patch to use newer config.guess/config.sub (more of #925640) | |
| - Remove downloadable source signature file | |
| - Resolves: rhbz#2219654 | |
| - don't include |
|
| - debloat | |
| - Fix network service dependencies | |
| - Resolves: #1525230 | |
| - New upstream beta version | |
| - Merge duplicate subsections in profile library | |
| - Fix gitignore problem with previous patchset | |
| - patch ksu man page because the -C option never works | |
| - add access() checks and disable debug mode in ksu | |
| - modify default ksu build arguments to specify more directories in CMD_PATH | |
| and to use getusershell() | |
| - Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear | |
| when kadmind starts"). The issue was caused by an unneeded |htons()| | |
| which triggered SELinux AVC denials due to the "random" port usage. | |
| - Update from krb5-1.13-alpha1 to final krb5-1.13 | |
| - Removed patch for CVE-2014-5351 (#1145425) "krb5: current | |
| keys returned when randomizing the keys for a service principal" - | |
| now part of upstream sources | |
| - Use patch for glibc |eventfd()| prototype mismatch (#1147887) only | |
| for Fedora > 20 | |
| - force -fPIC | |
| - Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) | |
| - rebuilt | |
| - specify the location of the subsystem lock when using the status() function | |
| in the kadmind and kpropd init scripts, so that we get the right error when | |
| we're dead but have a lock file - requires initscripts 8.99 (#521772) | |
| - switch man pages to being generated with the right paths in them | |
| - drop old, incomplete SELinux patch | |
| - add patch from Greg Hudson to make srvtab routines report missing-file errors | |
| at same point that keytab routines do (#241805) | |
| - incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 | |
| (MITKRB5-SA-2004-002, #130732) | |
| - incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) | |
| - respin with updated version of patch for RT#7650 (#969331) | |
| - silence compiler warning in kprop by using an in-memory ccache with a fixed | |
| name instead of an on-disk ccache with a name generated by tmpnam() | |
| - Remove dependency on systemd-sysv which is no longer needed for fedora > 20 | |
| This also fixes a fail-to-build issue. | |
| - Miscellaneous spec cleanup fixes | |
| - Put KDB authdata first | |
| - Resolves: #1800575 | |
| - update to 1.10.1 | |
| - drop the KDC crash fix | |
| - drop the KDC lookaside cache fix | |
| - drop the fix for kadmind RPC ACLs (CVE-2012-1012) | |
| - update to beta 1 | |
| - add currently-proposed changes to teach ksu about credential cache | |
| collections and the default_ccache_name setting (#1015559,#1026099) | |
| - Re-enable test suite on ppc64le (no other changes) | |
| - modify the deltat grammar to also tell gcc (4.7) to suppress | |
| "maybe-uninitialized" warnings in addition to the "uninitialized" warnings | |
| it's already being told to suppress (RT#7080) | |
| - change /usr/dict/words to /usr/share/dict/words in default kdc.conf (#20000) | |
| - add patch to accept keytab entries with vno==0 as matches when we're | |
| searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) | |
| - mktemp was long obsoleted by coreutils | |
| - ftp: add patch to fix "runique on" case when globbing fixes applied | |
| - stop adding a redundant but harmless call to initialize the gssapi internals | |
| - fix a typo in a ksu error message (Marek Mahut) | |
| - "rev" works the way the test suite expects now, so don't disable tests | |
| that use it | |
| - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6 | |
| - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename | |
| - reintroduce the init scripts for non-systemd releases | |
| - forward-port %{?_rawbuild} annotations from EL6 packaging | |
| - Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 | |
| - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, | |
| where it's actually needed (#538703) | |
| - Fix log file permissions patch with our selinux | |
| - Resolves: #1309421 | |
| - Enable MD5 override for FIPS RADIUS | |
| - Resolves: #1872689 | |
| - go back to not messing with library file paths on Fedora 17: it breaks | |
| file path dependencies in other packages, and since Fedora 17 is already | |
| released, breaking that is our fault | |
| - Explicitly require python2 packages | |
| - Backport upstream certauth EKU fixes | |
| - Add temporary workaround for RH bug #1204646 ("krb5-config | |
| returns wrong -specs path") which modifies krb5-config post | |
| build so that development of krb5 dependencies gets unstuck. | |
| This MUST be removed before rawhide becomes F23 ... | |
| - Fix CVE-2017-11368 (remote triggerable assertion failure) | |
| - Properly close krad sockets | |
| - Resolves: #1380836 | |
| - allocate space for the nul-terminator in the local pathname when looking up | |
| a file context, and properly free a previous context (Jose Plans, #426085) | |
| - Move kdbversion info into -server for IPA (so we can rebase) | |
| - Resolves: #1645594 | |
| - update to 1.11.2 | |
| - drop pulled in patch for RT#7586, included in this release | |
| - drop pulled in patch for RT#7592, included in this release | |
| - pull in fix for keeping track of the message type when parsing FAST requests | |
| in the KDC (RT#7605, #951843) (also #951965) | |
| - if the init script fails to start krb5kdc/kadmind/kpropd because it's already | |
| running (according to status()), return 0 (part of #521772) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - build | |
| - pull in fix from master to return a NULL pointer rather than allocating | |
| zero bytes of memory if we read a zero-length input token (RT#7794, part of | |
| - pull in fix from master to ignore an empty token from an acceptor if | |
| we've already finished authenticating (RT#7797, part of #1043962) | |
| - pull in fix from master to avoid a memory leak when a mechanism's | |
| init_sec_context function fails (RT#7803, part of #1043962) | |
| - pull in fix from master to avoid a memory leak in a couple of error | |
| cases which could occur while obtaining acceptor credentials (RT#7805, part | |
| of #1043962) | |
| - Nix /usr/share/krb5.conf.d to reduce complexity | |
| - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not | |
| loop on principal unknown errors"). | |
| - Added "python-sphinx-latex" to the build requirements | |
| to fix build failures on F22 machines. | |
| - add an auth stack to ksu's PAM configuration so that pam_setcred() calls | |
| won't just fail | |
| - omit dependent libraries from the krb5-config --libs output, as using | |
| shared libraries (no more static libraries) makes them unnecessary and | |
| they're not part of the libkrb5 interface (patch by Rex Dieter, #240220) | |
| (strips out libkeyutils, libresolv, libdl) | |
| - update to 1.3.4 beta1 | |
| - remove MITKRB5-SA-2004-001, included in 1.3.4 | |
| - add patch to fix server-side crashes when principals have no | |
| components (CAN-2003-0072) | |
| - Fix argument order on strlcpy() in enctype_name() | |
| - Resolves: #1754369 | |
| - switch to the updated patch for MITKRB-SA-2006-001 | |
| - Fix setting of AS key in OTP preauth failure | |
| - rebuild | |
| - Be more careful asking for AS key in SPAKE client | |
| - Fix CVE-2016-3119 (NULL deref in LDAP module) | |
| - add patch to correct GSSAPI library null pointer dereference which could be | |
| triggered by malformed client requests (CVE-2010-1321, #582466) | |
| - rename the krb5-libs package to krb5 (naming a subpackage -libs when there | |
| is no main package is silly) | |
| - move defaults for PAM to the appdefaults section of krb5.conf -- this is | |
| the area where the krb5_appdefault_* functions look for settings) | |
| - disable statglue (warning: breaks binary compatibility with previous | |
| packages, but has to be broken at some point to work correctly with | |
| unpatched versions built with newer versions of glibc) | |
| - Fix kprop for propagating dump files larger than 4GB | |
| - Resolves: #2026462 | |
| - rebuild | |
| - pull the changing of the compiled-in default ccache location to | |
| DIR:/run/user/%{uid}/krb5cc back into F19, in line with SSSD and | |
| the most recent pam_krb5 build | |
| - hardcode pid file as option in krb5kdc.service | |
| - Fix hex conversion of PKINIT certid strings | |
| - configure --without-krb5-config so that we don't pull in the old default | |
| ccache name when we want to stop setting a default ccache name at configure- | |
| time | |
| - make krb5-config suppress CFLAGS output when called with --libs (#544391) | |
| - add more etypes (arcfour) to the default enctype list in kdc.conf | |
| - don't apply previous patch, refused upstream | |
| - fix the problem where the %license file has been a dangling symlink | |
| - fix broken dependency on awk (should be gawk, rdieter) | |
| - use %global instead of %define | |
| - pull up proposed patch for creating previously-not-there lock files for | |
| kdb databases when 'kdb5_util' is called to 'load' (#551764) | |
| - fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, #140036) | |
| - move /usr/kerberos/bin to end of PATH | |
| - update to beta2 | |
| - drop obsolete backports for storing KDC time offsets and expiration times | |
| in keyring credential caches | |
| - move initscript back | |
| - rebuilt | |
| - patch mkdir/rmdir problem in ftpcmd.y | |
| - add condrestart option to init script | |
| - split the server init script into three pieces and add one for kpropd | |
| - turn on NSS as the backend for libk5crypto, adding nss-devel as a build | |
| dependency when that switch is flipped | |
| - rebuild | |
| - rebuild | |
| - pull up the change to make kpasswd's behavior better match the docs | |
| when there's no ccache (#563431) | |
| - build with -fno-strict-aliasing, which is needed because the library | |
| triggers these warnings | |
| - don't forget to label principal database lock files | |
| - fix the labeling patch so that it doesn't break bootstrapping | |
| - fix double-free of enc_part2 in krb524d | |
| - rebuild on 1.1.1 | |
| - pull in patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too | |
| - Add PKINIT KDC support for freshness token | |
| - Add hostname-based ccselect module | |
| - Resolves: #1463665 | |
| - Include fixes for previous commit | |
| - Resolves: #1433083 | |
| - Fix typo of crypto-policies file in previous version | |
| - Exit with status 0 from kadmind | |
| - don't break during %check when the session keyring is revoked | |
| - update to 1.7.1 | |
| - don't trip AD lockout on wrong password (#542687, #554351) | |
| - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 | |
| - fixes gss_krb5_copy_ccache() when SPNEGO is used | |
| - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to | |
| the devel subpackage, better lining up with the expected krb5/krb5-appl | |
| split in 1.8 | |
| - drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already | |
| depends on -workstation which also includes them | |
| - New upstream release | |
| - Update names and numbers to match external git | |
| - Rebuilt for glibc bug#747377 | |
| - update to 1.2.1 | |
| - back out Tom Yu's patch, which is a big chunk of the 1.2 -> 1.2.1 update | |
| - start using the official source tarball instead of its contents | |
| - automatic rebuild | |
| - fix globbing patch port mode (#139075) | |
| - have -server require /usr/share/dict/words, which we set as the default | |
| dict_file in kdc.conf (#817089) | |
| - refresh patch for #542868 from trunk | |
| - incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) | |
| - fix incorrect call to "test" in the kadmin init script (#252322,#287291) | |
| - update to the 1.2 release | |
| - ditch a lot of our patches which went upstream | |
| - enable use of DNS to look up things at build-time | |
| - disable use of DNS to look up things at run-time in default krb5.conf | |
| - change ownership of the convert-config-files script to root.root | |
| - compress PS docs | |
| - fix some typos in the kinit man page | |
| - run condrestart in server post, and shut down in preun | |
| - back that last change out | |
| - Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ | |
| (#1225792, #1146370, #1145808) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - fix summaries and descriptions | |
| - switched the default transfer protocol from PORT to PASV as proposed on | |
| bugzilla (#16134), and to match the regular ftp package's behavior | |
| - build with -fstack-protector-all instead of the default -fstack-protector, | |
| so that we add checking to more functions (i.e., all of them) (#629950) | |
| - also link binaries with -Wl,-z,relro,-z,now (part of #629950) | |
| - add some minimal description to the top of the wrapper scripts we use | |
| when starting krb5kdc and kadmind to describe why they exist (tooling) | |
| - Fix some broken tests for Python 3 | |
| - fix for CVE-2014-5352 (#1179856) "gss_process_context_token() | |
| incorrectly frees context (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial | |
| deserialization results (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9422 (#1179861) "kadmind incorrectly | |
| validates server principal name (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9423 (#1179863) "libgssrpc server applications | |
| leak uninitialized bytes (MITKRB5-SA-2015-001)" | |
| - automated rebuild | |
| - libgssapi_krb5: backport fix for some errors which can occur when | |
| we fail to set up the server half of a context (CVE-2009-0845) | |
| - Fix configuration of default ccache name to match file indentation | |
| - drop patch to suppress key expiration warnings sent from the KDC in | |
| the last-req field, as the KDC is expected to just be configured to either | |
| send them or not as a particular key approaches expiration (#556495) | |
| - update to 1.2.8 | |
| - Remove Zanata test glue and related workarounds | |
| - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") | |
| - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh") | |
| - compile with %{?_smp_mflags} (Steve Grubb) | |
| - drop the bit where we munge part of the error table header, as it's not | |
| needed any more | |
| - incorporate a fix to teach the file labeling bits about when replay caches | |
| are expunged (#576093) | |
| - New upstream release (1.16) | |
| - No changes from beta2 | |
| - Update to krb5-1.13.2 | |
| - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 | |
| - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 | |
| - Add script processing for upcoming Zanata l10n support | |
| - Minor spec cleanup | |
| - back out this labeling change (dwalsh): | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - Full FIPS compliance | |
| - Resolves: #1754690 | |
| - backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE | |
| to talk to a KDC by using poll() if it's detected at compile-time (#701446, | |
| RT#6905) | |
| - refresh nss_wrapper and add socket_wrapper to the %check environment | |
| - update the PIC patch for iaesx86.s to not use ELF relocations to the version | |
| that landed upstream (RT#7815, #1045699) | |
| - use %{_infodir} to better comply with FHS | |
| - move .so files to -devel subpackage | |
| - tweak xinetd config files (bugs #11833, #11835, #11836, #11840) | |
| - fix package descriptions again | |
| - update to 1.6.1 | |
| - drop no-longer-needed patches for CVE-2007-0956,CVE-2007-0957,CVE-2007-1216 | |
| - drop patch for sendto bug in 1.6, fixed in 1.6.1 | |
| - automated rebuild | |
| - add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028) | |
| - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) | |
| - always #include |
|
| - enable LFS on a bunch of other 32-bit arches | |
| - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, | |
| - pull in fix to set expiration times on credentials stored in keyring | |
| credential caches (RT#7769, #1031724) | |
| - Guess Samba client mutual flag using ap_option | |
| - Resolves: #1370980 | |
| - add explicit build-time dependency on a version of keyutils that's new | |
| enough to include keyctl_get_persistent() (more of #991148) | |
| - Backport patch to fix mechglue for gss_inquire_attrs_for_mech() | |
| - apply patch from upstream to fix KDC denial of service (CVE-2010-0283, | |
| - make sure workstation servers are all disabled by default | |
| - clean up krb5server init script | |
| - ensure that the gssapi library's been initialized before walking the | |
| internal mechanism list in gss_release_oid(), needed if called from | |
| gss_release_name() right after a gss_import_name() (#198092) | |
| - update to 1.4 | |
| - v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O" | |
| flag to specify that it should communicate with the server using the older | |
| protocol | |
| - new libkrb5support library | |
| - v5passwdd and kadmind4 are gone | |
| - versioned symbols | |
| - pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass | |
| it on to krb5kdc | |
| - pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass | |
| it on to kadmind | |
| - pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass | |
| it on to krb524d *instead of* "-m" | |
| - set "forwardable" in [libdefaults] in the default krb5.conf to match the | |
| default setting which we supply for pam_krb5 | |
| - set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting the | |
| compiled-in default | |
| - Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) | |
| - Backport KCM performance enablements | |
| - Resolves: #1956388 | |
| - Remove "python-sphinx-latex" and "tar" from the build requirements | |
| to fix build failures on F22 machines. | |
| - Minor spec cleanup | |
| - fix license tag | |
| - krb5kdc init script: prototype some changes to do a quick spot-check | |
| of the TGS and kadmind keys and warn if there aren't any non-weak keys | |
| on file for them (to flush out parts of #651466) | |
| - Fix string RPC ACLs (RT#7093); CVE-2012-1012 | |
| - update to 1.9.1: | |
| - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, | |
| CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 | |
| - drop krshd patch for now | |
| - fix build failure caused by change of prototype for glibc | |
| \|eventfd()\| (#1147887) | |
| - rebuild | |
| - gcc 3.3 doesn't implement varargs.h, include stdarg.h instead | |
| - rebuild in new environment | |
| - Use standard trigger logic for krb5 snippet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Patch build by disabling failing test; will fix properly soon | |
| - merge security fixes from RHSA-2007:0095 | |
| - give a little bit more information to the user when kinit gets the catch-all | |
| I/O error (#180175) | |
| - update to 1.10 alpha 1 | |
| - on newer releases where we can assume NSS >= 3.13, configure PKINIT to build | |
| using NSS | |
| - on newer releases where we build PKINIT using NSS, configure libk5crypto to | |
| build using NSS | |
| - rename krb5-pkinit-openssl to krb5-pkinit on newer releases where we're | |
| expecting to build PKINIT using NSS instead | |
| - during %check, run check in the library and kdc subdirectories, which | |
| should be able to run inside of the build system without issue | |
| - add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469) | |
| - add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468) | |
| - amend the PIC patch for iaesx86.s to also save/restore ebx in the | |
| functions where we modify it, because the ELF spec says we need to | |
| - stop exporting kadmin keys to a keytab file when kadmind starts -- the | |
| daemon's been able to use the database directly for a long long time now | |
| - belatedly add aes128,aes256 to the default set of supported key types | |
| - fix a type mismatch in krb5_copy_error_message() | |
| - ftp: fix some odd use of strlen() | |
| - selinux labeling: use selabel_open() family of functions rather than | |
| matchpathcon(), bail on it if attempting to get the mutex lock fails | |
| - Backport certauth plugin and related pkinit changes | |
| - Allow verification of attributes on krb5.conf | |
| - Restrict pre-authentication fallback cases | |
| - rebuild | |
| - change a LINE_MAX to 1024, fix from Ken Raeburn | |
| - add fix for login vulnerability in case anyone rebuilds without krb4 compat | |
| - add tweaks for byte-swapping macros in krb.h, also from Ken | |
| - add xinetd config files | |
| - make rsh and rlogin quieter | |
| - build with debug to fix credential forwarding | |
| - add rsh as a build-time req because the configure scripts look for it to | |
| determine paths | |
| - incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922) | |
| - incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443) | |
| and MITKRB5-SA-2007-005 (CVE-2007-2798) | |
| - add documentation for the ticket_lifetime option (#561174) | |
| - add patch to fix telnetd vulnerability | |
| - try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) | |
| - Backport soft-pkcs11 testing code | |
| - Resolves: #1734158 | |
| - disable servers by default to keep linuxconf from thinking they need to be | |
| started when they don't | |
| - Use openssl's PRNG in FIPS mode | |
| - Resolves: #1663571 | |
| - add some comments to the ksu patches for the curious | |
| - re-enable optimization on alphas | |
| - Backport kdcpolicy interface | |
| - kdc.conf: default to listening for TCP clients, too (#248415) | |
| - rebuild with keyutils 1.5.8 (part of #1012043) | |
| - prereq chkconfig for the server subpackage | |
| - move the db2 kdb plugin from -server to -libs, because a multilib libkdb | |
| might need it | |
| - change the default configured encryption type for KDC databases to the | |
| compiled-in default of des3-hmac-sha1 (#57847) | |
| - grab a more-commented version of the most recent patch from upstream | |
| master | |
| - make a guess at making the 32-bit AES-NI implementation sufficiently | |
| position-independent to not require execmod permissions for libk5crypto | |
| (more of #1045699) | |
| - Process included directories in alphabetical order | |
| - backed out ncurses and makeshlib patches | |
| - update for krb5-1.1 | |
| - add KDC rotation to rc.boot, based on ideas from Michael's C version | |
| - prevent spurious EBADF in krshd when stdin is closed by the client while | |
| the command is running (#151111) | |
| - update to 1.3 | |
| - Zap data when freeing krb5_spake_factor | |
| - make krb5-server-ldap also depend on the same version-release of krb5-libs, | |
| as the other subpackages do, if only to make it clearer than it is when we | |
| just do it through krb5-server | |
| - drop explicit linking with libtinfo for applications that use libss, now | |
| that readline itself links with libtinfo (as of readline-5.2-3, since | |
| fedora 7 or so) | |
| - go back to building without strict aliasing (compiler warnings in gssrpc) | |
| - add upstream patches to fix standalone kpropd exiting if the per-client | |
| child process exits with an error (MITKRB5-SA-2011-001), a hang or crash | |
| in the KDC when using the LDAP kdb backend, and an uninitialized pointer | |
| use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, | |
| CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126) | |
| - Fix SPAKE memory leak | |
| - update to 1.12.2 | |
| - drop patch for RT#7820, fixed in 1.12.2 | |
| - drop patch for #231147, fixed as RT#3277 in 1.12.2 | |
| - drop patch for RT#7818, fixed in 1.12.2 | |
| - drop patch for RT#7836, fixed in 1.12.2 | |
| - drop patch for RT#7858, fixed in 1.12.2 | |
| - drop patch for RT#7924, fixed in 1.12.2 | |
| - drop patch for RT#7926, fixed in 1.12.2 | |
| - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 | |
| - drop patch for CVE-2014-4343, included in 1.12.2 | |
| - drop patch for CVE-2014-4344, included in 1.12.2 | |
| - drop patch for CVE-2014-4345, included in 1.12.2 | |
| - replace older proposed changes for ksu with backports of the changes | |
| after review and merging upstream (#1015559, #1026099, #1118347) | |
| - fixup URL in a comment | |
| - when built with NSS, require 3.12.10 rather than 3.12.9 | |
| - started changelog (previous package from zedz.net) | |
| - updated existing 1.0.5 RPM from Eos Linux to krb5 1.0.6 | |
| - added --force to makeinfo commands to skip errors during build | |
| - try to merge and clean up all the large file support for ftp and rcp | |
| - ftpd no longer prints a negative length when sending a large file | |
| from a 32-bit host | |
| - prefer the kdc which last replied to a request when sending requests to kdcs | |
| - Use responder for non-preauth AS requests | |
| - Resolves: #1370622 | |
| - Set error message on KCM get_princ failure | |
| - apply patch from MITKRB5-SA-2004-001 (#125001) | |
| - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) | |
| - Resolves: #1997601 | |
| - removed rpath | |
| - CVE-2024-37370 CVE-2024-37371 | |
| Fix vulnerabilities in GSS message token handling | |
| Resolves: RHEL-45398 RHEL-45386 | |
| - update to 1.3.6, which includes the previous fix | |
| - add missing dependency on newer keyutils-libs (#1012034) | |
| - pass some structures by address instead of on the stack in krb5kdc | |
| - libgssapi_krb5: properly export the acceptor subkey when creating a lucid | |
| context (Kevin Coffman, via the nfs4 mailing list) | |
| - fix bug ID in changelog | |
| - Bump release number | |
| - Fix formatting typo in kinit.1 (krb5-kinit-man-typo.patch) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update otp backport patches (libk5radius => libkrad) | |
| - if we successfully change the user's password during an attempt to get | |
| initial credentials, but then fail to get initial creds from a non-master | |
| using the new password, retry against the master (#432334) | |
| - create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user, | |
| since that's what the libraries actually look for | |
| - add buildrequires on nss-myhostname, in an attempt to get more of the tests | |
| to run properly during builds | |
| - pull in Simo's patch to recognize "client_keytab" as a key type which can | |
| be passed in to gss_acquire_cred_from() (RT#7598) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175) | |
| (#157104) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755) | |
| - kadmind.init: drop the attempt to detect no-database-present errors (#723723), | |
| which is too fragile in cases where the database has been manually moved or | |
| is accessed through another kdb plugin | |
| - backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) | |
| - Fix integer overflows in PAC parsing (CVE-2022-42898) | |
| - Resolves: rhbz#2140968 | |
| - update to 1.4.3 | |
| - make ksu setuid again (#137934, others) | |
| - Gain FIPS awareness | |
| - Resolves: #1660222 | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pull up fix for upstream #6745, in which the gssapi library would add the | |
| wrong error table but subsequently attempt to unload the right one | |
| - use gcc to build shared libraries | |
| - update to 1.11.3 | |
| - drop patch for RT#7605, fixed in this release | |
| - drop patch for CVE-2002-2443, fixed in this release | |
| - drop patch for RT#7369, fixed in this release | |
| - pull upstream fix for breaking t_skew.py by adding the patch for #961221 | |
| - Restore accidentally dropped patch | |
| - Resolves: #1754690 | |
| - Actually bump kdbversion like I was supposed to | |
| - update to 1.5 | |
| - mark %{krb5prefix}/man so that files which are packaged within it are | |
| flagged as %doc (#168163) | |
| - update to 1.2.4 | |
| - patch around TIOCGTLC defined on alpha and remove warnings from libpty.h | |
| - add installation of info docs | |
| - remove krb4 compat patch because it doesn't fix workstation-side servers | |
| - pkinit: when verifying signed data, use the CMS APIs for better | |
| interoperability (#636985, RT#6851) | |
| - update to 1.9 beta 3 | |
| - fix trigger scriptlet's invocation of sed (#1016945) | |
| - rename krb5.sh and krb5.csh so that they don't overlap (#210623) | |
| - way-late application of added error info in kadmind.init (#65853) | |
| - pull in upstream fix to start treating a KRB5CCNAME value that begins | |
| with DIR:: the same as it would a DIR: value with just one ccache file | |
| in it (RT#7172, #965574) | |
| - pull in fix from master to make reporting of errors encountered by | |
| the SPNEGO mechanism work better (RT#7045, part of #1043962) | |
| - catch krb4 send_to_kdc cases in kdc preference patch | |
| - backport change from SVN to fix a computed-value-not-used warning in | |
| kpropd (#684065) | |
| - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) | |
| - override the default build rules to not delete temporary y.tab.c files, | |
| so that they can be packaged, allowing debuginfo files which point to them | |
| do so usefully (#729044) | |
| - backport patch to disable replay detection in krb5_verify_init_creds() | |
| while reading the AP-REQ that's generated in the same function (RT#7229) | |
| - change cleanup code in post to not tickle chkconfig | |
| - add grep as a Prereq: for -libs | |
| - drop a patch we weren't applying (build tooling) | |
| - wrap kadmind and kpropd in scripts which check for the presence/absence | |
| of files which dictate particular exit codes before exec'ing the actual | |
| binaries, instead of trying to use ConditionPathExists in the unit files | |
| to accomplish that, so that we exit with failure properly when what we | |
| expect isn't actually in effect on the system (#800343) | |
| - Eliminate preprocessor-disabled dead code | |
| - rebuilt | |
| - Fix KDC null dereference on large TGS replies | |
| - revise previous patch to initialize one more element | |
| - move the package changelog to the end to match the usual style (jdennis) | |
| - scrub out references to $RPM_SOURCE_DIR (jdennis) | |
| - include a symlink to the readme with the name LICENSE so that people can | |
| find it more easily (jdennis) | |
| - tweak configuration files used during tests to try to reduce the number | |
| of conflicts encountered when builds for multiple arches land on the same | |
| builder | |
| - Drop DES3 from sample kdc.conf | |
| - Resolves: #1802334 | |
| - Automatically add includedir where not present | |
| - Try removing sleep statement to see if it is still needed | |
| - Resolves: #1433083 | |
| - fix a regression (not labeling a kdb database lock file correctly, #569902) | |
| - Fix dependency on binfmt.service | |
| - attempt to account for UnversionedDocdirs for the -libs subpackage | |
| - tighten up default permissions on kdc.conf and kadm5.acl (#558343) | |
| - include .so.* symlinks as well as .so.*.* | |
| - rebuild | |
| - pull in upstream patch for RT#6952, confusion following referrals for | |
| cross-realm auth (#734341) | |
| - pull in build-time deps for the tests | |
| - remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of | |
| supported keytypes in kdc.conf -- they produce exactly the same keys as | |
| rc4-hmac:normal because rc4 string-to-key ignores salts | |
| - nuke kdcrotate -- there are better ways to balance the load on KDCs, and | |
| the SELinux policy for it would have been scary-looking | |
| - update to 1.3.5, mainly to include MITKRB5SA 2004-002 and 2004-003 | |
| - cut down the number of times we load SELinux labeling configuration from | |
| a minimum of two times to actually one (more of #845125) | |
| - update to 1.9 beta 2 | |
| - remove the krb5-appl bits (the -workstation-clients and -workstation-servers | |
| subpackages) now that krb5-appl is its own package | |
| - replace our patch for #563431 (kpasswd doesn't fall back to guessing your | |
| principal name using your user name if you don't have a ccache) with the | |
| one upstream uses | |
| - broke out configuration files | |
| - Fix pkinit_anchors path | |
| - Resolves: #1661339 | |
| - actually pull up the patch for RT#7063, and not some other ticket (#773496) | |
| - temporarily back out %post changes, fix for #143289 for security update | |
| - add preliminary patch to correct unauthorized access via krb5-aware telnet | |
| - Document -k option in kvno(1) synopsis | |
| - Resolves: #1869055 | |
| - Tom Yu's patch to fix compatibility between 1.2 kadmin and 1.1.1 kadmind | |
| - pull out 6.2 options in the spec file (sonames changing in 1.2 means it's not | |
| compatible with other stuff in 6.2, so no need) | |
| - Disable dns_canonicalize_hostname. This may break some setups. | |
| - pull down patches from trunk to implement k5login_authoritative and | |
| k5login_directory settings for krb5.conf (#539423) | |
| - Set error message on KCM get_princ failure | |
| - fix an uninitialized length value which could cause a crash when parsing | |
| key data coming from a directory server | |
| - correct a typo in the krb5.conf man page ("ldap_server"->"ldap_servers") | |
| - Log preauth names in trace output | |
| - Misc bugfixes from upstream | |
| - build alpha with -O0 for now | |
| - create and own /etc/gss (#1019937) | |
| - update to 1.12.1 | |
| - drop patch for RT#7794, included now | |
| - drop patch for RT#7797, included now | |
| - drop patch for RT#7803, included now | |
| - drop patch for RT#7805, included now | |
| - drop patch for RT#7807, included now | |
| - drop patch for RT#7045, included now | |
| - drop patches for RT#7813 and RT#7815, included now | |
| - add patch to always retrieve the KDC time offsets from keyring caches, | |
| so that we don't mistakenly interpret creds as expired before their | |
| time when our clock is ahead of the KDC's (RT#7820, #1030607) | |
| - don't forget the README | |
| - handle an assertion failure that starts cropping up when the patch for | |
| using poll (#701446) meets servers that aren't running KDCs or against | |
| which the connection fails for other reasons (#727829, #734172) | |
| - start moving to 1.9 with beta 1 | |
| - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 | |
| - drop no-longer-needed backport patch for #539423 | |
| - drop no-longer-needed patch for CVE-2010-1322 | |
| - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) | |
| - pull patch from svn to undo unintentional chattiness in ftp | |
| - pull patch from svn to handle NULL krb5_get_init_creds_opt structures | |
| better in a couple of places where they're expected | |
| - add patch from Dhiru Kholia for the AES-NI implementations to allow | |
| libk5crypto to be properly marked as not needing an executable stack | |
| on arches where they're used (#1045699, and so many others) | |
| - fix a compile error in the SELinux labeling patch when -DDEBUG is used (Sumit | |
| Bose) | |
| - correct a bug in the fix for #754001 so that the file creation context is | |
| consistently reset | |
| - Fix CVE-2016-3120 | |
| - Resolves: #1361051 | |
| - Remove incorrect KDC assertion | |
| - Resolves: #1673016 | |
| - incorporate upstream patch to fix uninitialized pointer crash in the KDC's | |
| authorization data handling (CVE-2010-1322, #636335) | |
| - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 | |
| - Log when non-root ksu authorization fails | |
| - Resolves: #1575771 | |
| - set "rdns = false" in the default krb5.conf (#908323,#908324) | |
| - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) | |
| - Resolves: #1906492 | |
| - Address some optimized-out memset() calls | |
| - Resolves: #1663503 | |
| - make krb5.conf %verify(not md5 size mtime) in addition to | |
| %config(noreplace), like /etc/nsswitch.conf (#329811) | |
| - throw in a not-applied-by-default patch to try to make pkinit debugging | |
| into a run-time boolean option named "pkinit_debug" | |
| - pull in multiple changes to allow replay caches to be added to a GSS | |
| credential store as "rcache"-type credentials (RT#7818/#7819/#7836, | |
| - add missing pam-devel build requirement, force selinux-or-fail build | |
| - Explicitly use openssl rather than builtin crypto | |
| - Resolves: #1570910 | |
| - libkrad: implement support for Message-Authenticator (CVE-2024-3596) | |
| Resolves: RHEL-50253 | |
| - Remove RSA protocol for PKINIT | |
| Resolves: RHEL-17616 | |
| - in login, allow PAM to interact with the user when they've been strongly | |
| authenticated | |
| - in login, signal PAM when we're changing an expired password that it's an | |
| expired password, so that when cracklib flags a password as being weak it's | |
| treated as an error even if we're running as root | |
| - add patches for read overflow and null pointer dereference in the | |
| implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) | |
| - add patch for attempt to free uninitialized pointer in libkrb5 | |
| (CVE-2009-0846) | |
| - add patch to fix length validation bug in libkrb5 (CVE-2009-0847) | |
| - put the krb5-user .info file into just -workstation and not also | |
| -workstation-clients | |
| - backport a fix to allow a PKINIT client to handle SignedData from a KDC | |
| that's signed with a certificate that isn't in the SignedData, but which | |
| is available as an anchor or intermediate on the client (RT#7183) | |
| - take another stab at accounting for UnversionedDocdirs for the -libs | |
| subpackage (spotted by ssorce) | |
| - switch to just the snapshot of nss_wrapper we were using, since we | |
| no longer need to carry anything that isn't in the cwrap.org repository | |
| (ssorce) | |
| - fix bug in krb5.csh which would cause the path check to always succeed | |
| - rebuild | |
| - pull up changes to allow GSSAPI modules to provide more functions | |
| (RT#7682, #986564/#986565) | |
| - add buildprereq for autoconf | |
| - adjust the patch which removes the use of rpath to also produce a | |
| krb5-config which is okay in multilib environments (#190118) | |
| - make the name-of-the-tempfile comment which compile_et adds to error code | |
| headers always list the same file to avoid conflicts on multilib installations | |
| - strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes | |
| - strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on multilib | |
| boxes | |
| - drop netdb patch | |
| - kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that | |
| the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora, | |
| Netscape, Red Hat Directory Server (Simo Sorce) | |
| - Ensure we can build with the new CFLAGS | |
| - Remove the git versioning in patches | |
| - gssapi: pull in proposed fix for a double free in initiators (David | |
| Woodhouse, CVE-2014-4343, #1117963) | |
| - enable patch for key-expiration reporting | |
| - enable patch to make kpasswd fall back to TCP if UDP fails (#251206) | |
| - enable patch to make kpasswd use the right sequence number on retransmit | |
| - enable patch to allow mech-specific creds delegated under spnego to be found | |
| when searching for creds | |
| - pull up latest revision of patch to reduce lockups in rsh/rshd | |
| - Turn OFD locks back on with glibc workaround | |
| - Resolves: #1274922 | |
| - Backport fix of memory use after free during libkrad cleanup | |
| - Backport support for larger RADIUS attributes in libkrad | |
| - Resolves: rhbz#2103125 | |
| - New upstream prerelease (1.16-beta1) | |
| - put the conditional back for the -devel subpackage | |
| - back down to the earlier version of the patch for #551764; the backported | |
| alternate version was incomplete | |
| - update to 1.11 alpha 1 | |
| - drop backported patch for RT #7406 | |
| - drop backported patch for RT #7407 | |
| - drop backported patch for RT #7408 | |
| - the new docs system generates PDFs, so stop including them as sources | |
| - drop backported patch to allow deltat.y to build with the usual | |
| warning flags and the current gcc | |
| - drop backported fix for disabling use of a replay cache when verifying | |
| initial credentials | |
| - drop backported fix for teaching PKINIT clients which trust the KDC's | |
| certificate directly to verify signed-data messages that are signed with | |
| the KDC's certificate, when the blobs don't include a copy of the KDC's | |
| certificate | |
| - drop backported patches to make keytab-based authentication attempts | |
| work better when the client tells the KDC that it supports a particular | |
| cipher, but doesn't have a key for it in the keytab | |
| - drop backported fix for avoiding spurious clock skew when a TGT is | |
| decrypted long after the KDC sent it to the client which decrypts it | |
| - move the cross-referenced HTML docs into the -libs package to avoid | |
| broken internal links | |
| - drop patches to fixup paths in man pages, shouldn't be needed any more | |
| - build even libdb.a with -fPIC and $RPM_OPT_FLAGS. | |
| - add bison as a BuildPrereq (#20091) | |
| - rebuild | |
| - incorporate Simo's updated backport of his updated persistent-keyring changes | |
| (more of #991148) | |
| - Fix custom build with -DDEBUG | |
| - added -lncurses to telnet and telnetd makefiles | |
| - update to 1.2.6 | |
| - New upstream release | |
| - Update selinux with RHEL hygiene | |
| - Resolves: #1314096 | |
| - fix combination of --with-netlib and --enable-dns (#82176) | |
| - apply upstream patch to fix a null pointer dereference when processing | |
| TGS requests (CVE-2011-1530, #753748) | |
| - use %{_lib} for the sake of multilib systems | |
| - tell krb5kdc and kadmind to create pid files, since they can | |
| - add logrotate configuration files for krb5kdc and kadmind (#462658) | |
| - fix parsing of the pidfile option in the KDC (upstream #6750) | |
| - fix credential forwarding problem in klogind (goof in KRB5CCNAME handling) | |
| (#11588) | |
| - fix heap corruption bug in FTP client (#14301) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix reading of keyUsage extensions when attempting to select pkinit client | |
| certs (part of #629022, RT#6775) | |
| - fix selection of pkinit client certs when one or more don't include a | |
| subjectAltName extension (part of #629022, RT#6774) | |
| - update to 1.10 final | |
| - correctly use stdargs | |
| - Add send/receive sendto_kdc hooks and corresponding tests | |
| - Resolves: #1321135 | |
| - add in glue code to make sure that libkrb5 continues to provide a | |
| weak copy of stat() | |
| - Make krb5kdc -p affect TCP ports | |
| - fix license handling | |
| - specify dependencies on the same arch of krb5-libs by using the %{?_isa} | |
| suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155) | |
| - Switch to using autosetup macro. | |
| - Patches come from git, so it is easiest to just make a git repo | |
| - Add build dependency on gcc | |
| - check more thoroughly for errors when resolving KEYRING ccache names of type | |
| "persistent", which should only have a numeric UID as the next part of the | |
| name (#1029110) | |
| - Skip test suite on ppc64el | |
| - Related-to: #1464381 | |
| - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer | |
| when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, | |
| - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when | |
| high-numbered descriptors are used (CVE-2008-0947, #433596) | |
| - add backport bug fix for an attempt to free non-heap memory in | |
| libgssapi_krb5 (CVE-2007-5901, #415321) | |
| - add backport bug fix for a double-free in out-of-memory situations in | |
| libgssapi_krb5 (CVE-2007-5971, #415351) | |
| - move the compiled-in default ccache location from the previous default of | |
| FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588) | |
| - fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials | |
| - Add support for start_realm cache config | |
| - Resolves: #1901195 | |
| - apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02) | |
| - Support PAC with KDC extended signature and without ticket signature | |
| - Resolves: rhbz#2169477 | |
| - Pass gss_localname() through SPNEGO | |
| - Resolves: #1802334 | |
| - add patch to support "ANY" keytab type (i.e., | |
| "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" | |
| patch from Gerald Britton, #42551) | |
| - build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697) | |
| - patch ftpd to use long long and %lld format specifiers to support the SIZE | |
| command on large files (also #30697) | |
| - don't use LOG_AUTH as an option value when calling openlog() in ksu (#45965) | |
| - implement reload in krb5kdc and kadmind init scripts (#41911) | |
| - lose the krb5server init script (not using it any more) | |
| - gssapi: pull in upstream fix for a possible NULL dereference | |
| in spnego (CVE-2014-4344) | |
| - remove libdefault ticket_lifetime option from the default krb5.conf, it is | |
| ignored by libkrb5 | |
| - update to 1.11 release | |
| - suppress warnings of impending password expiration if expiration is more than | |
| seven days away when the KDC reports it via the last-req field, just as we | |
| already do when it reports expiration via the key-expiration field (#556495) | |
| - link with libtinfo rather than libncurses, when we can, in future RHEL | |
| - reintroduce ld.so.conf munging in the -libs %post | |
| - ksu: move session management calls to before we drop privileges, like | |
| su does (#596887), and don't skip the PAM account check for root or the | |
| same user (more of #540769) | |
| - Update tmpfiles dropin to use /run instead of /var/run | |
| - Resolves: #1945679 | |
| - only remove old krb5server init script links if the init script is there | |
| - disable kshell and eklogin by default | |
| - update to 1.3.1 | |
| - Continue after KRB5_CC_END in KCM cache iteration | |
| - update to 1.4.1, incorporating fixes for CAN-2005-0468 and CAN-2005-0469 | |
| - when starting the KDC or kadmind, if KRB5REALM is set via the /etc/sysconfig | |
| file for the service, pass it as an argument for the -r flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Convert Python tests to Python 3 | |
| - make krb5-libs obsolete the old krb5-configs package (#18351) | |
| - don't quit from the kpropd init script if there's no principal database so | |
| that you can propagate the first time without running kpropd manually | |
| - don't complain if /etc/ld.so.conf doesn't exist in the -libs %post | |
| - change back dns_lookup_kdc to the default setting (Stef Walter, #805318) | |
| - comment out example.com examples in default krb5.conf (Stef Walter, #805320) | |
| - update to 1.9 final | |
| - Fix leak of default credentials in gss_inquire_cred() | |
| Resolves: RHEL-32258 | |
| - move condrestarts to postun | |
| - make xinetd configs noreplace | |
| - add descriptions to xinetd configs | |
| - add /etc/init.d as a prereq for the -server package | |
| - patch to properly truncate $TERM in krlogind | |
| - update to 1.11 beta 2 | |
| - move the default acl_file, dict_file, and admin_keytab settings to | |
| the part of the default/example kdc.conf where they'll actually have | |
| an effect (#236417) | |
| - New upstream release | |
| - pull fix for non-compliant encoding of salt field in etype-info2 preauth | |
| data from 1.3.1 beta 1, until 1.3.1 is released. | |
| - Make docs build python3-compatible | |
| - Resolves: #1590928 | |
| - when removing -workstation, remove our files from the info index while | |
| the file is still there, in %preun, rather than %postun, and use the | |
| compressed file's name (#801035) | |
| - add and own %{_libdir}/krb5/plugins/authdata | |
| - patch to handle truncated dns responses | |
| - ksu: move account management checks to before we drop privileges, like | |
| su does (#540769) | |
| - selinux: set the user part of file creation contexts to match the current | |
| context instead of what we looked up | |
| - configure with --enable-dns-for-realm instead of --enable-dns, which isn't | |
| recognized any more | |
| - remove hesiod dependency at build-time | |
| - New upstream version (1.17) | |
| - Resolves: #1645594 | |
| - rebuild with OpenSSL 1.1.0, added backported upstream patch | |
| - add upstream patch to fix freeing an uninitialized pointer and dereferencing | |
| another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 | |
| and CVE-2012-1015, #844779 and #844777) | |
| - fix a thinko in whether or not we mess around with devel .so symlinks on | |
| systems without a separate /usr (sbose) | |
| - use portreserve correctly -- portrelease takes the basename of the file | |
| whose entries should be released, so we need three files, not one | |
| - update to 1.11.4 | |
| - drop patch for RT#7650, obsoleted | |
| - drop patch for RT#7706, obsoleted as RT#7723 | |
| - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 | |
| - update to 1.6.2 | |
| - add "buildrequires: texinfo-tex" to get texi2pdf | |
| - Update otp patches | |
| - Merge otp patches into a single patch | |
| - Add keycheck patch | |
| - fix telnet client environment variable disclosure the same way NetKit's | |
| telnet client did (CAN-2005-0488) (#159305) | |
| - keep apps which call krb5_principal_compare() or krb5_realm_compare() with | |
| malformed or NULL principal structures from crashing outright (Thomas Biege) | |
| (#161475) | |
| - add patch for buffer overflow in kadmind4 (not used by default) | |
| - make proper use of pam_loginuid and pam_selinux in rshd and ftpd | |
| - rebuild to compress man pages. | |
| - Match Heimdal behavior for channel bindings | |
| - Code hygiene + test stability fix included | |
| - Resolves: #1840518 | |
| - incorporate Simo's backport of his persistent-keyring changes (#991148) | |
| - restore build-time default DEFCCNAME on Fedora 21 and later and EL, and | |
| instead set default_ccache_name in the default krb5.conf's [libdefaults] | |
| section (#991148) | |
| - on releases where we expect krb5.conf to be configured with a | |
| default_ccache_name, add it whenever we upgrade from an older version of | |
| the package that wouldn't have included it in its default configuration | |
| file (#991148) | |
| - fix indexing error in server sorting patch (#127336) | |
| - Allow to make AD-SIGNEDPATH optional | |
| Resolves: RHEL-10514 | |
| - Bump 1%{?dist} to 2%{?dist} to workaround RPM sort issue | |
| which would lead yum updates to treat the last alpha as newer | |
| than the final version. | |
| - added krb5.csh and krb5.sh to /etc/profile.d | |
| - update to 1.2.7 | |
| - disable use of tcl | |
| - increase the maximum name length allowed by kuserok() to the higher value | |
| used in development versions | |
| - New upstream version 1.14.3 | |
| - fix a null pointer dereference and crash introduced in our PAM patch that | |
| would happen if ftpd was given the name of a user who wasn't known to the | |
| local system, limited to being triggerable by gssapi-authenticated clients by | |
| the default xinetd config (Olivier Fourdan, #569472) | |
| - run kadmin.local correctly at startup | |
| - don't let comments intended for one scriptlet become part of the "script" | |
| that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675) | |
| - add upstream patch for integer underflow during AES and RC4 decryption | |
| (CVE-2009-4212), via Tom Yu (#545015) | |
| - fix pid path in krb5kdc.service | |
| - update backport of the preauth module interface | |
| - extend PAM support to ksu: perform account and session management for the | |
| target user | |
| - pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware | |
| network-facing services | |
| - when testing the RPC library, treat denials from the local portmapper the | |
| same as a portmapper-not-running situation, to allow other library tests | |
| to be run while building the package | |
| - Switch to %ldconfig_scriptlets | |
| - fix the kpropd init script | |
| - Fix a leak in the previous commit | |
| - Restore dist macro that was accidentally removed | |
| - Resolves: #1540939 | |
| - Enable building with bad system /etc/krb5.conf | |
| - reintroduce missing %postun for the non-split_workstation case | |
| - rebuild to pick up the current forms of various patches | |
| - fix a typo in kerberos.ldif | |
| - remove patch to set TERM in klogind which, combined with the upstream fix in | |
| 1.3.1, actually produces the bug now (#114762) | |
| - only apply the patch to autocreate /run/user/0 when we're hard-wiring the | |
| default ccache location to be under it; otherwise it's unnecessary | |
| - add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653) | |
| - change Requires: for/in subpackages to include %{version} | |
| - apply the fix for CVE-2007-4000 instead of the experimental patch for | |
| setting ok-as-delegate flags | |
| - override INSTALL_SETUID at build-time so that ksu is installed into | |
| the buildroot with the right permissions (part of #225974) | |
| - add man pages for kerberos(1), kvno(1), .k5login(5) | |
| - add kvno to -workstation | |
| - move man pages that live in the -libs subpackage into the regular | |
| %{_mandir} tree where they'll still be found if that package is the | |
| only one installed (#529319) | |
| - Separate out the kadm5 libs | |
| - rebuild in new environment | |
| - reenable statglue | |
| - New upstream version (1.18.1) | |
| - Resolves: #1802334 | |
| - Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) | |
| - move to using pregenerated PDF docs to cure multilib conflicts (#222721) | |
| - bump release number and rebuild | |
| - switch buildrequires: and requires: on e2fsprogs-devel into | |
| buildrequires: and requires: on libss-devel, libcom_err-devel, per | |
| sandeen on fedora-devel-list | |
| - don't discard the error code from an error message received in response | |
| to a change-password request (#658871, RT#6893) | |
| - install src/krb524/README as README.krb524 in the -servers package, | |
| includes information about converting for AFS principals | |
| - update a test wrapper to properly handle things that the new libkrad does, | |
| and add python-pyrad as a build requirement so that we can run its tests | |
| - pull in patch for RT#7046: tag a ccache containing credentials obtained via | |
| S4U2Proxy with the principal name of the proxying principal (part of #761317) | |
| so that the default principal name can be set to that of the client for which | |
| it is proxying, which results in the ccache looking more normal to consumers | |
| of the ccache that don't care that there's proxying going on | |
| - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached | |
| (more of #761317) | |
| - pull in patch for RT#7048: allow PAC verification to only bother trying to | |
| verify the signature with keys that it's given (still more of #761317) | |
| - fix comments in krb5-configs | |
| - Add German translation | |
| - Up-port a bunch of stuff from the el-7.3 cycle | |
| - Resolves: #1255450, #1314989 | |
| - update to 1.3.4 final | |
| - Include more test suite changes from upstream | |
| - Resolves: #1464381 | |
| - rebuild in new environment | |
| - prebuild PDF docs to reduce multilib differences (internal tooling, #884065) | |
| - drop the kerberos-iv portreserve file, and drop the rest on systemd systems | |
| - escape uses of macros in comments (more of #884065) | |
| - update to 1.3.3 | |
| - rebuild | |
| - also perform PAM session and credential management when ftpd accepts a | |
| client using strong authentication, missed earlier | |
| - also label kadmind log files and files created by the db2 plugin | |
| - Fix problem with ccache_name logic in previous build | |
| - tweak graceful start/stop logic in post and preun | |
| - Add kprop service env config file | |
| - simplify the man pages patch by only preprocessing the files we care about | |
| and moving shared configure.in logic into a shared function | |
| - catch the case of ftpd printing file sizes using %i, when they might be | |
| bigger than an int now | |
| - pull the newer F21 defaults back to F20 (sgallagh) | |
| - bump again for double-long bug on ppc(64) | |
| - pull in fix for building against tcl 8.6 (#1107061) | |
| - update to latest patch kit for MITKRB5-SA-2003-004 | |
| - rebuild | |
| - add patch from Tom Yu for exploitable bugs in rpc code used in kadmind | |
| - install kadmin header files | |
| - Add upstream lookaside cache behavior fix (RT#7082) | |
| - Patch CVE-2015-2698 | |
| - Start using crypto-policies | |
| - Move krb5-kdb-version provides from -libs to -devel | |
| - pull in keyutils as a build requirement to get the "KEYRING:" ccache type, | |
| because we've merged | |
| - update to 1.3.2 | |
| - Save other programs from worrying about CVE-2017-11462 | |
| - Resolves: #1488873 | |
| - Resolves: #1488874 | |
| - switch to the upstream patch for #707145 | |
| - switch to the simplified version of the patch for #1029110 (RT#7764) | |
| - ftp: use the correct local filename during mget when the 'case' option is | |
| enabled (#442713) | |
| - Ensure pwsize is initialized in chpass_util.c | |
| - use PICFLAGS when building code from the ktany patch | |
| - don't bail from the KDC init script if there's no database, it may be in | |
| a different location than the default (fenlason) | |
| - remove the [kdc] section from the default krb5.conf -- doesn't seem to have | |
| been applicable for a while | |
| - pull in patch from master to move the default directory which the KDC uses | |
| when computing the socket path for a local OTP daemon from the database | |
| directory (/var/kerberos/krb5kdc) to the newly-added run directory | |
| (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more | |
| of #1040056 as #1063905) | |
| - add a tmpfiles.d configuration file to have /run/krb5kdc created at | |
| boot-time | |
| - own /var/run/krb5kdc | |
| - add missing shebang headers to krsh and krlogin wrapper scripts (#209238) | |
| - libgssapi: pull in patch from svn to stop returning context-expired errors | |
| when the ticket which was used to set up the context expires (#605366, | |
| upstream #6739) | |
| - pull in changes from upstream which add processing of the contents of | |
| /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) | |
| - update to 1.8 | |
| - temporarily bundling the krb5-appl package (split upstream as of 1.8) | |
| until its package review is complete | |
| - profile.d scriptlets are now only needed by -workstation-clients | |
| - adjust paths in init scripts | |
| - drop upstreamed fix for KDC denial of service (CVE-2010-0283) | |
| - drop patch to check the user's password correctly using crypt(), which | |
| isn't a code path we hit when we're using PAM | |
| - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part | |
| of #819115) | |
| - rebase to master | |
| - update to beta1 | |
| - drop obsolete backport of fix for RT#7706 | |
| - rebuild | |
| - Remove duplication between subpackages | |
| - Resolves: #1250228 | |
| - fix deadlock during file transfer via rsync/krsh | |
| - thanks goes to James Antill for hint | |
| - Add krb5_db_register_keytab | |
| - Resolves: #1376812 | |
| - Fix capaths "." values on client | |
| - Resolves: 1551099 | |
| - Upstream release. No actual change from beta, just version bump | |
| - Clean up unused parts of spec file | |
| - Add fix for RedHat Bug #1164304 ("Upstream unit tests loads | |
| the installed shared libraries instead the ones from the build") | |
| - login: don't truncate passwords before passing them into crypt(), in | |
| case they're significant (#149476) | |
| - Add support to query the SSF of a context | |
| - Pick up rename of perl dependency | |
| - drop a hunk from the dnsparse patch which is actually redundant (thanks to | |
| Tom Yu) | |
| - fix double-close in keytab handling | |
| - add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612) | |
| - back out setting default_ccache_name to the new default for now, resetting | |
| it to the old default while the kernel/keyutils bits get sorted (sgallagh) | |
| - rebuild | |
| - incorporate upstream patch for remote crash of KDCs which serve multiple | |
| realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, | |
| - Add SPAKE support | |
| - Improve protections on internal sensitive buffers | |
| - Improve internal hex encoding/decoding | |
| - Fix k5test prompts for Python 3 | |
| - make use of install-info more failsafe (Ville Skyttä, #223704) | |
| - preserve timestamps on shell scriptlets at %install-time | |
| - Backport fix for change password requests when using FAST (RT#7868) | |
| - Make klogind pass a clean environment to children, like NetKit's rlogind does. | |
| - on EL6, conflict with libsmbclient before 3.5.10-124, which is when it | |
| stopped linking with a symbol which we no longer export (#771687) | |
| - pull up patch for RT#7063, in which not noticing a prompt for a long | |
| time throws the client library's idea of the time difference between it | |
| and the KDC really far out of whack (#773496) | |
| - add a backport of more patches to set the client's list of supported enctypes | |
| when using a keytab to be the list of types of keys in the keytab, plus the | |
| list of other types the client supports but for which it doesn't have keys, | |
| in that order, so that KDCs have a better chance of being able to issue | |
| tickets with session keys of types that the client can use (#837855) | |
| - use portreserve to make sure the KDC can always bind to the kerberos-iv | |
| port, kpropd can always bind to the krb5_prop port, and that kadmind can | |
| always bind to the kerberos-adm port (#555279) | |
| - correct inadvertent use of macros in the changelog (rpmlint) | |
| - update backport of the preauth module interface | |
| - add proposed patches 4566, 4567 | |
| - add proposed edata reporting interface for KDC | |
| - add temporary placeholder for module global context fixes | |
| - Unify kvno option documentation | |
| - Resolves: #1869055 | |
| - Don't enable the server by default. | |
| - Compress info pages. | |
| - Add defaults for the PAM module to krb5.conf | |
| - rebuild properly when pthread_mutexattr_setrobust_np() is defined but not | |
| declared, such as with recent glibc when _GNU_SOURCE isn't being used | |
| - Use SHA-256 instead of MD5 for audit ticket IDs | |
| - New upstream release - 1.16.1 | |
| - update to 1.2.7-beta2 (internal only, not for release), dropping dnsparse | |
| and kadmind4 fixes | |
| - Backport getrandom() support | |
| - Remove patch numbering | |
| - fix link flags and permissions on shared libraries (ausil) | |
| - update to 1.2.2, which fixes some bugs relating to empty ETYPE-INFO | |
| - re-enable optimization on Alpha | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - tweak statglue.c to fix stat/stat64 aliasing problems | |
| - be cleaner in use of gcc to build shlibs | |
| - rebuild | |
| - fix a logic bug in computing key expiration times (RT#6762, #627022) | |
| - Backport kdc policy plugin, but this time with dependencies | |
| - move the rather large pile of html and pdf docs to -workstation, so | |
| that just having something that links to the libraries won't drag | |
| them onto a system, and we avoid having to sort out hard-coded paths | |
| that include %{_libdir} showing up in docs in multilib packages | |
| - actually create %{_var}/kerberos/kdc/user, so that it can be packaged | |
| - correct the list of packaged man pages | |
| - don't dummy up required tex stylesheets, require them | |
| - require pdflatex and makeindex | |
| - switch to the version of persistent-keyring that was just merged to | |
| master (RT#7711), along with related changes to kinit (RT#7689) | |
| - go back to setting default_ccache_name to a KEYRING type | |
| - add patch to build semi-useful static libraries, but don't apply it unless | |
| we need them | |
| - update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 | |
| and CVE-2007-4000 (the new pkinit module is built conditionally and goes | |
| into the -pkinit-openssl package, at least for now, to make a buildreq | |
| loop with openssl avoidable) | |
| - Work around KDC client principal in referrals issue (#1259844) | |
| - pass absolute path to kadm5.keytab if/when extracting keys at startup | |
| - add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325) | |
| - kdc.conf: no more need to suggest keeping keys with v4-compatible salting | |
| - kadmin.service: fix #723723 again | |
| - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command | |
| lines, because systemd parsing doesn't handle alternate value shell variable | |
| syntax | |
| - kprop.service: add missing Type=forking so that systemd doesn't assume simple | |
| - kprop.service: expect the ACL configuration to be there, not absent | |
| - handle a harder-to-trigger assertion failure that starts cropping up when we | |
| exit the transmit loop on time (#739853) | |
| - update backport of the preauth module interface (part of #194654) | |
| - rebuild | |
| - don't forget to set the SELinux label when creating the directory for | |
| a DIR: ccache | |
| - pull in proposed fix for attempts to get initial creds, which end up | |
| following referrals, incorrectly trying to always use master KDCs if | |
| they talked to a master at any point (should fix RT#7650) | |
| - Hammer refresh around transient rawhide issue | |
| - special-case /run/user/0, attempting to create it when resolving a | |
| directory cache below it fails due to ENOENT and we find that it doesn't | |
| already exist, either, before attempting to create the directory cache | |
| (maybe helping, maybe just making things more confusing for #961235) | |
| - fix a version comparison to expect newer texlive build requirements when | |
| %{_rhel} > 6 rather than when it's > 7 | |
| - apply upstream patch to fix a null pointer dereference with the LDAP kdb | |
| backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb | |
| backends (CVE-2011-1528), and a null pointer dereference with multiple kdb | |
| backends (CVE-2011-1529) (#737711) | |
| - turn off krb4 support (it won't be part of the 1.7 release, but do it now) | |
| - use triggeruns to properly shut down and disable krb524d when -server and | |
| -workstation-servers gets upgraded, because it's gone now | |
| - move the libraries to /%{_lib}, but leave --libdir alone so that plugins | |
| get installed and are searched for in the same locations (#473333) | |
| - clean up buildprereq/prereqs, explicit mktemp requires, and add the | |
| ldconfig for the -server-ldap subpackage (part of #225974) | |
| - escape possible macros in the changelog (part of #225974) | |
| - fixup summary texts (part of #225974) | |
| - take the execute bit off of the protocol docs (part of #225974) | |
| - unflag init scripts as configuration files (part of #225974) | |
| - make the kpropd init script treat 'reload' as 'restart' (part of #225974) | |
| - switch to the upstream patch for #727829 | |
| - Update includedir processing to match upstream | |
| - New upstream beta version | |
| - klist: don't trip over referral entries when invoked with -s (#707145, | |
| RT#6915) | |
| - krb5_get_init_creds_password: check opte->flags instead of options->flags | |
| when checking whether or not we get to use the prompter callback (#555875) | |
| - add upstream patch for KDC crash during referral processing (CVE-2009-3295), | |
| via Tom Yu (#545002) | |
| - update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and | |
| MIT-KRB5-SA-2005-003 | |
| - re-enable large file support, fell out in 1.3-1 | |
| - patch rcp to use long long and %lld format specifiers when reporting file | |
| sizes on large files | |
| - backport fix for not being able to verify the list of transited realms | |
| in GSS acceptors (RT#7639, #959685) | |
| - backport fix for not being able to pass an empty password to the | |
| get-init-creds APIs and have them actually use it (RT#7642, #960001) | |
| - add backported proposed fix to use the unauthenticated server time | |
| as the basis for computing the requested credential expiration times, | |
| rather than the client's idea of the current time, which could be | |
| significantly incorrect (#961221) | |
| - fix segfault in telnet due to incorrect checking of gethostbyname_r result | |
| codes (#129059) | |
| - Omit KDC indicator check for S4U2Self requests | |
| - Resolves: #1802334 | |
| - add backport of in-development preauth module interface (#208643) | |
| - New upstream release | |
| - Add flag to disable encrypted timestamp on client | |
| - Replace _kadmin/_kprop with systemd macros | |
| - Remove traces of upstart from fedora package per policy | |
| - Resolves: #1290185 | |
| - Fix leak in KERB_AP_OPTIONS_CBT server support | |
| - Resolves: #1860831 | |
| - Fix KDC return code and set prompt types for OTP client preauth | |
| - Resolves: #1370072 | |
| - back out buildrequires: keyutils-libs-devel for now | |
| - Fix memory leak in GSSAPI interface | |
| Resolves: RHEL-27250 | |
| - Fix memory leak in PMAP RPC interface | |
| Resolves: RHEL-27244 | |
| - Make TCP waiting time configurable | |
| Resolves: RHEL-17131 | |
| - rebuild | |
| - Backport interposer fix (#1284985) | |
| - Drop workaround pwsize initialization patch (gcc has been fixed) | |
| - apply upstream patch by way of Burt Holzman to fall back to a non-referral | |
| method in cases where we might be derailed by a KDC that rejects the | |
| canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074) | |
| - Fix RC4 blocking in FIPS mode | |
| - Resolves: #1660222 | |
| - rebuild | |
| - own the directories which are created for each package (#26342) | |
| - Update backports of certauth and corresponding test | |
| - rework file labeling patch to not depend on fragile preprocessor trickery, | |
| in another attempt at fixing #428355 and friends | |
| - provide docs in PDF format instead of as tex source (Enrico Scholz, #209943) | |
| - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating | |
| using the old protocol over IPv4 again (RT#6920) | |
| - update to 1.8.2 | |
| - drop patches for CVE-2010-1320, CVE-2010-1321 | |
| - Bump release + rebuild. | |
| - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared | |
| libraries | |
| - and put it back in | |
| - drop patch to add additional access() checks to ksu - they add to breakage | |
| when non-FILE: caches are in use (#1026099), shouldn't be resulting in any | |
| benefit, and clash with proposed changes to fix its cache handling | |
| - Fix upstream URLs in spec file | |
| - Resolves: #1868039 | |
| - Fix flaws in LDAP DN checking | |
| - CVE-2018-5729, CVE-2018-5730 | |
| - Ignore bad enctypes in krb5_string_to_keysalts() | |
| - Resolves: #1858322 | |
| - update to 1.7 | |
| - no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS | |
| - configure recognizes --enable/--disable-pkinit now | |
| - configure can take --disable-rpath now | |
| - no more libdes425, krb524d, krb425.info | |
| - kadmin/k5srvutil/ktutil are user commands now | |
| - new kproplog | |
| - FAST encrypted-challenge plugin is new | |
| - drop static build logic | |
| - drop pam_krb5-specific configuration from the default krb5.conf | |
| - drop only-use-v5 flags being passed to various things started by xinetd | |
| - put %{krb5prefix}/sbin in everyone's path, too (#504525) | |
| - add patch based on one from Filip Krska to not call poll() with a negative | |
| timeout when the caller's intent is for us to just stop calling it (#838548) | |
| - fix for CVE-2015-2694 (#1216133) "requires_preauth bypass | |
| in PKINIT-enabled KDC". | |
| In MIT krb5 1.12 and later, when the KDC is configured with | |
| PKINIT support, an unauthenticated remote attacker can | |
| bypass the requires_preauth flag on a client principal and | |
| obtain a ciphertext encrypted in the principal's long-term | |
| key. This ciphertext could be used to conduct an off-line | |
| dictionary attack against the user's password. | |
| - Prevent overflow when calculating ulog block size (CVE-2025-24528) | |
| Resolves: RHEL-78248 | |
| - kdb5_util: fix DB entry flags on modification | |
| Resolves: RHEL-56060 | |
| - Do not block HMAC-MD4/5 in FIPS mode | |
| Resolves: RHEL-86786 | |
| - Don't issue RC4 session keys by default (CVE-2025-3576) | |
| Resolves: RHEL-88049 | |
| - Add PKINIT paChecksum2 from MS-PKCA v20230920 | |
| Resolves: RHEL-82648 | |
| - pull up fix for not calling a kdb plugin's check-transited-path | |
| method before calling the library's default version, which only knows | |
| how to read what's in the configuration file (RT#7709, #1013664) | |
| - fix conditional for future RHEL | |
| - rebuild | |
| - apply second set of buffer overflow fixes from Tom Yu | |
| - fix from Dirk Husung for a bug in buffer cleanups in the test suite | |
| - work around possibly broken rev binary in running test suite | |
| - move default realm configs from /var/kerberos to %{_var}/kerberos | |
| - Adjust dependency on crypto-policies to be just the file we want | |
| - Patch courtesy of lslebodn | |
| - Resolves: #1308984 | |
| - pull in fix for denial of service by injection of malformed GSSAPI tokens | |
| (CVE-2014-4341, CVE-2014-4342, #1116181) | |
| - pam_rhosts_auth.so's been gone, use pam_rhosts.so instead | |
| - fix bug in patch to make rlogind start login with a clean environment a la | |
| netkit rlogin, spotted and fixed by Scott McClung | |
| - apply kpasswd bug fixes from David Wragg | |
| - fix for potentially gzipped man pages | |
| - Fix incorrect recv() size calculation in libkrad | |
| - label all files at creation-time according to the SELinux policy (#228157) | |
| - pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() | |
| during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or | |
| not to ask for an IPv6 address based on the set of configured interfaces | |
| (#717378, RT#6922) | |
| - pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) | |
| - kadmind: add upstream patch to fix free() on an invalid pointer (#696343, | |
| MITKRB5-SA-2011-004, CVE-2011-0285) | |
| - Fix krb5kdf support and add proper openssl version requirements | |
| - Resolves: #1754690 | |
| - drop not-needed-since-1.8 build dependency on rsh (ssorce) | |
| - add deadlock patch, removed old patch | |
| - when iterating over lists of interfaces which are "up" from getifaddrs(), | |
| skip over those which have no address (#113347) | |
| - Fix FTBFS by no longer working around bug in nss_wrapper | |
| - add patch to document the reject-bad-transited option in kdc.conf | |
| - New upstream release - 1.15.1 | |
| - Fix source URLs in spec file | |
| - Resolves: #1755959 | |
| - tweak server init script to automatically extract kadm5 keys if | |
| /var/kerberos/krb5kdc/kadm5.keytab doesn't exist yet | |
| - adjust package descriptions | |
| - pull up fix for importing previously-exported credential caches in the | |
| gssapi library (RT# 7706, #1019420) | |
| - kpropd hasn't bothered with -S since 1.11; stop trying to use that flag | |
| in the systemd unit file | |
| - rebuild | |
| - fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when | |
| randomizing the keys for a service principal" | |
| - Remove outdated note in krb5kdc man page | |
| - convert to systemd | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456) | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456) | |
| - Backport fix for GSSAPI fallback realm | |
| - revert that last change for a bit while sorting out execstack when we | |
| use AES-NI (#1045699) | |
| - some init script cleanups | |
| - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502) | |
| - krb524: don't barf on missing database if it looks like we're using kldap, | |
| same as for kadmin | |
| - return non-zero status for missing files which cause startup to | |
| fail (#242502) | |
| - incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644, | |
| CAN-2004-0772 | |
| - Fix use of KKDCPP with SNI | |
| - Resolves: #1365027 | |
| - when building with our bundled copy of libverto, package it in with -libs | |
| rather than with -server (#886049) | |
| - Add libverto-devel requires for krb5-devel | |
| - Add otp support | |
| - make PAM support for ksu also set PAM_RUSER | |
| - Fix leaks in gss_inquire_cred_by_oid() | |
| - update to 1.8.3 | |
| - drop backports of fixes for gss context expiration and error table | |
| registration/deregistration mismatch | |
| - drop patch for upstream #6750 | |
| - pull up patch to get the client libraries to correctly perform password | |
| changes over IPv6 (Sumit Bose, RT#6661) | |
| - spnego: pull in patch from master to restore preserving the OID of the | |
| mechanism the initiator requested when we have multiple OIDs for the same | |
| mechanism, so that we reply using the same mechanism OID and the initiator | |
| doesn't get confused (#1066000, RT#7858) | |
| - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and | |
| make it public (#745533) | |
| - fix info page insertions | |
| - Add pkinit_anchors default value to krb5.conf | |
| - Reindent krb5.conf to not be terrible | |
| - Use "new" systemd macros for service handling. (Thanks vpavlin!) | |
| - Resolves: #850399 | |
| - Backport fix for chrome crash in spnego_gss_inquire_context | |
| - Resolves: #1295893 | |
| - remove setuid bit on v4rcp and ksu in case the checks previously added | |
| don't close all of the problems in ksu | |
| - apply patches from Jeffrey Schiller to fix overruns Chris Evans found | |
| - reintroduce configs subpackage for use in the errata | |
| - add PreReq: sh-utils | |
| - fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy | |
| name crash" | |
| - make profile.d scriptlets mode 644 instead of 755 (part of #225974) | |
| - fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) | |
| - cover more cases in labeling files on creation | |
| - add missing gawk build dependency | |
| - build shared libraries with partial RELRO support (#723995) | |
| - filter out potentially multiple instances of -Wl,-z,relro from krb5-config | |
| output, now that it's in the buildroot's default LDFLAGS | |
| - pull in a patch to fix losing track of the replay cache FD, from SVN by | |
| way of Kevin Coffman | |
| - mark profile.d config files noreplace (Laurent Rineau, #196447) | |
| - fix krb5-send-pr (#18932) and move it from -server to -workstation | |
| - buildprereq libtermcap-devel | |
| - temporarily disable optimization on alphas | |
| - gettextize init scripts | |
| - fix config_subpackage logic | |
| - update to 1.10.2 | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - also package the PDF format admin, user, and install guides | |
| - drop some PDFs that no longer get built right | |
| - add a backport of Stef's patch to set the client's list of supported | |
| enctypes to match the types of keys that we have when we are using a | |
| keytab to try to get initial credentials, so that a KDC won't send us | |
| an AS reply that we can't encrypt (RT#2131, #748528) | |
| - don't shuffle around any shared libraries on releases with no-separate-/usr, | |
| since /usr/lib is the same place as /lib | |
| - add explicit buildrequires: on 'hostname', for the tests, on systems where | |
| it's in its own package, and require net-tools, which used to provide the | |
| command, everywhere | |
| - Explicitly look for python2 in configure.in | |
| - fixup some int/pointer varargs wackiness | |
| - add patch from Tom Yu to fix ftpd overflows (#37731) | |
| - build alpha with -O0 for now | |
| - own %{_var}/kerberos | |
| - make ksu and v4rcp owned by root | |
| - fix double-free in the kdc (patch merged into MIT tree) | |
| - include convert-config-files script as a documentation file | |
| - New upstream release - krb5-1.15.2 | |
| - Adjust patches as appropriate | |
| - apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084) | |
| - update to 1.11.1 | |
| - drop patch for noticing negative timeouts being passed to the poll() | |
| wrapper in the client transmit functions | |
| - rebuild | |
| - rebuild | |
| - Add APIs for marshalling credentials | |
| - Resolves: #1964619 | |
| - set SS_LIB at configure-time so that libss-using apps get working readline | |
| support (#197044) | |
| - handle releases where texlive packaging wasn't yet as complicated as it | |
| is in Fedora 18 | |
| - fix an uninitialized-variable error building one of the test programs | |
| - add patch from Mark Cox for exploitable bugs in ftp client | |
| - Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest | |
| - Resolves: #2066316 | |
| - Fix arch name (ppc64le, not ppc64el) | |
| - Related-to: #1464381 | |
| - include profile.d scriptlets in krb5-devel so that krb5-config will be in | |
| the path if krb5-workstation isn't installed, reported by Kir Kolyshkin | |
| - add an xinetd configuration file for encryption-only telnetd, parallelling | |
| the kshell/ekshell pair (#167535) | |
| - clean up quoting of command-line arguments passed to the krsh/krlogin | |
| wrapper scripts | |
| - Display an error message if ocsp pkinit is requested | |
| - Don't check for write access on /etc/krb5.conf if SELinux | |
| - add yasm as a build requirement for AES-NI support, on arches that have | |
| yasm and AES-NI | |
| - rebuilt | |
| - New rawhide, new upstream version | |
| - Drop CVE patches | |
| - Rename fix_interposer.patch to acquire_cred_interposer.patch | |
| - Update acquire_cred_interposer.patch to apply to new source | |
| - explicitly run the pdf generation script using sh (part of #225974) | |
| - generate src/include/krb5/krb5.h before building | |
| - fix conditional for sparcv9 | |
| - Add free hook to KDB; increments KDB version | |
| - Add KDB version flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - New upstream release (1.18.2) | |
| - Resolves: #1802334 | |
| - add some conditional logic to simplify building on older Fedora releases | |
| - Re-provide krb5-kdb-version in -devel as well (IPA wants it) | |
| - Resolves: #1645594 | |
| - add LSB-style init script info | |
| - TEMPORARILY disable usage of OFD locks as a workaround for x86 | |
| - update to 1.11 beta 1 | |
| - update to 1.13 alpha1 | |
| - drop upstreamed and backported patches | |
| - fix output of kprop's init script's "status" and "reload" commands (#588222) | |
| - add patch to correct unauthorized access via krb5-aware telnet | |
| daemon (#229782, CVE-2007-0956) | |
| - add patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - clean up init script for server, verify that it works [jlkatz] | |
| - clean up rotation script so that rc likes it better | |
| - add clean stanza | |
| - turn off NSS as the backend for libk5crypto for now to work around its | |
| DES string2key not working (#679012) | |
| - add revised upstream patch to fix double-free in KDC while returning | |
| typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325) | |
| - Use full paths in krb5.sh to avoid path lookups | |
| - fix configure stuff for ia64 | |
| - Backport OID mech fix | |
| - Resolves: #1317609 | |
| - rebuilt | |
| - pull in upstream fix for an incorrect check on the value returned by a | |
| strdup() call (#1132062) | |
| - Switch to python3-sphinx for docs | |
| - Resolves: #1590928 | |
| - kadmind.init: don't fail outright if the default principal database | |
| isn't there if it looks like we might be using the kldap plugin | |
| - kadmind.init: attempt to extract the key for the host-specific kadmin | |
| service when we try to create the keytab | |
| - Use system nss_wrapper and socket_wrapper for testing. | |
| Patch by Andreas Schneider |
|
| - Zap copy of secret in RC4 string-to-key | |
| - tag a couple of other patches which we still need to be applied during | |
| %{?_rawbuild} builds (zmraz) | |
| - add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches, | |
| dragging keyutils-libs in as a dependency | |
| - rebuild | |
| - rebuilt | |
| - Make krb5kdc.log not world-readable by default | |
| - Resolves: #1276484 | |
| - New upstream version (1.18) | |
| - Resolves: #1802334 | |
| - Resolves: #1820311 | |
| - Resolves: #1791062 | |
| - Resolves: #1784655 | |
| - Remove WITH_NSS macro (always false) | |
| - Remove WITH_SYSTEMD macro (always true) | |
| - Remove WITH_LDAP macro (always true) | |
| - Remove WITH_OPENSSL macro (always true) | |
| - rename the krb5 package back to krb5-libs; the previous rename caused | |
| something of an uproar | |
| - update to 1.2.3, which includes the FTP and telnetd fixes | |
| - configure without --enable-dns-for-kdc --enable-dns-for-realm, which now set | |
| the default behavior instead of enabling the feature (the feature is enabled | |
| by --enable-dns, which we still use) | |
| - reenable optimizations on Alpha | |
| - support more encryption types in the default kdc.conf (heads-up from post | |
| to comp.protocols.kerberos by Jason Heiss) | |
| - Try harder to avoid password change replay errors | |
| - Resolves: #2077563 | |
| - rebuild | |
| - test update to 1.3 beta 4 | |
| - ditch statglue build option | |
| - krb5-devel requires e2fsprogs-devel, which now provides libss and libcom_err | |
| - Drop dependency on python2-pyrad (dead upstream, broken with new python) | |
| - fix buffer underrun in unparsing certain principals (CAN-2003-0082) | |
| - Drop dependency on pax, ksh | |
| - Remove support for fedora < 20 | |
| - Add BuildRequires on python2 so we can run tests at build-time | |
| - clear fuzz out of patches, dropping a man page patch which is no longer | |
| necessary | |
| - quote %{__cc} where needed because it includes whitespace now | |
| - define ASN1BUF_OMIT_INLINE_FUNCS at compile-time (for now) to keep building | |
| - Add upstream crashfix patch (RT#7081) | |
| - fixed server package so that it works now | |
| - update to 1.8.1 | |
| - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 | |
| - replace buildrequires on tetex-latex with one on texlive-latex, which is | |
| the package that provides it now | |
| - initial update to 1.6, pre-package-reorg | |
| - move workstation daemons to a new subpackage (#81836, #216356, #217301), and | |
| make the new subpackage require xinetd (#211885) | |
| - Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) | |
| - Resolves: #1983729 | |
| - Update to krb5-1.13.1 | |
| - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 | |
| - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 | |
| - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 | |
| - Minor spec cleanup | |
| - update to 1.10.3, rolling in the fixes from MITKRB5-SA-2012-001 | |
| - Put openssl runtime requirement in the right place this time | |
| - Resolves: #1754690 | |
| - Rebuilt for gcc bug 634757 | |
| - backport the callback to use the libkrb5 prompter when we can't load PEM | |
| files for PKINIT (RT#7590, includes part of #965721/#1016690) | |
| - extract the rest of the fix #965721/#1016690 from the changes for RT#7680 | |
| - add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and | |
| CAN-2003-0139) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
|
|
|
| krb5-workstation-1.18.2-32.el8_10.x86_64.rpm | - Make krb5-devel depend on libkadm5 |
| - Resolves: #1364487 | |
| - Merge krb5-configs back into krb5-libs. The krb5.conf file is marked as | |
| a %config file anyway. | |
| - Make krb5.conf a noreplace config file. | |
| - Fix KCM client time offset propagation | |
| - Resolves: #1738553 | |
| - gettextize init scripts | |
| - fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated | |
| denial of service in recvauth_common() and others" | |
| - add preliminary patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - Clean up etype display on KDC | |
| - Resolves: #1664157 | |
| - build without -g3, which gives us large static libraries in -devel | |
| - further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit | |
| architectures, to avoid multilib conflicts; other changes will conspire to | |
| strip out the -L flag which uses this, so it should be harmless (#192692) | |
| - Correct copyright: it's exportable now, provided the proper paperwork is | |
| filed with the government. | |
| - FIPS: disable 3DES and ed25519 | |
| - Resolves: #1616326 | |
| - Fix backward check in kprop.service | |
| - apply Mike Friedman's patch to fix format string problems | |
| - don't strip off argv[0] when invoking regular rsh/rlogin | |
| - work around a compile problem with new openssl | |
| - update to 1.12 final | |
| - use (a bundled, for now, copy of) nss_wrapper to let us run some of the | |
| self-tests at build-time in more places than we could previously (#978756) | |
| - cover inconsistencies in whether or not there's a local caching nameserver | |
| that's willing to answer when the build environment doesn't have a | |
| resolver configuration, so that nss_wrapper's faking of the local | |
| hostname can be complete | |
| - update to 1.2.5 | |
| - disable statglue | |
| - Backport certauth eku security fix | |
| - rebuilt with new openssl | |
| - Backport my interposer fixes from upstream | |
| - Supersedes krb5-mechglue_inqure_attrs.patch | |
| - New upstream prerelease (1.16-beta2) | |
| - Fix use of enterprise principals with forwarding | |
| - fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer | |
| dereference when using keyless entries" | |
| - Use the correct patches this time. | |
| - Resolves: #1321135 | |
| - apply fix from Tom Yu for MITKRB5-SA-2004-004 (CAN-2004-1189) | |
| - remove hashless key types from the default kdc.conf, they're not supposed to | |
| be there, noted by Sam Hartman on krbdev | |
| - properly advertise that the kpropd init script now supports force-reload | |
| (Zbysek Mraz, #630587) | |
| - update to alpha 2 | |
| - drop a couple of patches which were integrated for alpha 2 | |
| - correct some configuration file paths which the KDC_DIR patch missed | |
| - Remove "-nodes" option from make-certs scripts | |
| - patch to avoid depending on |
|
| - initial update to alpha1 | |
| - drop backport of persistent keyring support | |
| - drop backport for RT#7689 | |
| - drop obsolete patch for fixing a use-before-init in a test program | |
| - drop obsolete patch teaching config.guess/config.sub about aarch64-linux | |
| - drop backport for RT#7598 | |
| - drop backport for RT#7172 | |
| - drop backport for RT#7642 | |
| - drop backport for RT#7643 | |
| - drop patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too; obsolete | |
| - drop backports for RT#7682 | |
| - drop backport for RT#7709 | |
| - drop backport for RT#7590 and partial backport for RT#7680 | |
| - drop OTP backport | |
| - drop backports for RT#7656 and RT#7657 | |
| - BuildRequires: libedit-devel to prefer it | |
| - BuildRequires: pkgconfig, since configure uses it | |
| - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, | |
| - OpenSSL has an epoch, apparently | |
| - Resolves: #1754690 | |
| - selinux: hang on to the list of selinux contexts, freeing and reloading | |
| it only when the file we read it from is modified, freeing it when the | |
| shared library is being unloaded (#845125) | |
| - In FIPS mode, add plaintext fallback for RC4 usages and taint | |
| - disable optimizations on the alpha again | |
| - pull up Simo's patch to mark the correct mechanism on imported GSSAPI | |
| contexts (RT#7592) | |
| - go back to using reconf to run autoconf and autoheader (part of #925640) | |
| - add temporary patch to use newer config.guess/config.sub (more of #925640) | |
| - Remove downloadable source signature file | |
| - Resolves: rhbz#2219654 | |
| - don't include |
|
| - debloat | |
| - Fix network service dependencies | |
| - Resolves: #1525230 | |
| - New upstream beta version | |
| - Merge duplicate subsections in profile library | |
| - Fix gitignore problem with previous patchset | |
| - patch ksu man page because the -C option never works | |
| - add access() checks and disable debug mode in ksu | |
| - modify default ksu build arguments to specify more directories in CMD_PATH | |
| and to use getusershell() | |
| - Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear | |
| when kadmind starts"). The issue was caused by an unneeded |htons()| | |
| which triggered SELinux AVC denials due to the "random" port usage. | |
| - Update from krb5-1.13-alpha1 to final krb5-1.13 | |
| - Removed patch for CVE-2014-5351 (#1145425) "krb5: current | |
| keys returned when randomizing the keys for a service principal" - | |
| now part of upstream sources | |
| - Use patch for glibc |eventfd()| prototype mismatch (#1147887) only | |
| for Fedora > 20 | |
| - force -fPIC | |
| - Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) | |
| - rebuilt | |
| - specify the location of the subsystem lock when using the status() function | |
| in the kadmind and kpropd init scripts, so that we get the right error when | |
| we're dead but have a lock file - requires initscripts 8.99 (#521772) | |
| - switch man pages to being generated with the right paths in them | |
| - drop old, incomplete SELinux patch | |
| - add patch from Greg Hudson to make srvtab routines report missing-file errors | |
| at same point that keytab routines do (#241805) | |
| - incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 | |
| (MITKRB5-SA-2004-002, #130732) | |
| - incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) | |
| - respin with updated version of patch for RT#7650 (#969331) | |
| - silence compiler warning in kprop by using an in-memory ccache with a fixed | |
| name instead of an on-disk ccache with a name generated by tmpnam() | |
| - Remove dependency on systemd-sysv which is no longer needed for fedora > 20 | |
| This also fixes a fail-to-build issue. | |
| - Miscellaneous spec cleanup fixes | |
| - Put KDB authdata first | |
| - Resolves: #1800575 | |
| - update to 1.10.1 | |
| - drop the KDC crash fix | |
| - drop the KDC lookaside cache fix | |
| - drop the fix for kadmind RPC ACLs (CVE-2012-1012) | |
| - update to beta 1 | |
| - add currently-proposed changes to teach ksu about credential cache | |
| collections and the default_ccache_name setting (#1015559,#1026099) | |
| - Re-enable test suite on ppc64le (no other changes) | |
| - modify the deltat grammar to also tell gcc (4.7) to suppress | |
| "maybe-uninitialized" warnings in addition to the "uninitialized" warnings | |
| it's already being told to suppress (RT#7080) | |
| - change /usr/dict/words to /usr/share/dict/words in default kdc.conf (#20000) | |
| - add patch to accept keytab entries with vno==0 as matches when we're | |
| searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) | |
| - mktemp was long obsoleted by coreutils | |
| - ftp: add patch to fix "runique on" case when globbing fixes applied | |
| - stop adding a redundant but harmless call to initialize the gssapi internals | |
| - fix a typo in a ksu error message (Marek Mahut) | |
| - "rev" works the way the test suite expects now, so don't disable tests | |
| that use it | |
| - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6 | |
| - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename | |
| - reintroduce the init scripts for non-systemd releases | |
| - forward-port %{?_rawbuild} annotations from EL6 packaging | |
| - Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 | |
| - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, | |
| where it's actually needed (#538703) | |
| - Fix log file permissions patch with our selinux | |
| - Resolves: #1309421 | |
| - Enable MD5 override for FIPS RADIUS | |
| - Resolves: #1872689 | |
| - go back to not messing with library file paths on Fedora 17: it breaks | |
| file path dependencies in other packages, and since Fedora 17 is already | |
| released, breaking that is our fault | |
| - Explicitly require python2 packages | |
| - Backport upstream certauth EKU fixes | |
| - Add temporary workaround for RH bug #1204646 ("krb5-config | |
| returns wrong -specs path") which modifies krb5-config post | |
| build so that development of krb5 dependencies gets unstuck. | |
| This MUST be removed before rawhide becomes F23 ... | |
| - Fix CVE-2017-11368 (remote triggerable assertion failure) | |
| - Properly close krad sockets | |
| - Resolves: #1380836 | |
| - allocate space for the nul-terminator in the local pathname when looking up | |
| a file context, and properly free a previous context (Jose Plans, #426085) | |
| - Move kdbversion info into -server for IPA (so we can rebase) | |
| - Resolves: #1645594 | |
| - update to 1.11.2 | |
| - drop pulled in patch for RT#7586, included in this release | |
| - drop pulled in patch for RT#7592, included in this release | |
| - pull in fix for keeping track of the message type when parsing FAST requests | |
| in the KDC (RT#7605, #951843) (also #951965) | |
| - if the init script fails to start krb5kdc/kadmind/kpropd because it's already | |
| running (according to status()), return 0 (part of #521772) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - build | |
| - pull in fix from master to return a NULL pointer rather than allocating | |
| zero bytes of memory if we read a zero-length input token (RT#7794, part of | |
| - pull in fix from master to ignore an empty token from an acceptor if | |
| we've already finished authenticating (RT#7797, part of #1043962) | |
| - pull in fix from master to avoid a memory leak when a mechanism's | |
| init_sec_context function fails (RT#7803, part of #1043962) | |
| - pull in fix from master to avoid a memory leak in a couple of error | |
| cases which could occur while obtaining acceptor credentials (RT#7805, part | |
| of #1043962) | |
| - Nix /usr/share/krb5.conf.d to reduce complexity | |
| - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not | |
| loop on principal unknown errors"). | |
| - Added "python-sphinx-latex" to the build requirements | |
| to fix build failures on F22 machines. | |
| - add an auth stack to ksu's PAM configuration so that pam_setcred() calls | |
| won't just fail | |
| - omit dependent libraries from the krb5-config --libs output, as using | |
| shared libraries (no more static libraries) makes them unnecessary and | |
| they're not part of the libkrb5 interface (patch by Rex Dieter, #240220) | |
| (strips out libkeyutils, libresolv, libdl) | |
| - update to 1.3.4 beta1 | |
| - remove MITKRB5-SA-2004-001, included in 1.3.4 | |
| - add patch to fix server-side crashes when principals have no | |
| components (CAN-2003-0072) | |
| - Fix argument order on strlcpy() in enctype_name() | |
| - Resolves: #1754369 | |
| - switch to the updated patch for MITKRB-SA-2006-001 | |
| - Fix setting of AS key in OTP preauth failure | |
| - rebuild | |
| - Be more careful asking for AS key in SPAKE client | |
| - Fix CVE-2016-3119 (NULL deref in LDAP module) | |
| - add patch to correct GSSAPI library null pointer dereference which could be | |
| triggered by malformed client requests (CVE-2010-1321, #582466) | |
| - rename the krb5-libs package to krb5 (naming a subpackage -libs when there | |
| is no main package is silly) | |
| - move defaults for PAM to the appdefaults section of krb5.conf -- this is | |
| the area where the krb5_appdefault_* functions look for settings) | |
| - disable statglue (warning: breaks binary compatibility with previous | |
| packages, but has to be broken at some point to work correctly with | |
| unpatched versions built with newer versions of glibc) | |
| - Fix kprop for propagating dump files larger than 4GB | |
| - Resolves: #2026462 | |
| - rebuild | |
| - pull the changing of the compiled-in default ccache location to | |
| DIR:/run/user/%{uid}/krb5cc back into F19, in line with SSSD and | |
| the most recent pam_krb5 build | |
| - hardcode pid file as option in krb5kdc.service | |
| - Fix hex conversion of PKINIT certid strings | |
| - configure --without-krb5-config so that we don't pull in the old default | |
| ccache name when we want to stop setting a default ccache name at configure- | |
| time | |
| - make krb5-config suppress CFLAGS output when called with --libs (#544391) | |
| - add more etypes (arcfour) to the default enctype list in kdc.conf | |
| - don't apply previous patch, refused upstream | |
| - fix the problem where the %license file has been a dangling symlink | |
| - fix broken dependency on awk (should be gawk, rdieter) | |
| - use %global instead of %define | |
| - pull up proposed patch for creating previously-not-there lock files for | |
| kdb databases when 'kdb5_util' is called to 'load' (#551764) | |
| - fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, #140036) | |
| - move /usr/kerberos/bin to end of PATH | |
| - update to beta2 | |
| - drop obsolete backports for storing KDC time offsets and expiration times | |
| in keyring credential caches | |
| - move initscript back | |
| - rebuilt | |
| - patch mkdir/rmdir problem in ftpcmd.y | |
| - add condrestart option to init script | |
| - split the server init script into three pieces and add one for kpropd | |
| - turn on NSS as the backend for libk5crypto, adding nss-devel as a build | |
| dependency when that switch is flipped | |
| - rebuild | |
| - rebuild | |
| - pull up the change to make kpasswd's behavior better match the docs | |
| when there's no ccache (#563431) | |
| - build with -fno-strict-aliasing, which is needed because the library | |
| triggers these warnings | |
| - don't forget to label principal database lock files | |
| - fix the labeling patch so that it doesn't break bootstrapping | |
| - fix double-free of enc_part2 in krb524d | |
| - rebuild on 1.1.1 | |
| - pull in patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too | |
| - Add PKINIT KDC support for freshness token | |
| - Add hostname-based ccselect module | |
| - Resolves: #1463665 | |
| - Include fixes for previous commit | |
| - Resolves: #1433083 | |
| - Fix typo of crypto-policies file in previous version | |
| - Exit with status 0 from kadmind | |
| - don't break during %check when the session keyring is revoked | |
| - update to 1.7.1 | |
| - don't trip AD lockout on wrong password (#542687, #554351) | |
| - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 | |
| - fixes gss_krb5_copy_ccache() when SPNEGO is used | |
| - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to | |
| the devel subpackage, better lining up with the expected krb5/krb5-appl | |
| split in 1.8 | |
| - drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already | |
| depends on -workstation which also includes them | |
| - New upstream release | |
| - Update names and numbers to match external git | |
| - Rebuilt for glibc bug#747377 | |
| - update to 1.2.1 | |
| - back out Tom Yu's patch, which is a big chunk of the 1.2 -> 1.2.1 update | |
| - start using the official source tarball instead of its contents | |
| - automatic rebuild | |
| - fix globbing patch port mode (#139075) | |
| - have -server require /usr/share/dict/words, which we set as the default | |
| dict_file in kdc.conf (#817089) | |
| - refresh patch for #542868 from trunk | |
| - incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) | |
| - fix incorrect call to "test" in the kadmin init script (#252322,#287291) | |
| - update to the 1.2 release | |
| - ditch a lot of our patches which went upstream | |
| - enable use of DNS to look up things at build-time | |
| - disable use of DNS to look up things at run-time in default krb5.conf | |
| - change ownership of the convert-config-files script to root.root | |
| - compress PS docs | |
| - fix some typos in the kinit man page | |
| - run condrestart in server post, and shut down in preun | |
| - back that last change out | |
| - Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ | |
| (#1225792, #1146370, #1145808) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - fix summaries and descriptions | |
| - switched the default transfer protocol from PORT to PASV as proposed on | |
| bugzilla (#16134), and to match the regular ftp package's behavior | |
| - build with -fstack-protector-all instead of the default -fstack-protector, | |
| so that we add checking to more functions (i.e., all of them) (#629950) | |
| - also link binaries with -Wl,-z,relro,-z,now (part of #629950) | |
| - add some minimal description to the top of the wrapper scripts we use | |
| when starting krb5kdc and kadmind to describe why they exist (tooling) | |
| - Fix some broken tests for Python 3 | |
| - fix for CVE-2014-5352 (#1179856) "gss_process_context_token() | |
| incorrectly frees context (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial | |
| deserialization results (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9422 (#1179861) "kadmind incorrectly | |
| validates server principal name (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9423 (#1179863) "libgssrpc server applications | |
| leak uninitialized bytes (MITKRB5-SA-2015-001)" | |
| - automated rebuild | |
| - libgssapi_krb5: backport fix for some errors which can occur when | |
| we fail to set up the server half of a context (CVE-2009-0845) | |
| - Fix configuration of default ccache name to match file indentation | |
| - drop patch to suppress key expiration warnings sent from the KDC in | |
| the last-req field, as the KDC is expected to just be configured to either | |
| send them or not as a particular key approaches expiration (#556495) | |
| - update to 1.2.8 | |
| - Remove Zanata test glue and related workarounds | |
| - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") | |
| - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh") | |
| - compile with %{?_smp_mflags} (Steve Grubb) | |
| - drop the bit where we munge part of the error table header, as it's not | |
| needed any more | |
| - incorporate a fix to teach the file labeling bits about when replay caches | |
| are expunged (#576093) | |
| - New upstream release (1.16) | |
| - No changes from beta2 | |
| - Update to krb5-1.13.2 | |
| - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 | |
| - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 | |
| - Add script processing for upcoming Zanata l10n support | |
| - Minor spec cleanup | |
| - back out this labeling change (dwalsh): | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - Full FIPS compliance | |
| - Resolves: #1754690 | |
| - backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE | |
| to talk to a KDC by using poll() if it's detected at compile-time (#701446, | |
| RT#6905) | |
| - refresh nss_wrapper and add socket_wrapper to the %check environment | |
| - update the PIC patch for iaesx86.s to not use ELF relocations to the version | |
| that landed upstream (RT#7815, #1045699) | |
| - use %{_infodir} to better comply with FHS | |
| - move .so files to -devel subpackage | |
| - tweak xinetd config files (bugs #11833, #11835, #11836, #11840) | |
| - fix package descriptions again | |
| - update to 1.6.1 | |
| - drop no-longer-needed patches for CVE-2007-0956,CVE-2007-0957,CVE-2007-1216 | |
| - drop patch for sendto bug in 1.6, fixed in 1.6.1 | |
| - automated rebuild | |
| - add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028) | |
| - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) | |
| - always #include |
|
| - enable LFS on a bunch of other 32-bit arches | |
| - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, | |
| - pull in fix to set expiration times on credentials stored in keyring | |
| credential caches (RT#7769, #1031724) | |
| - Guess Samba client mutual flag using ap_option | |
| - Resolves: #1370980 | |
| - add explicit build-time dependency on a version of keyutils that's new | |
| enough to include keyctl_get_persistent() (more of #991148) | |
| - Backport patch to fix mechglue for gss_inqure_attrs_for_mech() | |
| - apply patch from upstream to fix KDC denial of service (CVE-2010-0283, | |
| - make sure workstation servers are all disabled by default | |
| - clean up krb5server init script | |
| - ensure that the gssapi library's been initialized before walking the | |
| internal mechanism list in gss_release_oid(), needed if called from | |
| gss_release_name() right after a gss_import_name() (#198092) | |
| - update to 1.4 | |
| - v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O" | |
| flag to specify that it should communicate with the server using the older | |
| protocol | |
| - new libkrb5support library | |
| - v5passwdd and kadmind4 are gone | |
| - versioned symbols | |
| - pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass | |
| it on to krb5kdc | |
| - pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass | |
| it on to kadmind | |
| - pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass | |
| it on to krb524d *instead of* "-m" | |
| - set "forwardable" in [libdefaults] in the default krb5.conf to match the | |
| default setting which we supply for pam_krb5 | |
| - set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting the | |
| compiled-in default | |
| - Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) | |
| - Backport KCM performance enablements | |
| - Resolves: #1956388 | |
| - Remove "python-sphinx-latex" and "tar" from the build requirements | |
| to fix build failures on F22 machines. | |
| - Minor spec cleanup | |
| - fix license tag | |
| - krb5kdc init script: prototype some changes to do a quick spot-check | |
| of the TGS and kadmind keys and warn if there aren't any non-weak keys | |
| on file for them (to flush out parts of #651466) | |
| - Fix string RPC ACLs (RT#7093); CVE-2012-1012 | |
| - update to 1.9.1: | |
| - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, | |
| CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 | |
| - drop krshd patch for now | |
| - fix build failure caused by change of prototype for glibc | |
| eventfd() (#1147887) | |
| - rebuild | |
| - gcc 3.3 doesn't implement varargs.h, include stdarg.h instead | |
| - rebuild in new environment | |
| - Use standard trigger logic for krb5 snippet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Patch build by disabling failing test; will fix properly soon | |
| - merge security fixes from RHSA-2007:0095 | |
| - give a little bit more information to the user when kinit gets the catch-all | |
| I/O error (#180175) | |
| - update to 1.10 alpha 1 | |
| - on newer releases where we can assume NSS >= 3.13, configure PKINIT to build | |
| using NSS | |
| - on newer releases where we build PKINIT using NSS, configure libk5crypto to | |
| build using NSS | |
| - rename krb5-pkinit-openssl to krb5-pkinit on newer releases where we're | |
| expecting to build PKINIT using NSS instead | |
| - during %check, run check in the library and kdc subdirectories, which | |
| should be able to run inside of the build system without issue | |
| - add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469) | |
| - add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468) | |
| - amend the PIC patch for iaesx86.s to also save/restore ebx in the | |
| functions where we modify it, because the ELF spec says we need to | |
| - stop exporting kadmin keys to a keytab file when kadmind starts -- the | |
| daemon's been able to use the database directly for a long long time now | |
| - belatedly add aes128,aes256 to the default set of supported key types | |
| - fix a type mismatch in krb5_copy_error_message() | |
| - ftp: fix some odd use of strlen() | |
| - selinux labeling: use selabel_open() family of functions rather than | |
| matchpathcon(), bail on it if attempting to get the mutex lock fails | |
| - Backport certauth plugin and related pkinit changes | |
| - Allow verification of attributes on krb5.conf | |
| - Restrict pre-authentication fallback cases | |
| - rebuild | |
| - change a LINE_MAX to 1024, fix from Ken Raeburn | |
| - add fix for login vulnerability in case anyone rebuilds without krb4 compat | |
| - add tweaks for byte-swapping macros in krb.h, also from Ken | |
| - add xinetd config files | |
| - make rsh and rlogin quieter | |
| - build with debug to fix credential forwarding | |
| - add rsh as a build-time req because the configure scripts look for it to | |
| determine paths | |
| - incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922) | |
| - incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443) | |
| and MITKRB5-SA-2007-005 (CVE-2007-2798) | |
| - add documentation for the ticket_lifetime option (#561174) | |
| - add patch to fix telnetd vulnerability | |
| - try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) | |
| - Backport soft-pkcs11 testing code | |
| - Resolves: #1734158 | |
| - disable servers by default to keep linuxconf from thinking they need to be | |
| started when they don't | |
| - Use openssl's PRNG in FIPS mode | |
| - Resolves: #1663571 | |
| - add some comments to the ksu patches for the curious | |
| - re-enable optimization on alphas | |
| - Backport kdcpolicy interface | |
| - kdc.conf: default to listening for TCP clients, too (#248415) | |
| - rebuild with keyutils 1.5.8 (part of #1012043) | |
| - prereq chkconfig for the server subpackage | |
| - move the db2 kdb plugin from -server to -libs, because a multilib libkdb | |
| might need it | |
| - change the default configured encryption type for KDC databases to the | |
| compiled-in default of des3-hmac-sha1 (#57847) | |
| - grab a more-commented version of the most recent patch from upstream | |
| master | |
| - make a guess at making the 32-bit AES-NI implementation sufficiently | |
| position-independent to not require execmod permissions for libk5crypto | |
| (more of #1045699) | |
| - Process included directories in alphabetical order | |
| - backed out ncurses and makeshlib patches | |
| - update for krb5-1.1 | |
| - add KDC rotation to rc.boot, based on ideas from Michael's C version | |
| - prevent spurious EBADF in krshd when stdin is closed by the client while | |
| the command is running (#151111) | |
| - update to 1.3 | |
| - Zap data when freeing krb5_spake_factor | |
| - make krb5-server-ldap also depend on the same version-release of krb5-libs, | |
| as the other subpackages do, if only to make it clearer than it is when we | |
| just do it through krb5-server | |
| - drop explicit linking with libtinfo for applications that use libss, now | |
| that readline itself links with libtinfo (as of readline-5.2-3, since | |
| fedora 7 or so) | |
| - go back to building without strict aliasing (compiler warnings in gssrpc) | |
| - add upstream patches to fix standalone kpropd exiting if the per-client | |
| child process exits with an error (MITKRB5-SA-2011-001), a hang or crash | |
| in the KDC when using the LDAP kdb backend, and an uninitialized pointer | |
| use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, | |
| CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126) | |
| - Fix SPAKE memory leak | |
| - update to 1.12.2 | |
| - drop patch for RT#7820, fixed in 1.12.2 | |
| - drop patch for #231147, fixed as RT#3277 in 1.12.2 | |
| - drop patch for RT#7818, fixed in 1.12.2 | |
| - drop patch for RT#7836, fixed in 1.12.2 | |
| - drop patch for RT#7858, fixed in 1.12.2 | |
| - drop patch for RT#7924, fixed in 1.12.2 | |
| - drop patch for RT#7926, fixed in 1.12.2 | |
| - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 | |
| - drop patch for CVE-2014-4343, included in 1.12.2 | |
| - drop patch for CVE-2014-4344, included in 1.12.2 | |
| - drop patch for CVE-2014-4345, included in 1.12.2 | |
| - replace older proposed changes for ksu with backports of the changes | |
| after review and merging upstream (#1015559, #1026099, #1118347) | |
| - fixup URL in a comment | |
| - when built with NSS, require 3.12.10 rather than 3.12.9 | |
| - started changelog (previous package from zedz.net) | |
| - updated existing 1.0.5 RPM from Eos Linux to krb5 1.0.6 | |
| - added --force to makeinfo commands to skip errors during build | |
| - try to merge and clean up all the large file support for ftp and rcp | |
| - ftpd no longer prints a negative length when sending a large file | |
| from a 32-bit host | |
| - prefer the kdc which last replied to a request when sending requests to kdcs | |
| - Use responder for non-preauth AS requests | |
| - Resolves: #1370622 | |
| - Set error message on KCM get_princ failure | |
| - apply patch from MITKRB5-SA-2004-001 (#125001) | |
| - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) | |
| - Resolves: #1997601 | |
| - removed rpath | |
| - CVE-2024-37370 CVE-2024-37371 | |
| Fix vulnerabilities in GSS message token handling | |
| Resolves: RHEL-45398 RHEL-45386 | |
| - update to 1.3.6, which includes the previous fix | |
| - add missing dependency on newer keyutils-libs (#1012034) | |
| - pass some structures by address instead of on the stack in krb5kdc | |
| - libgssapi_krb5: properly export the acceptor subkey when creating a lucid | |
| context (Kevin Coffman, via the nfs4 mailing list) | |
| - fix bug ID in changelog | |
| - Bump release number | |
| - Fix formatting typo in kinit.1 (krb5-kinit-man-typo.patch) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update otp backport patches (libk5radius => libkrad) | |
| - if we successfully change the user's password during an attempt to get | |
| initial credentials, but then fail to get initial creds from a non-master | |
| using the new password, retry against the master (#432334) | |
| - create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user, | |
| since that's what the libraries actually look for | |
| - add buildrequires on nss-myhostname, in an attempt to get more of the tests | |
| to run properly during builds | |
| - pull in Simo's patch to recognize "client_keytab" as a key type which can | |
| be passed in to gss_acquire_cred_from() (RT#7598) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175) | |
| (#157104) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755) | |
| - kadmind.init: drop the attempt to detect no-database-present errors (#723723), | |
| which is too fragile in cases where the database has been manually moved or | |
| is accessed through another kdb plugin | |
| - backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) | |
| - Fix integer overflows in PAC parsing (CVE-2022-42898) | |
| - Resolves: rhbz#2140968 | |
| - update to 1.4.3 | |
| - make ksu setuid again (#137934, others) | |
| - Gain FIPS awareness | |
| - Resolves: #1660222 | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pull up fix for upstream #6745, in which the gssapi library would add the | |
| wrong error table but subsequently attempt to unload the right one | |
| - use gcc to build shared libraries | |
| - update to 1.11.3 | |
| - drop patch for RT#7605, fixed in this release | |
| - drop patch for CVE-2002-2443, fixed in this release | |
| - drop patch for RT#7369, fixed in this release | |
| - pull upstream fix for breaking t_skew.py by adding the patch for #961221 | |
| - Restore accidentally dropped patch | |
| - Resolves: #1754690 | |
| - Actually bump kdbversion like I was supposed to | |
| - update to 1.5 | |
| - mark %{krb5prefix}/man so that files which are packaged within it are | |
| flagged as %doc (#168163) | |
| - update to 1.2.4 | |
| - patch around TIOCGTLC defined on alpha and remove warnings from libpty.h | |
| - add installation of info docs | |
| - remove krb4 compat patch because it doesn't fix workstation-side servers | |
| - pkinit: when verifying signed data, use the CMS APIs for better | |
| interoperability (#636985, RT#6851) | |
| - update to 1.9 beta 3 | |
| - fix trigger scriptlet's invocation of sed (#1016945) | |
| - rename krb5.sh and krb5.csh so that they don't overlap (#210623) | |
| - way-late application of added error info in kadmind.init (#65853) | |
| - pull in upstream fix to start treating a KRB5CCNAME value that begins | |
| with DIR:: the same as it would a DIR: value with just one ccache file | |
| in it (RT#7172, #965574) | |
| - pull in fix from master to make reporting of errors encountered by | |
| the SPNEGO mechanism work better (RT#7045, part of #1043962) | |
| - catch krb4 send_to_kdc cases in kdc preference patch | |
| - backport change from SVN to fix a computed-value-not-used warning in | |
| kpropd (#684065) | |
| - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) | |
| - override the default build rules to not delete temporary y.tab.c files, | |
| so that they can be packaged, allowing debuginfo files which point to them | |
| to do so usefully (#729044) | |
| - backport patch to disable replay detection in krb5_verify_init_creds() | |
| while reading the AP-REQ that's generated in the same function (RT#7229) | |
| - change cleanup code in post to not tickle chkconfig | |
| - add grep as a Prereq: for -libs | |
| - drop a patch we weren't applying (build tooling) | |
| - wrap kadmind and kpropd in scripts which check for the presence/absence | |
| of files which dictate particular exit codes before exec'ing the actual | |
| binaries, instead of trying to use ConditionPathExists in the unit files | |
| to accomplish that, so that we exit with failure properly when what we | |
| expect isn't actually in effect on the system (#800343) | |
| - Eliminate preprocessor-disabled dead code | |
| - rebuilt | |
| - Fix KDC null dereference on large TGS replies | |
| - revise previous patch to initialize one more element | |
| - move the package changelog to the end to match the usual style (jdennis) | |
| - scrub out references to $RPM_SOURCE_DIR (jdennis) | |
| - include a symlink to the readme with the name LICENSE so that people can | |
| find it more easily (jdennis) | |
| - tweak configuration files used during tests to try to reduce the number | |
| of conflicts encountered when builds for multiple arches land on the same | |
| builder | |
| - Drop DES3 from sample kdc.conf | |
| - Resolves: #1802334 | |
| - Automatically add includedir where not present | |
| - Try removing sleep statement to see if it is still needed | |
| - Resolves: #1433083 | |
| - fix a regression (not labeling a kdb database lock file correctly, #569902) | |
| - Fix dependency on binfmt.service | |
| - attempt to account for UnversionedDocdirs for the -libs subpackage | |
| - tighten up default permissions on kdc.conf and kadm5.acl (#558343) | |
| - include .so.* symlinks as well as .so.*.* | |
| - rebuild | |
| - pull in upstream patch for RT#6952, confusion following referrals for | |
| cross-realm auth (#734341) | |
| - pull in build-time deps for the tests | |
| - remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of | |
| supported keytypes in kdc.conf -- they produce exactly the same keys as | |
| rc4-hmac:normal because rc4 string-to-key ignores salts | |
| - nuke kdcrotate -- there are better ways to balance the load on KDCs, and | |
| the SELinux policy for it would have been scary-looking | |
| - update to 1.3.5, mainly to include MITKRB5SA 2004-002 and 2004-003 | |
| - cut down the number of times we load SELinux labeling configuration from | |
| a minimum of two times to actually one (more of #845125) | |
| - update to 1.9 beta 2 | |
| - remove the krb5-appl bits (the -workstation-clients and -workstation-servers | |
| subpackages) now that krb5-appl is its own package | |
| - replace our patch for #563431 (kpasswd doesn't fall back to guessing your | |
| principal name using your user name if you don't have a ccache) with the | |
| one upstream uses | |
| - broke out configuration files | |
| - Fix pkinit_anchors path | |
| - Resolves: #1661339 | |
| - actually pull up the patch for RT#7063, and not some other ticket (#773496) | |
| - temporarily back out %post changes, fix for #143289 for security update | |
| - add preliminary patch to correct unauthorized access via krb5-aware telnet | |
| - Document -k option in kvno(1) synopsis | |
| - Resolves: #1869055 | |
| - Tom Yu's patch to fix compatibility between 1.2 kadmin and 1.1.1 kadmind | |
| - pull out 6.2 options in the spec file (sonames changing in 1.2 means it's not | |
| compatible with other stuff in 6.2, so no need) | |
| - Disable dns_canonicalize_hostname. This may break some setups. | |
| - pull down patches from trunk to implement k5login_authoritative and | |
| k5login_directory settings for krb5.conf (#539423) | |
| - Set error message on KCM get_princ failure | |
| - fix an uninitialized length value which could cause a crash when parsing | |
| key data coming from a directory server | |
| - correct a typo in the krb5.conf man page ("ldap_server"->"ldap_servers") | |
| - Log preauth names in trace output | |
| - Misc bugfixes from upstream | |
| - build alpha with -O0 for now | |
| - create and own /etc/gss (#1019937) | |
| - update to 1.12.1 | |
| - drop patch for RT#7794, included now | |
| - drop patch for RT#7797, included now | |
| - drop patch for RT#7803, included now | |
| - drop patch for RT#7805, included now | |
| - drop patch for RT#7807, included now | |
| - drop patch for RT#7045, included now | |
| - drop patches for RT#7813 and RT#7815, included now | |
| - add patch to always retrieve the KDC time offsets from keyring caches, | |
| so that we don't mistakenly interpret creds as expired before their | |
| time when our clock is ahead of the KDC's (RT#7820, #1030607) | |
| - don't forget the README | |
| - handle an assertion failure that starts cropping up when the patch for | |
| using poll (#701446) meets servers that aren't running KDCs or against | |
| which the connection fails for other reasons (#727829, #734172) | |
| - start moving to 1.9 with beta 1 | |
| - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 | |
| - drop no-longer-needed backport patch for #539423 | |
| - drop no-longer-needed patch for CVE-2010-1322 | |
| - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) | |
| - pull patch from svn to undo unintentional chattiness in ftp | |
| - pull patch from svn to handle NULL krb5_get_init_creds_opt structures | |
| better in a couple of places where they're expected | |
| - add patch from Dhiru Kholia for the AES-NI implementations to allow | |
| libk5crypto to be properly marked as not needing an executable stack | |
| on arches where they're used (#1045699, and so many others) | |
| - fix a compile error in the SELinux labeling patch when -DDEBUG is used (Sumit | |
| Bose) | |
| - correct a bug in the fix for #754001 so that the file creation context is | |
| consistently reset | |
| - Fix CVE-2016-3120 | |
| - Resolves: #1361051 | |
| - Remove incorrect KDC assertion | |
| - Resolves: #1673016 | |
| - incorporate upstream patch to fix uninitialized pointer crash in the KDC's | |
| authorization data handling (CVE-2010-1322, #636335) | |
| - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 | |
| - Log when non-root ksu authorization fails | |
| - Resolves: #1575771 | |
| - set "rdns = false" in the default krb5.conf (#908323,#908324) | |
| - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) | |
| - Resolves: #1906492 | |
| - Address some optimized-out memset() calls | |
| - Resolves: #1663503 | |
| - make krb5.conf %verify(not md5 size mtime) in addition to | |
| %config(noreplace), like /etc/nsswitch.conf (#329811) | |
| - throw in a not-applied-by-default patch to try to make pkinit debugging | |
| into a run-time boolean option named "pkinit_debug" | |
| - pull in multiple changes to allow replay caches to be added to a GSS | |
| credential store as "rcache"-type credentials (RT#7818/#7819/#7836, | |
| - add missing pam-devel build requirement, force selinux-or-fail build | |
| - Explicitly use openssl rather than builtin crypto | |
| - Resolves: #1570910 | |
| - libkrad: implement support for Message-Authenticator (CVE-2024-3596) | |
| Resolves: RHEL-50253 | |
| - Remove RSA protocol for PKINIT | |
| Resolves: RHEL-17616 | |
| - in login, allow PAM to interact with the user when they've been strongly | |
| authenticated | |
| - in login, signal PAM when we're changing an expired password that it's an | |
| expired password, so that when cracklib flags a password as being weak it's | |
| treated as an error even if we're running as root | |
| - add patches for read overflow and null pointer dereference in the | |
| implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) | |
| - add patch for attempt to free uninitialized pointer in libkrb5 | |
| (CVE-2009-0846) | |
| - add patch to fix length validation bug in libkrb5 (CVE-2009-0847) | |
| - put the krb5-user .info file into just -workstation and not also | |
| -workstation-clients | |
| - backport a fix to allow a PKINIT client to handle SignedData from a KDC | |
| that's signed with a certificate that isn't in the SignedData, but which | |
| is available as an anchor or intermediate on the client (RT#7183) | |
| - take another stab at accounting for UnversionedDocdirs for the -libs | |
| subpackage (spotted by ssorce) | |
| - switch to just the snapshot of nss_wrapper we were using, since we | |
| no longer need to carry anything that isn't in the cwrap.org repository | |
| (ssorce) | |
| - fix bug in krb5.csh which would cause the path check to always succeed | |
| - rebuild | |
| - pull up changes to allow GSSAPI modules to provide more functions | |
| (RT#7682, #986564/#986565) | |
| - add buildprereq for autoconf | |
| - adjust the patch which removes the use of rpath to also produce a | |
| krb5-config which is okay in multilib environments (#190118) | |
| - make the name-of-the-tempfile comment which compile_et adds to error code | |
| headers always list the same file to avoid conflicts on multilib installations | |
| - strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes | |
| - strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on multilib | |
| boxes | |
| - drop netdb patch | |
| - kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that | |
| the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora, | |
| Netscape, Red Hat Directory Server (Simo Sorce) | |
| - Ensure we can build with the new CFLAGS | |
| - Remove the git versioning in patches | |
| - gssapi: pull in proposed fix for a double free in initiators (David | |
| Woodhouse, CVE-2014-4343, #1117963) | |
| - enable patch for key-expiration reporting | |
| - enable patch to make kpasswd fall back to TCP if UDP fails (#251206) | |
| - enable patch to make kpasswd use the right sequence number on retransmit | |
| - enable patch to allow mech-specific creds delegated under spnego to be found | |
| when searching for creds | |
| - pull up latest revision of patch to reduce lockups in rsh/rshd | |
| - Turn OFD locks back on with glibc workaround | |
| - Resolves: #1274922 | |
| - Backport fix of memory use after free during libkrad cleanup | |
| - Backport support for larger RADIUS attributes in libkrad | |
| - Resolves: rhbz#2103125 | |
| - New upstream prerelease (1.16-beta1) | |
| - put the conditional back for the -devel subpackage | |
| - back down to the earlier version of the patch for #551764; the backported | |
| alternate version was incomplete | |
| - update to 1.11 alpha 1 | |
| - drop backported patch for RT #7406 | |
| - drop backported patch for RT #7407 | |
| - drop backported patch for RT #7408 | |
| - the new docs system generates PDFs, so stop including them as sources | |
| - drop backported patch to allow deltat.y to build with the usual | |
| warning flags and the current gcc | |
| - drop backported fix for disabling use of a replay cache when verifying | |
| initial credentials | |
| - drop backported fix for teaching PKINIT clients which trust the KDC's | |
| certificate directly to verify signed-data messages that are signed with | |
| the KDC's certificate, when the blobs don't include a copy of the KDC's | |
| certificate | |
| - drop backported patches to make keytab-based authentication attempts | |
| work better when the client tells the KDC that it supports a particular | |
| cipher, but doesn't have a key for it in the keytab | |
| - drop backported fix for avoiding spurious clock skew when a TGT is | |
| decrypted long after the KDC sent it to the client which decrypts it | |
| - move the cross-referenced HTML docs into the -libs package to avoid | |
| broken internal links | |
| - drop patches to fixup paths in man pages, shouldn't be needed any more | |
| - build even libdb.a with -fPIC and $RPM_OPT_FLAGS. | |
| - add bison as a BuildPrereq (#20091) | |
| - rebuild | |
| - incorporate Simo's updated backport of his updated persistent-keyring changes | |
| (more of #991148) | |
| - Fix custom build with -DDEBUG | |
| - added -lncurses to telnet and telnetd makefiles | |
| - update to 1.2.6 | |
| - New upstream release | |
| - Update selinux with RHEL hygiene | |
| - Resolves: #1314096 | |
| - fix combination of --with-netlib and --enable-dns (#82176) | |
| - apply upstream patch to fix a null pointer dereference when processing | |
| TGS requests (CVE-2011-1530, #753748) | |
| - use %{_lib} for the sake of multilib systems | |
| - tell krb5kdc and kadmind to create pid files, since they can | |
| - add logrotate configuration files for krb5kdc and kadmind (#462658) | |
| - fix parsing of the pidfile option in the KDC (upstream #6750) | |
| - fix credential forwarding problem in klogind (goof in KRB5CCNAME handling) | |
| (#11588) | |
| - fix heap corruption bug in FTP client (#14301) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix reading of keyUsage extensions when attempting to select pkinit client | |
| certs (part of #629022, RT#6775) | |
| - fix selection of pkinit client certs when one or more don't include a | |
| subjectAltName extension (part of #629022, RT#6774) | |
| - update to 1.10 final | |
| - correctly use stdargs | |
| - Add send/receive sendto_kdc hooks and corresponding tests | |
| - Resolves: #1321135 | |
| - add in glue code to make sure that libkrb5 continues to provide a | |
| weak copy of stat() | |
| - Make krb5kdc -p affect TCP ports | |
| - fix license handling | |
| - specify dependencies on the same arch of krb5-libs by using the %{?_isa} | |
| suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155) | |
| - Switch to using autosetup macro. | |
| - Patches come from git, so it is easiest to just make a git repo | |
| - Add build dependency on gcc | |
| - check more thoroughly for errors when resolving KEYRING ccache names of type | |
| "persistent", which should only have a numeric UID as the next part of the | |
| name (#1029110) | |
| - Skip test suite on ppc64el | |
| - Related-to: #1464381 | |
| - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer | |
| when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, | |
| - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when | |
| high-numbered descriptors are used (CVE-2008-0947, #433596) | |
| - add backport bug fix for an attempt to free non-heap memory in | |
| libgssapi_krb5 (CVE-2007-5901, #415321) | |
| - add backport bug fix for a double-free in out-of-memory situations in | |
| libgssapi_krb5 (CVE-2007-5971, #415351) | |
| - move the compiled-in default ccache location from the previous default of | |
| FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588) | |
| - fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials | |
| - Add support for start_realm cache config | |
| - Resolves: #1901195 | |
| - apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02) | |
| - Support PAC with KDC extended signature and without ticket signature | |
| - Resolves: rhbz#2169477 | |
| - Pass gss_localname() through SPNEGO | |
| - Resolves: #1802334 | |
| - add patch to support "ANY" keytab type (i.e., | |
| "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" | |
| patch from Gerald Britton, #42551) | |
| - build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697) | |
| - patch ftpd to use long long and %lld format specifiers to support the SIZE | |
| command on large files (also #30697) | |
| - don't use LOG_AUTH as an option value when calling openlog() in ksu (#45965) | |
| - implement reload in krb5kdc and kadmind init scripts (#41911) | |
| - lose the krb5server init script (not using it any more) | |
| - gssapi: pull in upstream fix for a possible NULL dereference | |
| in spnego (CVE-2014-4344) | |
| - remove libdefault ticket_lifetime option from the default krb5.conf, it is | |
| ignored by libkrb5 | |
| - update to 1.11 release | |
| - suppress warnings of impending password expiration if expiration is more than | |
| seven days away when the KDC reports it via the last-req field, just as we | |
| already do when it reports expiration via the key-expiration field (#556495) | |
| - link with libtinfo rather than libncurses, when we can, in future RHEL | |
| - reintroduce ld.so.conf munging in the -libs %post | |
| - ksu: move session management calls to before we drop privileges, like | |
| su does (#596887), and don't skip the PAM account check for root or the | |
| same user (more of #540769) | |
| - Update tmpfiles dropin to use /run instead of /var/run | |
| - Resolves: #1945679 | |
| - only remove old krb5server init script links if the init script is there | |
| - disable kshell and eklogin by default | |
| - update to 1.3.1 | |
| - Continue after KRB5_CC_END in KCM cache iteration | |
| - update to 1.4.1, incorporating fixes for CAN-2005-0468 and CAN-2005-0469 | |
| - when starting the KDC or kadmind, if KRB5REALM is set via the /etc/sysconfig | |
| file for the service, pass it as an argument for the -r flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Convert Python tests to Python 3 | |
| - make krb5-libs obsolete the old krb5-configs package (#18351) | |
| - don't quit from the kpropd init script if there's no principal database so | |
| that you can propagate the first time without running kpropd manually | |
| - don't complain if /etc/ld.so.conf doesn't exist in the -libs %post | |
| - change back dns_lookup_kdc to the default setting (Stef Walter, #805318) | |
| - comment out example.com examples in default krb5.conf (Stef Walter, #805320) | |
| - update to 1.9 final | |
| - Fix leak of default credentials in gss_inquire_cred() | |
| Resolves: RHEL-32258 | |
| - move condrestarts to postun | |
| - make xinetd configs noreplace | |
| - add descriptions to xinetd configs | |
| - add /etc/init.d as a prereq for the -server package | |
| - patch to properly truncate $TERM in krlogind | |
| - update to 1.11 beta 2 | |
| - move the default acl_file, dict_file, and admin_keytab settings to | |
| the part of the default/example kdc.conf where they'll actually have | |
| an effect (#236417) | |
| - New upstream release | |
| - pull fix for non-compliant encoding of salt field in etype-info2 preauth | |
| data from 1.3.1 beta 1, until 1.3.1 is released. | |
| - Make docs build python3-compatible | |
| - Resolves: #1590928 | |
| - when removing -workstation, remove our files from the info index while | |
| the file is still there, in %preun, rather than %postun, and use the | |
| compressed file's name (#801035) | |
| - add and own %{_libdir}/krb5/plugins/authdata | |
| - patch to handle truncated dns responses | |
| - ksu: move account management checks to before we drop privileges, like | |
| su does (#540769) | |
| - selinux: set the user part of file creation contexts to match the current | |
| context instead of what we looked up | |
| - configure with --enable-dns-for-realm instead of --enable-dns, which isn't | |
| recognized any more | |
| - remove hesiod dependency at build-time | |
| - New upstream version (1.17) | |
| - Resolves: #1645594 | |
| - rebuild with OpenSSL 1.1.0, added backported upstream patch | |
| - add upstream patch to fix freeing an uninitialized pointer and dereferencing | |
| another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 | |
| and CVE-2012-1015, #844779 and #844777) | |
| - fix a thinko in whether or not we mess around with devel .so symlinks on | |
| systems without a separate /usr (sbose) | |
| - use portreserve correctly -- portrelease takes the basename of the file | |
| whose entries should be released, so we need three files, not one | |
| - update to 1.11.4 | |
| - drop patch for RT#7650, obsoleted | |
| - drop patch for RT#7706, obsoleted as RT#7723 | |
| - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 | |
| - update to 1.6.2 | |
| - add "buildrequires: texinfo-tex" to get texi2pdf | |
| - Update otp patches | |
| - Merge otp patches into a single patch | |
| - Add keycheck patch | |
| - fix telnet client environment variable disclosure the same way NetKit's | |
| telnet client did (CAN-2005-0488) (#159305) | |
| - keep apps which call krb5_principal_compare() or krb5_realm_compare() with | |
| malformed or NULL principal structures from crashing outright (Thomas Biege) | |
| (#161475) | |
| - add patch for buffer overflow in kadmind4 (not used by default) | |
| - make proper use of pam_loginuid and pam_selinux in rshd and ftpd | |
| - rebuild to compress man pages. | |
| - Match Heimdal behavior for channel bindings | |
| - Code hygiene + test stability fix included | |
| - Resolves: #1840518 | |
| - incorporate Simo's backport of his persistent-keyring changes (#991148) | |
| - restore build-time default DEFCCNAME on Fedora 21 and later and EL, and | |
| instead set default_ccache_name in the default krb5.conf's [libdefaults] | |
| section (#991148) | |
| - on releases where we expect krb5.conf to be configured with a | |
| default_ccache_name, add it whenever we upgrade from an older version of | |
| the package that wouldn't have included it in its default configuration | |
| file (#991148) | |
| - fix indexing error in server sorting patch (#127336) | |
| - Allow to make AD-SIGNEDPATH optional | |
| Resolves: RHEL-10514 | |
| - Bump 1%{?dist} to 2%{?dist} to workaround RPM sort issue | |
| which would lead yum updates to treat the last alpha as newer | |
| than the final version. | |
| - added krb5.csh and krb5.sh to /etc/profile.d | |
| - update to 1.2.7 | |
| - disable use of tcl | |
| - increase the maximum name length allowed by kuserok() to the higher value | |
| used in development versions | |
| - New upstream version 1.14.3 | |
| - fix a null pointer dereference and crash introduced in our PAM patch that | |
| would happen if ftpd was given the name of a user who wasn't known to the | |
| local system, limited to being triggerable by gssapi-authenticated clients by | |
| the default xinetd config (Olivier Fourdan, #569472) | |
| - run kadmin.local correctly at startup | |
| - don't let comments intended for one scriptlet become part of the "script" | |
| that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675) | |
| - add upstream patch for integer underflow during AES and RC4 decryption | |
| (CVE-2009-4212), via Tom Yu (#545015) | |
| - fix pid path in krb5kdc.service | |
| - update backport of the preauth module interface | |
| - extend PAM support to ksu: perform account and session management for the | |
| target user | |
| - pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware | |
| network-facing services | |
| - when testing the RPC library, treat denials from the local portmapper the | |
| same as a portmapper-not-running situation, to allow other library tests | |
| to be run while building the package | |
| - Switch to %ldconfig_scriptlets | |
| - fix the kpropd init script | |
| - Fix a leak in the previous commit | |
| - Restore dist macro that was accidentally removed | |
| - Resolves: #1540939 | |
| - Enable building with bad system /etc/krb5.conf | |
| - reintroduce missing %postun for the non-split_workstation case | |
| - rebuild to pick up the current forms of various patches | |
| - fix a typo in kerberos.ldif | |
| - remove patch to set TERM in klogind which, combined with the upstream fix in | |
| 1.3.1, actually produces the bug now (#114762) | |
| - only apply the patch to autocreate /run/user/0 when we're hard-wiring the | |
| default ccache location to be under it; otherwise it's unnecessary | |
| - add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653) | |
| - change Requires: for/in subpackages to include %{version} | |
| - apply the fix for CVE-2007-4000 instead of the experimental patch for | |
| setting ok-as-delegate flags | |
| - override INSTALL_SETUID at build-time so that ksu is installed into | |
| the buildroot with the right permissions (part of #225974) | |
| - add man pages for kerberos(1), kvno(1), .k5login(5) | |
| - add kvno to -workstation | |
| - move man pages that live in the -libs subpackage into the regular | |
| %{_mandir} tree where they'll still be found if that package is the | |
| only one installed (#529319) | |
| - Separate out the kadm5 libs | |
| - rebuild in new environment | |
| - reenable statglue | |
| - New upstream version (1.18.1) | |
| - Resolves: #1802334 | |
| - Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) | |
| - move to using pregenerated PDF docs to cure multilib conflicts (#222721) | |
| - bump release number and rebuild | |
| - switch buildrequires: and requires: on e2fsprogs-devel into | |
| buildrequires: and requires: on libss-devel, libcom_err-devel, per | |
| sandeen on fedora-devel-list | |
| - don't discard the error code from an error message received in response | |
| to a change-password request (#658871, RT#6893) | |
| - install src/krb524/README as README.krb524 in the -servers package, | |
| includes information about converting for AFS principals | |
| - update a test wrapper to properly handle things that the new libkrad does, | |
| and add python-pyrad as a build requirement so that we can run its tests | |
| - pull in patch for RT#7046: tag a ccache containing credentials obtained via | |
| S4U2Proxy with the principal name of the proxying principal (part of #761317) | |
| so that the default principal name can be set to that of the client for which | |
| it is proxying, which results in the ccache looking more normal to consumers | |
| of the ccache that don't care that there's proxying going on | |
| - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached | |
| (more of #761317) | |
| - pull in patch for RT#7048: allow PAC verification to only bother trying to | |
| verify the signature with keys that it's given (still more of #761317) | |
| - fix comments in krb5-configs | |
| - Add German translation | |
| - Up-port a bunch of stuff from the el-7.3 cycle | |
| - Resolves: #1255450, #1314989 | |
| - update to 1.3.4 final | |
| - Include more test suite changes from upstream | |
| - Resolves: #1464381 | |
| - rebuild in new environment | |
| - prebuild PDF docs to reduce multilib differences (internal tooling, #884065) | |
| - drop the kerberos-iv portreserve file, and drop the rest on systemd systems | |
| - escape uses of macros in comments (more of #884065) | |
| - update to 1.3.3 | |
| - rebuild | |
| - also perform PAM session and credential management when ftpd accepts a | |
| client using strong authentication, missed earlier | |
| - also label kadmind log files and files created by the db2 plugin | |
| - Fix problem with ccache_name logic in previous build | |
| - tweak graceful start/stop logic in post and preun | |
| - Add kprop service env config file | |
| - simplify the man pages patch by only preprocessing the files we care about | |
| and moving shared configure.in logic into a shared function | |
| - catch the case of ftpd printing file sizes using %i, when they might be | |
| bigger than an int now | |
| - pull the newer F21 defaults back to F20 (sgallagh) | |
| - bump again for double-long bug on ppc(64) | |
| - pull in fix for building against tcl 8.6 (#1107061) | |
| - update to latest patch kit for MITKRB5-SA-2003-004 | |
| - rebuild | |
| - add patch from Tom Yu for exploitable bugs in rpc code used in kadmind | |
| - install kadmin header files | |
| - Add upstream lookaside cache behavior fix (RT#7082) | |
| - Patch CVE-2015-2698 | |
| - Start using crypto-policies | |
| - Move krb5-kdb-version provides from -libs to -devel | |
| - pull in keyutils as a build requirement to get the "KEYRING:" ccache type, | |
| because we've merged | |
| - update to 1.3.2 | |
| - Save other programs from worrying about CVE-2017-11462 | |
| - Resolves: #1488873 | |
| - Resolves: #1488874 | |
| - switch to the upstream patch for #707145 | |
| - switch to the simplified version of the patch for #1029110 (RT#7764) | |
| - ftp: use the correct local filename during mget when the 'case' option is | |
| enabled (#442713) | |
| - Ensure pwsize is initialized in chpass_util.c | |
| - use PICFLAGS when building code from the ktany patch | |
| - don't bail from the KDC init script if there's no database, it may be in | |
| a different location than the default (fenlason) | |
| - remove the [kdc] section from the default krb5.conf -- doesn't seem to have | |
| been applicable for a while | |
| - pull in patch from master to move the default directory which the KDC uses | |
| when computing the socket path for a local OTP daemon from the database | |
| directory (/var/kerberos/krb5kdc) to the newly-added run directory | |
| (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more | |
| of #1040056 as #1063905) | |
| - add a tmpfiles.d configuration file to have /run/krb5kdc created at | |
| boot-time | |
| - own /var/run/krb5kdc | |
| - add missing shebang headers to krsh and krlogin wrapper scripts (#209238) | |
| - libgssapi: pull in patch from svn to stop returning context-expired errors | |
| when the ticket which was used to set up the context expires (#605366, | |
| upstream #6739) | |
| - pull in changes from upstream which add processing of the contents of | |
| /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) | |
| - update to 1.8 | |
| - temporarily bundling the krb5-appl package (split upstream as of 1.8) | |
| until its package review is complete | |
| - profile.d scriptlets are now only needed by -workstation-clients | |
| - adjust paths in init scripts | |
| - drop upstreamed fix for KDC denial of service (CVE-2010-0283) | |
| - drop patch to check the user's password correctly using crypt(), which | |
| isn't a code path we hit when we're using PAM | |
| - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part | |
| of #819115) | |
| - rebase to master | |
| - update to beta1 | |
| - drop obsolete backport of fix for RT#7706 | |
| - rebuild | |
| - Remove duplication between subpackages | |
| - Resolves: #1250228 | |
| - fix deadlock during file transfer via rsync/krsh | |
| - thanks goes to James Antill for hint | |
| - Add krb5_db_register_keytab | |
| - Resolves: #1376812 | |
| - Fix capaths "." values on client | |
| - Resolves: 1551099 | |
| - Upstream release. No actual change from beta, just version bump | |
| - Clean up unused parts of spec file | |
| - Add fix for RedHat Bug #1164304 ("Upstream unit tests loads | |
| the installed shared libraries instead the ones from the build") | |
| - login: don't truncate passwords before passing them into crypt(), in | |
| case they're significant (#149476) | |
| - Add support to query the SSF of a context | |
| - Pick up rename of perl dependency | |
| - drop a hunk from the dnsparse patch which is actually redundant (thanks to | |
| Tom Yu) | |
| - fix double-close in keytab handling | |
| - add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612) | |
| - back out setting default_ccache_name to the new default for now, resetting | |
| it to the old default while the kernel/keyutils bits get sorted (sgallagh) | |
| - rebuild | |
| - incorporate upstream patch for remote crash of KDCs which serve multiple | |
| realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, | |
| - Add SPAKE support | |
| - Improve protections on internal sensitive buffers | |
| - Improve internal hex encoding/decoding | |
| - Fix k5test prompts for Python 3 | |
| - make use of install-info more failsafe (Ville Skyttä, #223704) | |
| - preserve timestamps on shell scriptlets at %install-time | |
| - Backport fix for change password requests when using FAST (RT#7868) | |
| - Make klogind pass a clean environment to children, like NetKit's rlogind does. | |
| - on EL6, conflict with libsmbclient before 3.5.10-124, which is when it | |
| stopped linking with a symbol which we no longer export (#771687) | |
| - pull up patch for RT#7063, in which not noticing a prompt for a long | |
| time throws the client library's idea of the time difference between it | |
| and the KDC really far out of whack (#773496) | |
| - add a backport of more patches to set the client's list of supported enctypes | |
| when using a keytab to be the list of types of keys in the keytab, plus the | |
| list of other types the client supports but for which it doesn't have keys, | |
| in that order, so that KDCs have a better chance of being able to issue | |
| tickets with session keys of types that the client can use (#837855) | |
| - use portreserve to make sure the KDC can always bind to the kerberos-iv | |
| port, kpropd can always bind to the krb5_prop port, and that kadmind can | |
| always bind to the kerberos-adm port (#555279) | |
| - correct inadvertent use of macros in the changelog (rpmlint) | |
| - update backport of the preauth module interface | |
| - add proposed patches 4566, 4567 | |
| - add proposed edata reporting interface for KDC | |
| - add temporary placeholder for module global context fixes | |
| - Unify kvno option documentation | |
| - Resolves: #1869055 | |
| - Don't enable the server by default. | |
| - Compress info pages. | |
| - Add defaults for the PAM module to krb5.conf | |
| - rebuild properly when pthread_mutexattr_setrobust_np() is defined but not | |
| declared, such as with recent glibc when _GNU_SOURCE isn't being used | |
| - Use SHA-256 instead of MD5 for audit ticket IDs | |
| - New upstream release - 1.16.1 | |
| - update to 1.2.7-beta2 (internal only, not for release), dropping dnsparse | |
| and kadmind4 fixes | |
| - Backport getrandom() support | |
| - Remove patch numbering | |
| - fix link flags and permissions on shared libraries (ausil) | |
| - update to 1.2.2, which fixes some bugs relating to empty ETYPE-INFO | |
| - re-enable optimization on Alpha | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - tweak statglue.c to fix stat/stat64 aliasing problems | |
| - be cleaner in use of gcc to build shlibs | |
| - rebuild | |
| - fix a logic bug in computing key expiration times (RT#6762, #627022) | |
| - Backport kdc policy plugin, but this time with dependencies | |
| - move the rather large pile of html and pdf docs to -workstation, so | |
| that just having something that links to the libraries won't drag | |
| them onto a system, and we avoid having to sort out hard-coded paths | |
| that include %{_libdir} showing up in docs in multilib packages | |
| - actually create %{_var}/kerberos/kdc/user, so that it can be packaged | |
| - correct the list of packaged man pages | |
| - don't dummy up required tex stylesheets, require them | |
| - require pdflatex and makeindex | |
| - switch to the version of persistent-keyring that was just merged to | |
| master (RT#7711), along with related changes to kinit (RT#7689) | |
| - go back to setting default_ccache_name to a KEYRING type | |
| - add patch to build semi-useful static libraries, but don't apply it unless | |
| we need them | |
| - update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 | |
| and CVE-2007-4000 (the new pkinit module is built conditionally and goes | |
| into the -pkinit-openssl package, at least for now, to make a buildreq | |
| loop with openssl avoidable) | |
| - Work around KDC client principal in referrals issue (#1259844) | |
| - pass absolute path to kadm5.keytab if/when extracting keys at startup | |
| - add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325) | |
| - kdc.conf: no more need to suggest keeping keys with v4-compatible salting | |
| - kadmin.service: fix #723723 again | |
| - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command | |
| lines, because systemd parsing doesn't handle alternate value shell variable | |
| syntax | |
| - kprop.service: add missing Type=forking so that systemd doesn't assume simple | |
| - kprop.service: expect the ACL configuration to be there, not absent | |
| - handle a harder-to-trigger assertion failure that starts cropping up when we | |
| exit the transmit loop on time (#739853) | |
| - update backport of the preauth module interface (part of #194654) | |
| - rebuild | |
| - don't forget to set the SELinux label when creating the directory for | |
| a DIR: ccache | |
| - pull in proposed fix for attempts to get initial creds, which end up | |
| following referrals, incorrectly trying to always use master KDCs if | |
| they talked to a master at any point (should fix RT#7650) | |
| - Hammer refresh around transient rawhide issue | |
| - special-case /run/user/0, attempting to create it when resolving a | |
| directory cache below it fails due to ENOENT and we find that it doesn't | |
| already exist, either, before attempting to create the directory cache | |
| (maybe helping, maybe just making things more confusing for #961235) | |
| - fix a version comparison to expect newer texlive build requirements when | |
| %{_rhel} > 6 rather than when it's > 7 | |
| - apply upstream patch to fix a null pointer dereference with the LDAP kdb | |
| backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb | |
| backends (CVE-2011-1528), and a null pointer dereference with multiple kdb | |
| backends (CVE-2011-1529) (#737711) | |
| - turn off krb4 support (it won't be part of the 1.7 release, but do it now) | |
| - use triggeruns to properly shut down and disable krb524d when -server and | |
| -workstation-servers gets upgraded, because it's gone now | |
| - move the libraries to /%{_lib}, but leave --libdir alone so that plugins | |
| get installed and are searched for in the same locations (#473333) | |
| - clean up buildprereq/prereqs, explicit mktemp requires, and add the | |
| ldconfig for the -server-ldap subpackage (part of #225974) | |
| - escape possible macros in the changelog (part of #225974) | |
| - fixup summary texts (part of #225974) | |
| - take the execute bit off of the protocol docs (part of #225974) | |
| - unflag init scripts as configuration files (part of #225974) | |
| - make the kpropd init script treat 'reload' as 'restart' (part of #225974) | |
| - switch to the upstream patch for #727829 | |
| - Update includedir processing to match upstream | |
| - New upstream beta version | |
| - klist: don't trip over referral entries when invoked with -s (#707145, | |
| RT#6915) | |
| - krb5_get_init_creds_password: check opte->flags instead of options->flags | |
| when checking whether or not we get to use the prompter callback (#555875) | |
| - add upstream patch for KDC crash during referral processing (CVE-2009-3295), | |
| via Tom Yu (#545002) | |
| - update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and | |
| MIT-KRB5-SA-2005-003 | |
| - re-enable large file support, fell out in 1.3-1 | |
| - patch rcp to use long long and %lld format specifiers when reporting file | |
| sizes on large files | |
| - backport fix for not being able to verify the list of transited realms | |
| in GSS acceptors (RT#7639, #959685) | |
| - backport fix for not being able to pass an empty password to the | |
| get-init-creds APIs and have them actually use it (RT#7642, #960001) | |
| - add backported proposed fix to use the unauthenticated server time | |
| as the basis for computing the requested credential expiration times, | |
| rather than the client's idea of the current time, which could be | |
| significantly incorrect (#961221) | |
| - fix segfault in telnet due to incorrect checking of gethostbyname_r result | |
| codes (#129059) | |
| - Omit KDC indicator check for S4U2Self requests | |
| - Resolves: #1802334 | |
| - add backport of in-development preauth module interface (#208643) | |
| - New upstream release | |
| - Add flag to disable encrypted timestamp on client | |
| - Replace _kadmin/_kprop with systemd macros | |
| - Remove traces of upstart from fedora package per policy | |
| - Resolves: #1290185 | |
| - Fix leak in KERB_AP_OPTIONS_CBT server support | |
| - Resolves: #1860831 | |
| - Fix KDC return code and set prompt types for OTP client preauth | |
| - Resolves: #1370072 | |
| - back out buildrequires: keyutils-libs-devel for now | |
| - Fix memory leak in GSSAPI interface | |
| Resolves: RHEL-27250 | |
| - Fix memory leak in PMAP RPC interface | |
| Resolves: RHEL-27244 | |
| - Make TCP waiting time configurable | |
| Resolves: RHEL-17131 | |
| - rebuild | |
| - Backport interposer fix (#1284985) | |
| - Drop workaround pwsize initialization patch (gcc has been fixed) | |
| - apply upstream patch by way of Burt Holzman to fall back to a non-referral | |
| method in cases where we might be derailed by a KDC that rejects the | |
| canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074) | |
| - Fix RC4 blocking in FIPS mode | |
| - Resolves: #1660222 | |
| - rebuild | |
| - own the directories which are created for each package (#26342) | |
| - Update backports of certauth and corresponding test | |
| - rework file labeling patch to not depend on fragile preprocessor trickery, | |
| in another attempt at fixing #428355 and friends | |
| - provide docs in PDF format instead of as tex source (Enrico Scholz, #209943) | |
| - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating | |
| using the old protocol over IPv4 again (RT#6920) | |
| - update to 1.8.2 | |
| - drop patches for CVE-2010-1320, CVE-2010-1321 | |
| - Bump release + rebuild. | |
| - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared | |
| libraries | |
| - and put it back in | |
| - drop patch to add additional access() checks to ksu - they add to breakage | |
| when non-FILE: caches are in use (#1026099), shouldn't be resulting in any | |
| benefit, and clash with proposed changes to fix its cache handling | |
| - Fix upstream URLs in spec file | |
| - Resolves: #1868039 | |
| - Fix flaws in LDAP DN checking | |
| - CVE-2018-5729, CVE-2018-5730 | |
| - Ignore bad enctypes in krb5_string_to_keysalts() | |
| - Resolves: #1858322 | |
| - update to 1.7 | |
| - no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS | |
| - configure recognizes --enable/--disable-pkinit now | |
| - configure can take --disable-rpath now | |
| - no more libdes425, krb524d, krb425.info | |
| - kadmin/k5srvutil/ktutil are user commands now | |
| - new kproplog | |
| - FAST encrypted-challenge plugin is new | |
| - drop static build logic | |
| - drop pam_krb5-specific configuration from the default krb5.conf | |
| - drop only-use-v5 flags being passed to various things started by xinetd | |
| - put %{krb5prefix}/sbin in everyone's path, too (#504525) | |
| - add patch based on one from Filip Krska to not call poll() with a negative | |
| timeout when the caller's intent is for us to just stop calling it (#838548) | |
| - fix for CVE-2015-2694 (#1216133) "requires_preauth bypass | |
| in PKINIT-enabled KDC". | |
| In MIT krb5 1.12 and later, when the KDC is configured with | |
| PKINIT support, an unauthenticated remote attacker can | |
| bypass the requires_preauth flag on a client principal and | |
| obtain a ciphertext encrypted in the principal's long-term | |
| key. This ciphertext could be used to conduct an off-line | |
| dictionary attack against the user's password. | |
| - Prevent overflow when calculating ulog block size (CVE-2025-24528) | |
| Resolves: RHEL-78248 | |
| - kdb5_util: fix DB entry flags on modification | |
| Resolves: RHEL-56060 | |
| - Do not block HMAC-MD4/5 in FIPS mode | |
| Resolves: RHEL-86786 | |
| - Don't issue RC4 session keys by default (CVE-2025-3576) | |
| Resolves: RHEL-88049 | |
| - Add PKINIT paChecksum2 from MS-PKCA v20230920 | |
| Resolves: RHEL-82648 | |
| - pull up fix for not calling a kdb plugin's check-transited-path | |
| method before calling the library's default version, which only knows | |
| how to read what's in the configuration file (RT#7709, #1013664) | |
| - fix conditional for future RHEL | |
| - rebuild | |
| - apply second set of buffer overflow fixes from Tom Yu | |
| - fix from Dirk Husung for a bug in buffer cleanups in the test suite | |
| - work around possibly broken rev binary in running test suite | |
| - move default realm configs from /var/kerberos to %{_var}/kerberos | |
| - Adjust dependency on crypto-policies to be just the file we want | |
| - Patch courtesy of lslebodn | |
| - Resolves: #1308984 | |
| - pull in fix for denial of service by injection of malformed GSSAPI tokens | |
| (CVE-2014-4341, CVE-2014-4342, #1116181) | |
| - pam_rhosts_auth.so's been gone, use pam_rhosts.so instead | |
| - fix bug in patch to make rlogind start login with a clean environment a la | |
| netkit rlogin, spotted and fixed by Scott McClung | |
| - apply kpasswd bug fixes from David Wragg | |
| - fix for potentially gzipped man pages | |
| - Fix incorrect recv() size calculation in libkrad | |
| - label all files at creation-time according to the SELinux policy (#228157) | |
| - pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() | |
| during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or | |
| not to ask for an IPv6 address based on the set of configured interfaces | |
| (#717378, RT#6922) | |
| - pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) | |
| - kadmind: add upstream patch to fix free() on an invalid pointer (#696343, | |
| MITKRB5-SA-2011-004, CVE-2011-0285) | |
| - Fix krb5kdf support and add proper openssl version requirements | |
| - Resolves: #1754690 | |
| - drop not-needed-since-1.8 build dependency on rsh (ssorce) | |
| - add deadlock patch, removed old patch | |
| - when iterating over lists of interfaces which are "up" from getifaddrs(), | |
| skip over those which have no address (#113347) | |
| - Fix FTBFS by no longer working around bug in nss_wrapper | |
| - add patch to document the reject-bad-transited option in kdc.conf | |
| - New upstream release - 1.15.1 | |
| - Fix source URLs in spec file | |
| - Resolves: #1755959 | |
| - tweak server init script to automatically extract kadm5 keys if | |
| /var/kerberos/krb5kdc/kadm5.keytab doesn't exist yet | |
| - adjust package descriptions | |
| - pull up fix for importing previously-exported credential caches in the | |
| gssapi library (RT# 7706, #1019420) | |
| - kpropd hasn't bothered with -S since 1.11; stop trying to use that flag | |
| in the systemd unit file | |
| - rebuild | |
| - fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when | |
| randomizing the keys for a service principal" | |
| - Remove outdated note in krb5kdc man page | |
| - convert to systemd | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456) | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456) | |
| - Backport fix for GSSAPI fallback realm | |
| - revert that last change for a bit while sorting out execstack when we | |
| use AES-NI (#1045699) | |
| - some init script cleanups | |
| - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502) | |
| - krb524: don't barf on missing database if it looks like we're using kldap, | |
| same as for kadmin | |
| - return non-zero status for missing files which cause startup to | |
| fail (#242502) | |
| - incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644, | |
| CAN-2004-0772 | |
| - Fix use of KKDCPP with SNI | |
| - Resolves: #1365027 | |
| - when building with our bundled copy of libverto, package it in with -libs | |
| rather than with -server (#886049) | |
| - Add libverto-devel requires for krb5-devel | |
| - Add otp support | |
| - make PAM support for ksu also set PAM_RUSER | |
| - Fix leaks in gss_inquire_cred_by_oid() | |
| - update to 1.8.3 | |
| - drop backports of fixes for gss context expiration and error table | |
| registration/deregistration mismatch | |
| - drop patch for upstream #6750 | |
| - pull up patch to get the client libraries to correctly perform password | |
| changes over IPv6 (Sumit Bose, RT#6661) | |
| - spnego: pull in patch from master to restore preserving the OID of the | |
| mechanism the initiator requested when we have multiple OIDs for the same | |
| mechanism, so that we reply using the same mechanism OID and the initiator | |
| doesn't get confused (#1066000, RT#7858) | |
| - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and | |
| make it public (#745533) | |
| - fix info page insertions | |
| - Add pkinit_anchors default value to krb5.conf | |
| - Reindent krb5.conf to not be terrible | |
| - Use "new" systemd macros for service handling. (Thanks vpavlin!) | |
| - Resolves: #850399 | |
| - Backport fix for chrome crash in spnego_gss_inquire_context | |
| - Resolves: #1295893 | |
| - remove setuid bit on v4rcp and ksu in case the checks previously added | |
| don't close all of the problems in ksu | |
| - apply patches from Jeffrey Schiller to fix overruns Chris Evans found | |
| - reintroduce configs subpackage for use in the errata | |
| - add PreReq: sh-utils | |
| - fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy | |
| name crash" | |
| - make profile.d scriptlets mode 644 instead of 755 (part of #225974) | |
| - fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) | |
| - cover more cases in labeling files on creation | |
| - add missing gawk build dependency | |
| - build shared libraries with partial RELRO support (#723995) | |
| - filter out potentially multiple instances of -Wl,-z,relro from krb5-config | |
| output, now that it's in the buildroot's default LDFLAGS | |
| - pull in a patch to fix losing track of the replay cache FD, from SVN by | |
| way of Kevin Coffman | |
| - mark profile.d config files noreplace (Laurent Rineau, #196447) | |
| - fix krb5-send-pr (#18932) and move it from -server to -workstation | |
| - buildprereq libtermcap-devel | |
| - temporarily disable optimization on alphas | |
| - gettextize init scripts | |
| - fix config_subpackage logic | |
| - update to 1.10.2 | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - also package the PDF format admin, user, and install guides | |
| - drop some PDFs that no longer get built right | |
| - add a backport of Stef's patch to set the client's list of supported | |
| enctypes to match the types of keys that we have when we are using a | |
| keytab to try to get initial credentials, so that a KDC won't send us | |
| an AS reply that we can't encrypt (RT#2131, #748528) | |
| - don't shuffle around any shared libraries on releases with no-separate-/usr, | |
| since /usr/lib is the same place as /lib | |
| - add explicit buildrequires: on 'hostname', for the tests, on systems where | |
| it's in its own package, and require net-tools, which used to provide the | |
| command, everywhere | |
| - Explicitly look for python2 in configure.in | |
| - fixup some int/pointer varargs wackiness | |
| - add patch from Tom Yu to fix ftpd overflows (#37731) | |
| - build alpha with -O0 for now | |
| - own %{_var}/kerberos | |
| - make ksu and v4rcp owned by root | |
| - fix double-free in the kdc (patch merged into MIT tree) | |
| - include convert-config-files script as a documentation file | |
| - New upstream release - krb5-1.15.2 | |
| - Adjust patches as appropriate | |
| - apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084) | |
| - update to 1.11.1 | |
| - drop patch for noticing negative timeouts being passed to the poll() | |
| wrapper in the client transmit functions | |
| - rebuild | |
| - rebuild | |
| - Add APIs for marshalling credentials | |
| - Resolves: #1964619 | |
| - set SS_LIB at configure-time so that libss-using apps get working readline | |
| support (#197044) | |
| - handle releases where texlive packaging wasn't yet as complicated as it | |
| is in Fedora 18 | |
| - fix an uninitialized-variable error building one of the test programs | |
| - add patch from Mark Cox for exploitable bugs in ftp client | |
| - Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest | |
| - Resolves: #2066316 | |
| - Fix arch name (ppc64le, not ppc64el) | |
| - Related-to: #1464381 | |
| - include profile.d scriptlets in krb5-devel so that krb5-config will be in | |
| the path if krb5-workstation isn't installed, reported by Kir Kolyshkin | |
| - add an xinetd configuration file for encryption-only telnetd, parallelling | |
| the kshell/ekshell pair (#167535) | |
| - clean up quoting of command-line arguments passed to the krsh/krlogin | |
| wrapper scripts | |
| - Display an error message if ocsp pkinit is requested | |
| - Don't check for write access on /etc/krb5.conf if SELinux | |
| - add yasm as a build requirement for AES-NI support, on arches that have | |
| yasm and AES-NI | |
| - rebuilt | |
| - New rawhide, new upstream version | |
| - Drop CVE patches | |
| - Rename fix_interposer.patch to acquire_cred_interposer.patch | |
| - Update acquire_cred_interposer.patch to apply to new source | |
| - explicitly run the pdf generation script using sh (part of #225974) | |
| - generate src/include/krb5/krb5.h before building | |
| - fix conditional for sparcv9 | |
| - Add free hook to KDB; increments KDB version | |
| - Add KDB version flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - New upstream release (1.18.2) | |
| - Resolves: #1802334 | |
| - add some conditional logic to simplify building on older Fedora releases | |
| - Re-provide krb5-kdb-version in -devel as well (IPA wants it) | |
| - Resolves: #1645594 | |
| - add LSB-style init script info | |
| - TEMPORARILY disable usage of OFD locks as a workaround for x86 | |
| - update to 1.11 beta 1 | |
| - update to 1.13 alpha1 | |
| - drop upstreamed and backported patches | |
| - fix output of kprop's init script's "status" and "reload" commands (#588222) | |
| - add patch to correct unauthorized access via krb5-aware telnet | |
| daemon (#229782, CVE-2007-0956) | |
| - add patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - clean up init script for server, verify that it works [jlkatz] | |
| - clean up rotation script so that rc likes it better | |
| - add clean stanza | |
| - turn off NSS as the backend for libk5crypto for now to work around its | |
| DES string2key not working (#679012) | |
| - add revised upstream patch to fix double-free in KDC while returning | |
| typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325) | |
| - Use full paths in krb5.sh to avoid path lookups | |
| - fix configure stuff for ia64 | |
| - Backport OID mech fix | |
| - Resolves: #1317609 | |
| - rebuilt | |
| - pull in upstream fix for an incorrect check on the value returned by a | |
| strdup() call (#1132062) | |
| - Switch to python3-sphinx for docs | |
| - Resolves: #1590928 | |
| - kadmind.init: don't fail outright if the default principal database | |
| isn't there if it looks like we might be using the kldap plugin | |
| - kadmind.init: attempt to extract the key for the host-specific kadmin | |
| service when we try to create the keytab | |
| - Use system nss_wrapper and socket_wrapper for testing. | |
| Patch by Andreas Schneider |
|
| - Zap copy of secret in RC4 string-to-key | |
| - tag a couple of other patches which we still need to be applied during | |
| %{?_rawbuild} builds (zmraz) | |
| - add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches, | |
| dragging keyutils-libs in as a dependency | |
| - rebuild | |
| - rebuilt | |
| - Make krb5kdc.log not world-readable by default | |
| - Resolves: #1276484 | |
| - New upstream version (1.18) | |
| - Resolves: #1802334 | |
| - Resolves: #1820311 | |
| - Resolves: #1791062 | |
| - Resolves: #1784655 | |
| - Remove WITH_NSS macro (always false) | |
| - Remove WITH_SYSTEMD macro (always true) | |
| - Remove WITH_LDAP macro (always true) | |
| - Remove WITH_OPENSSL macro (always true) | |
| - rename the krb5 package back to krb5-libs; the previous rename caused | |
| something of an uproar | |
| - update to 1.2.3, which includes the FTP and telnetd fixes | |
| - configure without --enable-dns-for-kdc --enable-dns-for-realm, which now set | |
| the default behavior instead of enabling the feature (the feature is enabled | |
| by --enable-dns, which we still use) | |
| - reenable optimizations on Alpha | |
| - support more encryption types in the default kdc.conf (heads-up from post | |
| to comp.protocols.kerberos by Jason Heiss) | |
| - Try harder to avoid password change replay errors | |
| - Resolves: #2077563 | |
| - rebuild | |
| - test update to 1.3 beta 4 | |
| - ditch statglue build option | |
| - krb5-devel requires e2fsprogs-devel, which now provides libss and libcom_err | |
| - Drop dependency on python2-pyrad (dead upstream, broken with new python) | |
| - fix buffer underrun in unparsing certain principals (CAN-2003-0082) | |
| - Drop dependency on pax, ksh | |
| - Remove support for fedora < 20 | |
| - Add BuildRequires on python2 so we can run tests at build-time | |
| - clear fuzz out of patches, dropping a man page patch which is no longer | |
| necessary | |
| - quote %{__cc} where needed because it includes whitespace now | |
| - define ASN1BUF_OMIT_INLINE_FUNCS at compile-time (for now) to keep building | |
| - Add upstream crashfix patch (RT#7081) | |
| - fixed server package so that it works now | |
| - update to 1.8.1 | |
| - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 | |
| - replace buildrequires on tetex-latex with one on texlive-latex, which is | |
| the package that provides it now | |
| - initial update to 1.6, pre-package-reorg | |
| - move workstation daemons to a new subpackage (#81836, #216356, #217301), and | |
| make the new subpackage require xinetd (#211885) | |
| - Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) | |
| - Resolves: #1983729 | |
| - Update to krb5-1.13.1 | |
| - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 | |
| - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 | |
| - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 | |
| - Minor spec cleanup | |
| - update to 1.10.3, rolling in the fixes from MITKRB5-SA-2012-001 | |
| - Put openssl runtime requirement in the right place this time | |
| - Resolves: #1754690 | |
| - Rebuilt for gcc bug 634757 | |
| - backport the callback to use the libkrb5 prompter when we can't load PEM | |
| files for PKINIT (RT#7590, includes part of #965721/#1016690) | |
| - extract the rest of the fix #965721/#1016690 from the changes for RT#7680 | |
| - add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and | |
| CAN-2003-0139) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
|
|
|
| libXv-1.0.11-7.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
| - libXv 1.0.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Drop useless %defattr | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - libXv 1.0.11 | |
| - fixes CVE-2016-5407 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - libXv 1.0.9 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Use ldconfig scriptlet macros | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
|
|
|
| libasyncns-0.8-14.el8.x86_64.rpm | - New release |
| - New release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New release | |
| - New release | |
| - Initial packaging | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
|
|
|
| libatomic-8.5.0-28.el8_10.x86_64.rpm | - update from Fedora 8.2.1-3 |
| - change the default -march on s390x to z13 with tuning for z14 (#1571124) | |
| - use --disable-multilib on s390x | |
| - backport aarch64 LSE atomics (#1821994) | |
| - avoid cycling on certain subreg reloads (PR rtl-optimization/96796, #2028798) | |
| - require docbook-style-xsl instead of docbook5-style-xsl (#2073888) | |
| - backport Default widths with -fdec-format-defaults patch (#2074614) | |
| - fix mangling of lambdas in default args (PR c++/91241, #1981822) | |
| - add a few Provides: bundled | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-50290). | |
| - remove python2 dependency (#1595385) | |
| - fix deserialization for std::normal_distribution (#2130392, | |
| PR libstdc++/105502) | |
| - initialize std::normal_distribution::_M_saved (PR libstdc++/99536) | |
| - reject std::make_shared |
|
| - tweak gcc8-rh1668903-1.patch and gcc8-rh1668903-2.patch patches | |
| - update from GCC 8.5 release (#1946758) | |
| - this includes a fix for PR target/87839 (#1958295) | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-82506). | |
| - update from Fedora 8.3.1-3 (#1680182) | |
| - remove load and test FP splitter (#1673116) | |
| - fix *movsi_from_df (#1677652) | |
| - add missing headers | |
| - add support for live patching (#1668903) | |
| - retire gcc8-rh1612514.patch, gcc8-rh1652016.patch, gcc8-rh1652929-?.patch | |
| - fix BuildRequires of python-sphinx | |
| - avoid changing PHIs in GIMPLE split_edge (#2117838) | |
| - s390x: add support for register arguments preserving (#2168205) | |
| - aarch64: Add -mtune=neoverse-512tvb (#1845932) | |
| - fix strlen range with a flexible member array (#2137448) | |
| - backport straight-line-speculation mitigation (#2108721) | |
| - Fix nop generation in annobin plugin. (#2067150) | |
| - update from Fedora 8.3.1-4 (#1680182) | |
| - drop gcc8-pr60790.patch, gcc8-pr89629.patch, gcc8-rh1668903-4.patch | |
| - revert upstream PR85873 gcc-8 fix, apply the fix from gcc-9 (#1960701) | |
| - fix 'this' adjustment for devirtualized call (PR c++/100797, #1965951) | |
| - back out the PR97236 patch | |
| - fix shift count operand printing (#1730380) | |
| - fix tree-outof-ssa.c ICE with vector types (PR middle-end/90139, #1730454) | |
| - fix out-of-ssa with unsupported vector types (PR rtl-optimization/90756, | |
| - fix ICE with template placeholder for TTP (PR c++/86098, #1730454) | |
| - backport the -fuse-ld=lld option (#1670535) | |
| - TLS model fix (#1678555, PR c++/85400) | |
| - two small autoFDO fixes (#1686082) | |
| - libgomp update (#1707568) | |
| - member template redeclaration fix (#1652704, PR c++/86747) | |
| - turn libgcc_s.so into a linker script on i?86, x86_64, ppc64le and also on | |
| ppc and ppc64 for 64-bit multilib (#1708309) | |
| - avoid using unaligned vsx or lxvd2x/stxvd2x for memcpy/memmove inline | |
| expansion (#1666977) | |
| - fix typo in the cprop_hardreg patch (#2028609) | |
| - backport std::regex check for invalid range (#2001788) | |
| - when linking against libgcc_s, link libgcc.a too (#2022588) | |
| - guard the bit test merging code in if-combine (RHEL-11483) | |
| - rebuild for CVE-2020-11023 (RHEL-78274) | |
| - update from Fedora 8.1.1-1 | |
| - add -Wbidi-chars patch (#2008392) | |
| - Backport PPC string inlines from trunk which allow for valgrind's | |
| memcheck to work properly (#1652929) | |
| - Backport bugfix for clz pattern on s390 affecting jemalloc (#1652016) | |
| - backport workaround for broken C/C++ wrappers to LAPACK (#1711346) | |
| - update from GCC 8.4 release (#1946758) | |
| - enable hardening of binaries (#1624114) | |
| - disable libgccjit on RHEL | |
| - rebuild | |
| - enable annobin annotations (#1574936) | |
| - update from Fedora 8.2.1-1 | |
| - additional fix for the libgomp testsuite (#1707568) | |
| - update from Fedora 8.1.1-5 | |
| - Add a plugin-annobin subpackage. (#2067150) | |
| - update from GCC 8.4 release (#1868446) | |
| - remove symlinks to 32-bit versions of these static libraries: libasan.a, | |
| libitm.a, libquadmath.a, libubsan.a, libgfortran.a (#1779597) | |
| - don't reuse DEBUG_EXPRs with vector type (PR middle-end/100508, RHEL-79501) | |
| - Fix folding of BIT_NOT_EXPR for POLY_INT_CST (PR 118976, RHEL-90240) | |
| - fix bad use of VMAT_CONTIGUOUS (PR tree-optimization/97236, #1925632) | |
| - new package | |
| - Pin modification time for python files to SOURCE_DATE_EPOCH (RHEL-50290). | |
| - remove support for demangling GCC 2.x era mangling schemes (#1668394) | |
| - fix ICE in the vectorizer (RHEL-32886) | |
| - backport PCH tweaks (#2030878) | |
| - apply cprop_hardreg fix for narrow mode != lowpart targets (#2028609) | |
| - consider negative edges in cycle detection (#1817991, PR gcov-profile/91601) | |
| - fix Fortran debug info for arrays with descriptors (#1655624, | |
| PR fortran/92775) | |
| - fix wrong code emitted for movv1qi on s390x (#1784758, PR target/92950) | |
| - update from Fedora gcc-8.3.1-5 (#1747157) | |
| - use unspec_volatile for darn (PR target/91481, #1760205, CVE-2019-15847) | |
| - fix for TLSLD references (#2213753) | |
| - fix crash in dynamic_cast<>() on null pointer (PR c++/99074, #2211506) | |
| - adjust a pattern in s390.md (PR target/87723, #2214847) | |
| - fix typos in manual (#1612514) | |
| - avoid IFUNC resolver access to uninitialized data (#1559350, PR libgcc/60790) | |
| - rebuild | |
|
|
|
| libdvdnav-5.0.3-8.el8.x86_64.rpm | - update to current SVN |
| - use new external libdvdread | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - use upstream non-autotools buildsystem | |
| - build with external libdvdread for older releases | |
| - fix version.h | |
| - fix soname | |
| - fix lib paths on 64bit | |
| - add missing file to -devel | |
| - update to current snapshot | |
| - specfile cleanups | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - update to 5.0.3 | |
| - drop obsolete patches | |
| - BR libdvdread 5.0.2 | |
| - update to SVN r1226 | |
| - 0:0.1.9-0.fdr.2: incorporated bugzilla suggestions, new release | |
| - switch to new upstream | |
| - libdvdread comes from here now | |
| - apply dvdread udf-related fixes from upstream SVN | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - make sure -devel requires our version of libdvdread-devel | |
| - fix build with internal libdvdread | |
| - update to 4.1.3rc1 | |
| - require libdvdread with fixed API | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - update to 4.2.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - update to 5.0.1 | |
| - drop obsolete patches | |
| - update to 4.2.1 | |
| - drop obsolete/redundant specfile elements | |
| - add upstream URL | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - update to 4.1.2 | |
| - drop obsolete patches (merged upstream) | |
| - fix FTBFS due to doc files in the wrong place (#1307717) | |
| - use license macro | |
| - drop unnecessary defattr declarations | |
| - Drop Epoch completely | |
| - update to current snapshot from new upstream | |
| - clean up some specfile cruft | |
| - disable static libs | |
| - drop unnecessary explicit dependency on libdvdread | |
| - drop obsolete patch | |
| - fix FTBFS (rhbz#1106007) | |
| - Update to 0.1.10. | |
| - Disable dependency tracking to speed up the build. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - fix multilib conflict, based on a patch by Rex Dieter (rhbz#477684) | |
| - update to SVN r1184 | |
| - move TODO to devel docs | |
| - fix segfault when cell is empty, patch by Simo Sorce, bug #902037 | |
| - fix missing |
|
| - update to current SVN (pre-4.1.3) | |
| - macroize | |
| - re-enable parallel make | |
| - backport patches upstream git master to fix several known bugs | |
| (LP #1236939, #570790) | |
| - switch to new release field | |
| - drop Epoch | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - update to 4.1.3 final | |
| - 0:0.1.9-0.fdr.1: initial RPM release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Autorebuild for GCC 4.3 | |
| - add dist | |
|
|
|
| libdvdread-5.0.3-9.el8.x86_64.rpm | - resurrect package from new upstream |
| - Drop Epoch completely | |
| - Fixed the libdvdcss.so.0/1/2 problem again. | |
| - Rebuild. | |
| - Rebuilt against libdvdcss 1.0.0 (added a patch). | |
| - updated to 4.2.1 release | |
| - drop obsolete/redundant specfile elements | |
| - add upstream URL | |
| - add missing provides for bundled md5 copylib | |
| - updated to 4.2.0 release | |
| - updated to SVN r1188 (rhbz#540155) | |
| - updated to SVN r1183 | |
| - simplified multilib patch | |
| - fixed endianness issues (rhbz#442508) | |
| - added some docs | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Spec file cleanup and fixes. | |
| - Split into normal and devel package | |
| - Updated to 0.9.7 | |
| - initial version | |
| - fix multilib conflict (#477687) | |
| - We BuildConflicting libdvdcss-devel at build time | |
| - Rebuilt for Red Hat Linux 9. | |
| - Exclude .la file. | |
| - Escape macros in %changelog | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - package documentation properly | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - update to 4.9.9 release | |
| - drop obsolete patch | |
| - switch to autotools configure | |
| - fix bogus date in changelog | |
| - update to 5.0.3 | |
| - update to 5.0.2 | |
| - use https for source URL | |
| - make build more verbose | |
| - Rebuild. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - rebuild for BuildID | |
| - update license tag | |
| - Initial Fedora RPM release. | |
| - Updated to the latest cvs release. | |
| - Rebuilt for Red Hat Linux 8.0. | |
| - Updated URLs. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 0.9.4. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - updated to SVN r1226 | |
| - dropped obsolete endianness check patch | |
| - Updated to version 0.9.1 | |
| - update to 4.1.3rc1 | |
| - fix include path | |
| - fix missing |
|
| - Update to 0.9.3. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Added small patch to fix the ldopen of libdvdcss | |
| - Own package doc dir, install COPYING as %license | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Updated to version 0.9.2 | |
| - update to 4.1.3 final | |
| - Fix linking with libdl on x86_64. | |
| - Don't ship static libs. | |
| - Build with dependency tracking disabled. | |
| - Convert specfile and docs to UTF-8. | |
| - Improve package descriptions. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - fix hanging on scanning title (patch by John Stebbins) | |
| - switch to new release field | |
| - drop Epoch | |
| - update to 5.0.0 release | |
| - 0.9.6. | |
| - Specfile cleanup. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Reverted back to using libdvdcss 0.0.3.ogle3 since it works MUCH better | |
| than 1.0.x. Doh! | |
| - Updated to version 0.9.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - add dist | |
| - Back to using libdvdcss 1.1.1, now it's all merged and fine. | |
| - Rebuilt against Red Hat Linux 7.3. | |
| - Added the %{?_smp_mflags} expansion. | |
|
|
|
| libgfortran-8.5.0-28.el8_10.x86_64.rpm | - update from Fedora 8.2.1-3 |
| - change the default -march on s390x to z13 with tuning for z14 (#1571124) | |
| - use --disable-multilib on s390x | |
| - backport aarch64 LSE atomics (#1821994) | |
| - avoid cycling on certain subreg reloads (PR rtl-optimization/96796, #2028798) | |
| - require docbook-style-xsl instead of docbook5-style-xsl (#2073888) | |
| - backport Default widths with -fdec-format-defaults patch (#2074614) | |
| - fix mangling of lambdas in default args (PR c++/91241, #1981822) | |
| - add a few Provides: bundled | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-50290). | |
| - remove python2 dependency (#1595385) | |
| - fix deserialization for std::normal_distribution (#2130392, | |
| PR libstdc++/105502) | |
| - initialize std::normal_distribution::_M_saved (PR libstdc++/99536) | |
| - reject std::make_shared |
|
| - tweak gcc8-rh1668903-1.patch and gcc8-rh1668903-2.patch patches | |
| - update from GCC 8.5 release (#1946758) | |
| - this includes a fix for PR target/87839 (#1958295) | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-82506). | |
| - update from Fedora 8.3.1-3 (#1680182) | |
| - remove load and test FP splitter (#1673116) | |
| - fix *movsi_from_df (#1677652) | |
| - add missing headers | |
| - add support for live patching (#1668903) | |
| - retire gcc8-rh1612514.patch, gcc8-rh1652016.patch, gcc8-rh1652929-?.patch | |
| - fix BuildRequires of python-sphinx | |
| - avoid changing PHIs in GIMPLE split_edge (#2117838) | |
| - s390x: add support for register arguments preserving (#2168205) | |
| - aarch64: Add -mtune=neoverse-512tvb (#1845932) | |
| - fix strlen range with a flexible member array (#2137448) | |
| - backport straight-line-speculation mitigation (#2108721) | |
| - Fix nop generation in annobin plugin. (#2067150) | |
| - update from Fedora 8.3.1-4 (#1680182) | |
| - drop gcc8-pr60790.patch, gcc8-pr89629.patch, gcc8-rh1668903-4.patch | |
| - revert upstream PR85873 gcc-8 fix, apply the fix from gcc-9 (#1960701) | |
| - fix 'this' adjustment for devirtualized call (PR c++/100797, #1965951) | |
| - back out the PR97236 patch | |
| - fix shift count operand printing (#1730380) | |
| - fix tree-outof-ssa.c ICE with vector types (PR middle-end/90139, #1730454) | |
| - fix out-of-ssa with unsupported vector types (PR rtl-optimization/90756, | |
| - fix ICE with template placeholder for TTP (PR c++/86098, #1730454) | |
| - backport the -fuse-ld=lld option (#1670535) | |
| - TLS model fix (#1678555, PR c++/85400) | |
| - two small autoFDO fixes (#1686082) | |
| - libgomp update (#1707568) | |
| - member template redeclaration fix (#1652704, PR c++/86747) | |
| - turn libgcc_s.so into a linker script on i?86, x86_64, ppc64le and also on | |
| ppc and ppc64 for 64-bit multilib (#1708309) | |
| - avoid using unaligned vsx or lxvd2x/stxvd2x for memcpy/memmove inline | |
| expansion (#1666977) | |
| - fix typo in the cprop_hardreg patch (#2028609) | |
| - backport std::regex check for invalid range (#2001788) | |
| - when linking against libgcc_s, link libgcc.a too (#2022588) | |
| - guard the bit test merging code in if-combine (RHEL-11483) | |
| - rebuild for CVE-2020-11023 (RHEL-78274) | |
| - update from Fedora 8.1.1-1 | |
| - add -Wbidi-chars patch (#2008392) | |
| - Backport PPC string inlines from trunk which allow for valgrind's | |
| memcheck to work properly (#1652929) | |
| - Backport bugfix for clz pattern on s390 affecting jemalloc (#1652016) | |
| - backport workaround for broken C/C++ wrappers to LAPACK (#1711346) | |
| - update from GCC 8.4 release (#1946758) | |
| - enable hardening of binaries (#1624114) | |
| - disable libgccjit on RHEL | |
| - rebuild | |
| - enable annobin annotations (#1574936) | |
| - update from Fedora 8.2.1-1 | |
| - additional fix for the libgomp testsuite (#1707568) | |
| - update from Fedora 8.1.1-5 | |
| - Add a plugin-annobin subpackage. (#2067150) | |
| - update from GCC 8.4 release (#1868446) | |
| - remove symlinks to 32-bit versions of these static libraries: libasan.a, | |
| libitm.a, libquadmath.a, libubsan.a, libgfortran.a (#1779597) | |
| - don't reuse DEBUG_EXPRs with vector type (PR middle-end/100508, RHEL-79501) | |
| - Fix folding of BIT_NOT_EXPR for POLY_INT_CST (PR 118976, RHEL-90240) | |
| - fix bad use of VMAT_CONTIGUOUS (PR tree-optimization/97236, #1925632) | |
| - new package | |
| - Pin modification time for python files to SOURCE_DATE_EPOCH (RHEL-50290). | |
| - remove support for demangling GCC 2.x era mangling schemes (#1668394) | |
| - fix ICE in the vectorizer (RHEL-32886) | |
| - backport PCH tweaks (#2030878) | |
| - apply cprop_hardreg fix for narrow mode != lowpart targets (#2028609) | |
| - consider negative edges in cycle detection (#1817991, PR gcov-profile/91601) | |
| - fix Fortran debug info for arrays with descriptors (#1655624, | |
| PR fortran/92775) | |
| - fix wrong code emitted for movv1qi on s390x (#1784758, PR target/92950) | |
| - update from Fedora gcc-8.3.1-5 (#1747157) | |
| - use unspec_volatile for darn (PR target/91481, #1760205, CVE-2019-15847) | |
| - fix for TLSLD references (#2213753) | |
| - fix crash in dynamic_cast<>() on null pointer (PR c++/99074, #2211506) | |
| - adjust a pattern in s390.md (PR target/87723, #2214847) | |
| - fix typos in manual (#1612514) | |
| - avoid IFUNC resolver access to uninitialized data (#1559350, PR libgcc/60790) | |
| - rebuild | |
|
|
|
| libglvnd-gles-1.3.4-2.el8.x86_64.rpm | - Update to 20160106 snapshot |
| - Remove 10-x11glvnd | |
| - Update snapshot to 20170620 | |
| - conflict | |
| - Fix GLX_SGIX_fbconfig extension, this fixes games such as "The Binding of | |
| Isaac: Rebirth" and "Crypt of the NecroDancer" from Steam not working | |
| - Update snapshot | |
| - Update to git20160217 | |
| - Introduce --with mesa-libglvnd-default build conditional | |
| - Avoid error on make check - testglxqueryversion.sh still fails in mock | |
| - Filter on provided libGL until glvnd support is in upstream mesa | |
| - Use upstream tarball and use autoreconf | |
| - Update RPM filters for private libraries (includes GLX, fixes RHEL 6). | |
| - Add another conflict | |
| - libglvnd 1.2.0 | |
| - Update snapshot to 20170818 | |
| - Restore hardened build | |
| - Remove ExclusiveArch | |
| - Remove some pointless Provides/Obsoletes | |
| - BuildRequires pkgconfig(xext) not pkgconfig(xv) | |
| - Update description to be a bit more confident | |
| - Dump make check errors into the build log | |
| - Update license | |
| - Fix Obsoletes/Provides to avoid self obsolete | |
| - Don't hide libraries in a subdir (rhbz#1413579) | |
| - Split up libraries to appropriate subpackages | |
| - Make the req/prov filter catch more cases | |
| - Restore libGLESv1 for ABI compliance | |
| - Update to current snapshot | |
| - Rebuilt without testsuite | |
| - Update snapshot | |
| - Fix EGL crash for KDE/Plasma (rfbz#4303) | |
| - Fix BuildRequires for /usr/bin/python3 | |
| - Resolves: #1615543 | |
| - asm enabled only for x86 - rhbz#1419944 | |
| - Update to 20160610 git commit | |
| - Go back to Requires: mesa-*, the fallout is too great (#1568881 etc) | |
| - Update snapshot to 20170607 | |
| - Default to asm and tls when available | |
| - Use the fixed tsd for armhfp and aarch64 | |
| fixed in https://github.com/NVIDIA/libglvnd/issues/116 | |
| - Update to latest snapshot | |
| - Fix BuildRequires for python3-devel | |
| Resolves: RHEL-2239 | |
| - Bump for 20160115 | |
| - Enable make check | |
| - Description improvements | |
| - Enable libglvnd by default | |
| - Enable devel sub-package | |
| - Drop 0007-GLX-Add-GLX_SGIX_fbconfig-functions.patch the bug this works | |
| around actually is in mesa | |
| - Initial spec file | |
| - Update to 1.1.gitf7fbc4b | |
| - Fix EGL crash (rfbz#4303) | |
| - Update to 20151121 snapshot | |
| - Avoid conflicts with mesa-libGL{,ES} | |
| - Disable libGLESv1_CM | |
| - Update to 1.0.0 release | |
| - Update snapshot to 20180327 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update snapshot to 20180226 | |
| - Update scriptlets | |
| - Add the correct License: MIT | |
| - Use Recommends: mesa-* not Requires. | |
| - (Trivially) switch the build to python3 | |
| - Update to snapshot 20150901 | |
| - rename fallback to system | |
| - Update to today snapshot | |
| - Fix license | |
| - Add another fallback GLX library name | |
| - add conflicts | |
| - more conflicts | |
| - version provides | |
| - Own %{_sysconfdir}/egl and %{_datadir}/egl dirs | |
| - Update to today snapshot | |
| - Update to 1.3.2 release | |
| - Remove patch to enable by default | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Epoch:1 to provide upgrade path from negativo17.org rpms | |
| - New snapshot | |
| - Add patches to fix building on ARM (from Rob Clark) | |
| - Add BuildRequires: python | |
| - Add ldconfig scriptlets for library sub-packages | |
| - Update to latest snapshot, remove upstreamed patches. | |
| - Update release to packaging guidelines format. | |
| - Make sure that for Fedora 24 and RHEL the libraries are always private. | |
| - Rebuilt with testsuite again | |
| - Rebuild due to bug in RPM (RHBZ #1468476) | |
| - Update to 2.999 version | |
| - Add EGL | |
| - Add eglexternalplatform spec. config dirs to -egl subpackage (rhbz#1415143) | |
| - Update to current snapshot | |
| - Remove unused dt-auxiliary | |
| - Add support for graphical make test | |
| - Undefine hardened build for xorg | |
| - Add conditional to disable testsuite, when needed | |
| - Update to 1.3.4 release | |
| - Enable %check for all but ppc64 and s390x, which have known but low-impact | |
| failures | |
| - Simplify %release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Fix conditionals for _without_mesa_glvnd_default | |
| - Fix other RHEL-conditionals, too | |
|
|
|
| libjose-10-2.el8_10.3.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
| - Fixes CVE-2023-50967 | |
| - New upstream release | |
| - New upstream release | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Backport fix for CVE-2024-28176 | |
| Resolves: RHEL-28719 | |
| - Fix tests on s390x | |
| Related: RHEL-29857 | |
| - Rebuild to pick up new architectures | |
| - Initial package | |
| - New upstream release | |
| - New upstream release | |
| - Add a conflicts on old versions of jansson | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Fix build on big-endian platforms (fix already upstream) | |
|
|
|
| libkadm5-1.18.2-32.el8_10.x86_64.rpm | - Make krb5-devel depend on libkadm5 |
| - Resolves: #1364487 | |
| - Merge krb5-configs back into krb5-libs. The krb5.conf file is marked as | |
| a %config file anyway. | |
| - Make krb5.conf a noreplace config file. | |
| - Fix KCM client time offset propagation | |
| - Resolves: #1738553 | |
| - gettextize init scripts | |
| - fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated | |
| denial of service in recvauth_common() and others" | |
| - add preliminary patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - Clean up etype display on KDC | |
| - Resolves: #1664157 | |
| - build without -g3, which gives us large static libraries in -devel | |
| - further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit | |
| architectures, to avoid multilib conflicts; other changes will conspire to | |
| strip out the -L flag which uses this, so it should be harmless (#192692) | |
| - Correct copyright: it's exportable now, provided the proper paperwork is | |
| filed with the government. | |
| - FIPS: disable 3DES and ed25519 | |
| - Resolves: #1616326 | |
| - Fix backward check in kprop.service | |
| - apply Mike Friedman's patch to fix format string problems | |
| - don't strip off argv[0] when invoking regular rsh/rlogin | |
| - work around a compile problem with new openssl | |
| - update to 1.12 final | |
| - use (a bundled, for now, copy of) nss_wrapper to let us run some of the | |
| self-tests at build-time in more places than we could previously (#978756) | |
| - cover inconsistencies in whether or not there's a local caching nameserver | |
| that's willing to answer when the build environment doesn't have a | |
| resolver configuration, so that nss_wrapper's faking of the local | |
| hostname can be complete | |
| - update to 1.2.5 | |
| - disable statglue | |
| - Backport certauth eku security fix | |
| - rebuilt with new openssl | |
| - Backport my interposer fixes from upstream | |
| - Supersedes krb5-mechglue_inqure_attrs.patch | |
| - New upstream prerelease (1.16-beta2) | |
| - Fix use of enterprise principals with forwarding | |
| - fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer | |
| dereference when using keyless entries" | |
| - Use the correct patches this time. | |
| - Resolves: #1321135 | |
| - apply fix from Tom Yu for MITKRB5-SA-2004-004 (CAN-2004-1189) | |
| - remove hashless key types from the default kdc.conf, they're not supposed to | |
| be there, noted by Sam Hartman on krbdev | |
| - properly advertise that the kpropd init script now supports force-reload | |
| (Zbysek Mraz, #630587) | |
| - update to alpha 2 | |
| - drop a couple of patches which were integrated for alpha 2 | |
| - correct some configuration file paths which the KDC_DIR patch missed | |
| - Remove "-nodes" option from make-certs scripts | |
| - patch to avoid depending on |
|
| - initial update to alpha1 | |
| - drop backport of persistent keyring support | |
| - drop backport for RT#7689 | |
| - drop obsolete patch for fixing a use-before-init in a test program | |
| - drop obsolete patch teaching config.guess/config.sub about aarch64-linux | |
| - drop backport for RT#7598 | |
| - drop backport for RT#7172 | |
| - drop backport for RT#7642 | |
| - drop backport for RT#7643 | |
| - drop patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too; obsolete | |
| - drop backports for RT#7682 | |
| - drop backport for RT#7709 | |
| - drop backport for RT#7590 and partial backport for RT#7680 | |
| - drop OTP backport | |
| - drop backports for RT#7656 and RT#7657 | |
| - BuildRequires: libedit-devel to prefer it | |
| - BuildRequires: pkgconfig, since configure uses it | |
| - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, | |
| - OpenSSL has an epoch, apparently | |
| - Resolves: #1754690 | |
| - selinux: hang on to the list of selinux contexts, freeing and reloading | |
| it only when the file we read it from is modified, freeing it when the | |
| shared library is being unloaded (#845125) | |
| - In FIPS mode, add plaintext fallback for RC4 usages and taint | |
| - disable optimizations on the alpha again | |
| - pull up Simo's patch to mark the correct mechanism on imported GSSAPI | |
| contexts (RT#7592) | |
| - go back to using reconf to run autoconf and autoheader (part of #925640) | |
| - add temporary patch to use newer config.guess/config.sub (more of #925640) | |
| - Remove downloadable source signature file | |
| - Resolves: rhbz#2219654 | |
| - don't include |
|
| - debloat | |
| - Fix network service dependencies | |
| - Resolves: #1525230 | |
| - New upstream beta version | |
| - Merge duplicate subsections in profile library | |
| - Fix gitignore problem with previous patchset | |
| - patch ksu man page because the -C option never works | |
| - add access() checks and disable debug mode in ksu | |
| - modify default ksu build arguments to specify more directories in CMD_PATH | |
| and to use getusershell() | |
| - Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear | |
| when kadmind starts"). The issue was caused by an unneeded |htons()| | |
| which triggered SELinux AVC denials due to the "random" port usage. | |
| - Update from krb5-1.13-alpha1 to final krb5-1.13 | |
| - Removed patch for CVE-2014-5351 (#1145425) "krb5: current | |
| keys returned when randomizing the keys for a service principal" - | |
| now part of upstream sources | |
| - Use patch for glibc |eventfd()| prototype mismatch (#1147887) only | |
| for Fedora > 20 | |
| - force -fPIC | |
| - Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) | |
| - rebuilt | |
| - specify the location of the subsystem lock when using the status() function | |
| in the kadmind and kpropd init scripts, so that we get the right error when | |
| we're dead but have a lock file - requires initscripts 8.99 (#521772) | |
| - switch man pages to being generated with the right paths in them | |
| - drop old, incomplete SELinux patch | |
| - add patch from Greg Hudson to make srvtab routines report missing-file errors | |
| at same point that keytab routines do (#241805) | |
| - incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 | |
| (MITKRB5-SA-2004-002, #130732) | |
| - incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) | |
| - respin with updated version of patch for RT#7650 (#969331) | |
| - silence compiler warning in kprop by using an in-memory ccache with a fixed | |
| name instead of an on-disk ccache with a name generated by tmpnam() | |
| - Remove dependency on systemd-sysv which is no longer needed for fedora > 20 | |
| This also fixes a fail-to-build issue. | |
| - Miscellaneous spec cleanup fixes | |
| - Put KDB authdata first | |
| - Resolves: #1800575 | |
| - update to 1.10.1 | |
| - drop the KDC crash fix | |
| - drop the KDC lookaside cache fix | |
| - drop the fix for kadmind RPC ACLs (CVE-2012-1012) | |
| - update to beta 1 | |
| - add currently-proposed changes to teach ksu about credential cache | |
| collections and the default_ccache_name setting (#1015559,#1026099) | |
| - Re-enable test suite on ppc64le (no other changes) | |
| - modify the deltat grammar to also tell gcc (4.7) to suppress | |
| "maybe-uninitialized" warnings in addition to the "uninitialized" warnings | |
| it's already being told to suppress (RT#7080) | |
| - change /usr/dict/words to /usr/share/dict/words in default kdc.conf (#20000) | |
| - add patch to accept keytab entries with vno==0 as matches when we're | |
| searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) | |
| - mktemp was long obsoleted by coreutils | |
| - ftp: add patch to fix "runique on" case when globbing fixes applied | |
| - stop adding a redundant but harmless call to initialize the gssapi internals | |
| - fix a typo in a ksu error message (Marek Mahut) | |
| - "rev" works the way the test suite expects now, so don't disable tests | |
| that use it | |
| - undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6 | |
| - version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename | |
| - reintroduce the init scripts for non-systemd releases | |
| - forward-port %{?_rawbuild} annotations from EL6 packaging | |
| - Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 | |
| - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, | |
| where it's actually needed (#538703) | |
| - Fix log file permissions patch with our selinux | |
| - Resolves: #1309421 | |
| - Enable MD5 override for FIPS RADIUS | |
| - Resolves: #1872689 | |
| - go back to not messing with library file paths on Fedora 17: it breaks | |
| file path dependencies in other packages, and since Fedora 17 is already | |
| released, breaking that is our fault | |
| - Explicitly require python2 packages | |
| - Backport upstream certauth EKU fixes | |
| - Add temporary workaround for RH bug #1204646 ("krb5-config | |
| returns wrong -specs path") which modifies krb5-config post | |
| build so that development of krb5 dependencies gets unstuck. | |
| This MUST be removed before rawhide becomes F23 ... | |
| - Fix CVE-2017-11368 (remote triggerable assertion failure) | |
| - Properly close krad sockets | |
| - Resolves: #1380836 | |
| - allocate space for the nul-terminator in the local pathname when looking up | |
| a file context, and properly free a previous context (Jose Plans, #426085) | |
| - Move kdbversion info into -server for IPA (so we can rebase) | |
| - Resolves: #1645594 | |
| - update to 1.11.2 | |
| - drop pulled in patch for RT#7586, included in this release | |
| - drop pulled in patch for RT#7592, included in this release | |
| - pull in fix for keeping track of the message type when parsing FAST requests | |
| in the KDC (RT#7605, #951843) (also #951965) | |
| - if the init script fails to start krb5kdc/kadmind/kpropd because it's already | |
| running (according to status()), return 0 (part of #521772) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - build | |
| - pull in fix from master to return a NULL pointer rather than allocating | |
| zero bytes of memory if we read a zero-length input token (RT#7794, part of | |
| - pull in fix from master to ignore an empty token from an acceptor if | |
| we've already finished authenticating (RT#7797, part of #1043962) | |
| - pull in fix from master to avoid a memory leak when a mechanism's | |
| init_sec_context function fails (RT#7803, part of #1043962) | |
| - pull in fix from master to avoid a memory leak in a couple of error | |
| cases which could occur while obtaining acceptor credentials (RT#7805, part | |
| of #1043962) | |
| - Nix /usr/share/krb5.conf.d to reduce complexity | |
| - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not | |
| loop on principal unknown errors"). | |
| - Added "python-sphinx-latex" to the build requirements | |
| to fix build failures on F22 machines. | |
| - add an auth stack to ksu's PAM configuration so that pam_setcred() calls | |
| won't just fail | |
| - omit dependent libraries from the krb5-config --libs output, as using | |
| shared libraries (no more static libraries) makes them unnecessary and | |
| they're not part of the libkrb5 interface (patch by Rex Dieter, #240220) | |
| (strips out libkeyutils, libresolv, libdl) | |
| - update to 1.3.4 beta1 | |
| - remove MITKRB5-SA-2004-001, included in 1.3.4 | |
| - add patch to fix server-side crashes when principals have no | |
| components (CAN-2003-0072) | |
| - Fix argument order on strlcpy() in enctype_name() | |
| - Resolves: #1754369 | |
| - switch to the updated patch for MITKRB-SA-2006-001 | |
| - Fix setting of AS key in OTP preauth failure | |
| - rebuild | |
| - Be more careful asking for AS key in SPAKE client | |
| - Fix CVE-2016-3119 (NULL deref in LDAP module) | |
| - add patch to correct GSSAPI library null pointer dereference which could be | |
| triggered by malformed client requests (CVE-2010-1321, #582466) | |
| - rename the krb5-libs package to krb5 (naming a subpackage -libs when there | |
| is no main package is silly) | |
| - move defaults for PAM to the appdefaults section of krb5.conf -- this is | |
| the area where the krb5_appdefault_* functions look for settings) | |
| - disable statglue (warning: breaks binary compatibility with previous | |
| packages, but has to be broken at some point to work correctly with | |
| unpatched versions built with newer versions of glibc) | |
| - Fix kprop for propagating dump files larger than 4GB | |
| - Resolves: #2026462 | |
| - rebuild | |
| - pull the changing of the compiled-in default ccache location to | |
| DIR:/run/user/%{uid}/krb5cc back into F19, in line with SSSD and | |
| the most recent pam_krb5 build | |
| - hardcode pid file as option in krb5kdc.service | |
| - Fix hex conversion of PKINIT certid strings | |
| - configure --without-krb5-config so that we don't pull in the old default | |
| ccache name when we want to stop setting a default ccache name at configure- | |
| time | |
| - make krb5-config suppress CFLAGS output when called with --libs (#544391) | |
| - add more etypes (arcfour) to the default enctype list in kdc.conf | |
| - don't apply previous patch, refused upstream | |
| - fix the problem where the %license file has been a dangling symlink | |
| - fix broken dependency on awk (should be gawk, rdieter) | |
| - use %global instead of %define | |
| - pull up proposed patch for creating previously-not-there lock files for | |
| kdb databases when 'kdb5_util' is called to 'load' (#551764) | |
| - fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, #140036) | |
| - move /usr/kerberos/bin to end of PATH | |
| - update to beta2 | |
| - drop obsolete backports for storing KDC time offsets and expiration times | |
| in keyring credential caches | |
| - move initscript back | |
| - rebuilt | |
| - patch mkdir/rmdir problem in ftpcmd.y | |
| - add condrestart option to init script | |
| - split the server init script into three pieces and add one for kpropd | |
| - turn on NSS as the backend for libk5crypto, adding nss-devel as a build | |
| dependency when that switch is flipped | |
| - rebuild | |
| - rebuild | |
| - pull up the change to make kpasswd's behavior better match the docs | |
| when there's no ccache (#563431) | |
| - build with -fno-strict-aliasing, which is needed because the library | |
| triggers these warnings | |
| - don't forget to label principal database lock files | |
| - fix the labeling patch so that it doesn't break bootstrapping | |
| - fix double-free of enc_part2 in krb524d | |
| - rebuild on 1.1.1 | |
| - pull in patches from master to not test GSSRPC-over-UDP and to not | |
| depend on the portmapper, which are areas where our build systems | |
| often give us trouble, too | |
| - Add PKINIT KDC support for freshness token | |
| - Add hostname-based ccselect module | |
| - Resolves: #1463665 | |
| - Include fixes for previous commit | |
| - Resolves: #1433083 | |
| - Fix typo of crypto-policies file in previous version | |
| - Exit with status 0 from kadmind | |
| - don't break during %check when the session keyring is revoked | |
| - update to 1.7.1 | |
| - don't trip AD lockout on wrong password (#542687, #554351) | |
| - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 | |
| - fixes gss_krb5_copy_ccache() when SPNEGO is used | |
| - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to | |
| the devel subpackage, better lining up with the expected krb5/krb5-appl | |
| split in 1.8 | |
| - drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already | |
| depends on -workstation which also includes them | |
| - New upstream release | |
| - Update names and numbers to match external git | |
| - Rebuilt for glibc bug#747377 | |
| - update to 1.2.1 | |
| - back out Tom Yu's patch, which is a big chunk of the 1.2 -> 1.2.1 update | |
| - start using the official source tarball instead of its contents | |
| - automatic rebuild | |
| - fix globbing patch port mode (#139075) | |
| - have -server require /usr/share/dict/words, which we set as the default | |
| dict_file in kdc.conf (#817089) | |
| - refresh patch for #542868 from trunk | |
| - incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) | |
| - fix incorrect call to "test" in the kadmin init script (#252322,#287291) | |
| - update to the 1.2 release | |
| - ditch a lot of our patches which went upstream | |
| - enable use of DNS to look up things at build-time | |
| - disable use of DNS to look up things at run-time in default krb5.conf | |
| - change ownership of the convert-config-files script to root.root | |
| - compress PS docs | |
| - fix some typos in the kinit man page | |
| - run condrestart in server post, and shut down in preun | |
| - back that last change out | |
| - Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ | |
| (#1225792, #1146370, #1145808) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - fix summaries and descriptions | |
| - switched the default transfer protocol from PORT to PASV as proposed on | |
| bugzilla (#16134), and to match the regular ftp package's behavior | |
| - build with -fstack-protector-all instead of the default -fstack-protector, | |
| so that we add checking to more functions (i.e., all of them) (#629950) | |
| - also link binaries with -Wl,-z,relro,-z,now (part of #629950) | |
| - add some minimal description to the top of the wrapper scripts we use | |
| when starting krb5kdc and kadmind to describe why they exist (tooling) | |
| - Fix some broken tests for Python 3 | |
| - fix for CVE-2014-5352 (#1179856) "gss_process_context_token() | |
| incorrectly frees context (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial | |
| deserialization results (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9422 (#1179861) "kadmind incorrectly | |
| validates server principal name (MITKRB5-SA-2015-001)" | |
| - fix for CVE-2014-9423 (#1179863) "libgssrpc server applications | |
| leak uninitialized bytes (MITKRB5-SA-2015-001)" | |
| - automated rebuild | |
| - libgssapi_krb5: backport fix for some errors which can occur when | |
| we fail to set up the server half of a context (CVE-2009-0845) | |
| - Fix configuration of default ccache name to match file indentation | |
| - drop patch to suppress key expiration warnings sent from the KDC in | |
| the last-req field, as the KDC is expected to just be configured to either | |
| send them or not as a particular key approaches expiration (#556495) | |
| - update to 1.2.8 | |
| - Remove Zanata test glue and related workarounds | |
| - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") | |
| - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh") | |
| - compile with %{?_smp_mflags} (Steve Grubb) | |
| - drop the bit where we munge part of the error table header, as it's not | |
| needed any more | |
| - incorporate a fix to teach the file labeling bits about when replay caches | |
| are expunged (#576093) | |
| - New upstream release (1.16) | |
| - No changes from beta2 | |
| - Update to krb5-1.13.2 | |
| - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 | |
| - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 | |
| - Add script processing for upcoming Zanata l10n support | |
| - Minor spec cleanup | |
| - back out this labeling change (dwalsh): | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - Full FIPS compliance | |
| - Resolves: #1754690 | |
| - backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE | |
| to talk to a KDC by using poll() if it's detected at compile-time (#701446, | |
| RT#6905) | |
| - refresh nss_wrapper and add socket_wrapper to the %check environment | |
| - update the PIC patch for iaesx86.s to not use ELF relocations to the version | |
| that landed upstream (RT#7815, #1045699) | |
| - use %{_infodir} to better comply with FHS | |
| - move .so files to -devel subpackage | |
| - tweak xinetd config files (bugs #11833, #11835, #11836, #11840) | |
| - fix package descriptions again | |
| - update to 1.6.1 | |
| - drop no-longer-needed patches for CVE-2007-0956,CVE-2007-0957,CVE-2007-1216 | |
| - drop patch for sendto bug in 1.6, fixed in 1.6.1 | |
| - automated rebuild | |
| - add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028) | |
| - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) | |
| - always #include |
|
| - enable LFS on a bunch of other 32-bit arches | |
| - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, | |
| - pull in fix to set expiration times on credentials stored in keyring | |
| credential caches (RT#7769, #1031724) | |
| - Guess Samba client mutual flag using ap_option | |
| - Resolves: #1370980 | |
| - add explicit build-time dependency on a version of keyutils that's new | |
| enough to include keyctl_get_persistent() (more of #991148) | |
| - Backport patch to fix mechglue for gss_inqure_attrs_for_mech() | |
| - apply patch from upstream to fix KDC denial of service (CVE-2010-0283, | |
| - make sure workstation servers are all disabled by default | |
| - clean up krb5server init script | |
| - ensure that the gssapi library's been initialized before walking the | |
| internal mechanism list in gss_release_oid(), needed if called from | |
| gss_release_name() right after a gss_import_name() (#198092) | |
| - update to 1.4 | |
| - v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O" | |
| flag to specify that it should communicate with the server using the older | |
| protocol | |
| - new libkrb5support library | |
| - v5passwdd and kadmind4 are gone | |
| - versioned symbols | |
| - pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass | |
| it on to krb5kdc | |
| - pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass | |
| it on to kadmind | |
| - pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass | |
| it on to krb524d *instead of* "-m" | |
| - set "forwardable" in [libdefaults] in the default krb5.conf to match the | |
| default setting which we supply for pam_krb5 | |
| - set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting the | |
| compiled-in default | |
| - Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) | |
| - Backport KCM performance enablements | |
| - Resolves: #1956388 | |
| - Remove "python-sphinx-latex" and "tar" from the build requirements | |
| to fix build failures on F22 machines. | |
| - Minor spec cleanup | |
| - fix license tag | |
| - krb5kdc init script: prototype some changes to do a quick spot-check | |
| of the TGS and kadmind keys and warn if there aren't any non-weak keys | |
| on file for them (to flush out parts of #651466) | |
| - Fix string RPC ACLs (RT#7093); CVE-2012-1012 | |
| - update to 1.9.1: | |
| - drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, | |
| CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 | |
| - drop krshd patch for now | |
| - fix build failure caused by change of prototype for glibc | |
| |eventfd()| (#1147887) | |
| - rebuild | |
| - gcc 3.3 doesn't implement varargs.h, include stdarg.h instead | |
| - rebuild in new environment | |
| - Use standard trigger logic for krb5 snippet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Patch build by disabling failing test; will fix properly soon | |
| - merge security fixes from RHSA-2007:0095 | |
| - give a little bit more information to the user when kinit gets the catch-all | |
| I/O error (#180175) | |
| - update to 1.10 alpha 1 | |
| - on newer releases where we can assume NSS >= 3.13, configure PKINIT to build | |
| using NSS | |
| - on newer releases where we build PKINIT using NSS, configure libk5crypto to | |
| build using NSS | |
| - rename krb5-pkinit-openssl to krb5-pkinit on newer releases where we're | |
| expecting to build PKINIT using NSS instead | |
| - during %check, run check in the library and kdc subdirectories, which | |
| should be able to run inside of the build system without issue | |
| - add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469) | |
| - add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468) | |
| - amend the PIC patch for iaesx86.s to also save/restore ebx in the | |
| functions where we modify it, because the ELF spec says we need to | |
| - stop exporting kadmin keys to a keytab file when kadmind starts -- the | |
| daemon's been able to use the database directly for a long long time now | |
| - belatedly add aes128,aes256 to the default set of supported key types | |
| - fix a type mismatch in krb5_copy_error_message() | |
| - ftp: fix some odd use of strlen() | |
| - selinux labeling: use selabel_open() family of functions rather than | |
| matchpathcon(), bail on it if attempting to get the mutex lock fails | |
| - Backport certauth plugin and related pkinit changes | |
| - Allow verification of attributes on krb5.conf | |
| - Restrict pre-authentication fallback cases | |
| - rebuild | |
| - change a LINE_MAX to 1024, fix from Ken Raeburn | |
| - add fix for login vulnerability in case anyone rebuilds without krb4 compat | |
| - add tweaks for byte-swapping macros in krb.h, also from Ken | |
| - add xinetd config files | |
| - make rsh and rlogin quieter | |
| - build with debug to fix credential forwarding | |
| - add rsh as a build-time req because the configure scripts look for it to | |
| determine paths | |
| - incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922) | |
| - incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443) | |
| and MITKRB5-SA-2007-005 (CVE-2007-2798) | |
| - add documentation for the ticket_lifetime option (#561174) | |
| - add patch to fix telnetd vulnerability | |
| - try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) | |
| - Backport soft-pkcs11 testing code | |
| - Resolves: #1734158 | |
| - disable servers by default to keep linuxconf from thinking they need to be | |
| started when they don't | |
| - Use openssl's PRNG in FIPS mode | |
| - Resolves: #1663571 | |
| - add some comments to the ksu patches for the curious | |
| - re-enable optimization on alphas | |
| - Backport kdcpolicy interface | |
| - kdc.conf: default to listening for TCP clients, too (#248415) | |
| - rebuild with keyutils 1.5.8 (part of #1012043) | |
| - prereq chkconfig for the server subpackage | |
| - move the db2 kdb plugin from -server to -libs, because a multilib libkdb | |
| might need it | |
| - change the default configured encryption type for KDC databases to the | |
| compiled-in default of des3-hmac-sha1 (#57847) | |
| - grab a more-commented version of the most recent patch from upstream | |
| master | |
| - make a guess at making the 32-bit AES-NI implementation sufficiently | |
| position-independent to not require execmod permissions for libk5crypto | |
| (more of #1045699) | |
| - Process included directories in alphabetical order | |
| - backed out ncurses and makeshlib patches | |
| - update for krb5-1.1 | |
| - add KDC rotation to rc.boot, based on ideas from Michael's C version | |
| - prevent spurious EBADF in krshd when stdin is closed by the client while | |
| the command is running (#151111) | |
| - update to 1.3 | |
| - Zap data when freeing krb5_spake_factor | |
| - make krb5-server-ldap also depend on the same version-release of krb5-libs, | |
| as the other subpackages do, if only to make it clearer than it is when we | |
| just do it through krb5-server | |
| - drop explicit linking with libtinfo for applications that use libss, now | |
| that readline itself links with libtinfo (as of readline-5.2-3, since | |
| fedora 7 or so) | |
| - go back to building without strict aliasing (compiler warnings in gssrpc) | |
| - add upstream patches to fix standalone kpropd exiting if the per-client | |
| child process exits with an error (MITKRB5-SA-2011-001), a hang or crash | |
| in the KDC when using the LDAP kdb backend, and an uninitialized pointer | |
| use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, | |
| CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126) | |
| - Fix SPAKE memory leak | |
| - update to 1.12.2 | |
| - drop patch for RT#7820, fixed in 1.12.2 | |
| - drop patch for #231147, fixed as RT#3277 in 1.12.2 | |
| - drop patch for RT#7818, fixed in 1.12.2 | |
| - drop patch for RT#7836, fixed in 1.12.2 | |
| - drop patch for RT#7858, fixed in 1.12.2 | |
| - drop patch for RT#7924, fixed in 1.12.2 | |
| - drop patch for RT#7926, fixed in 1.12.2 | |
| - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 | |
| - drop patch for CVE-2014-4343, included in 1.12.2 | |
| - drop patch for CVE-2014-4344, included in 1.12.2 | |
| - drop patch for CVE-2014-4345, included in 1.12.2 | |
| - replace older proposed changes for ksu with backports of the changes | |
| after review and merging upstream (#1015559, #1026099, #1118347) | |
| - fixup URL in a comment | |
| - when built with NSS, require 3.12.10 rather than 3.12.9 | |
| - started changelog (previous package from zedz.net) | |
| - updated existing 1.0.5 RPM from Eos Linux to krb5 1.0.6 | |
| - added --force to makeinfo commands to skip errors during build | |
| - try to merge and clean up all the large file support for ftp and rcp | |
| - ftpd no longer prints a negative length when sending a large file | |
| from a 32-bit host | |
| - prefer the kdc which last replied to a request when sending requests to kdcs | |
| - Use responder for non-preauth AS requests | |
| - Resolves: #1370622 | |
| - Set error message on KCM get_princ failure | |
| - apply patch from MITKRB5-SA-2004-001 (#125001) | |
| - Fix KDC null deref on TGS inner body null server (CVE-2021-37750) | |
| - Resolves: #1997601 | |
| - removed rpath | |
| - CVE-2024-37370 CVE-2024-37371 | |
| Fix vulnerabilities in GSS message token handling | |
| Resolves: RHEL-45398 RHEL-45386 | |
| - update to 1.3.6, which includes the previous fix | |
| - add missing dependency on newer keyutils-libs (#1012034) | |
| - pass some structures by address instead of on the stack in krb5kdc | |
| - libgssapi_krb5: properly export the acceptor subkey when creating a lucid | |
| context (Kevin Coffman, via the nfs4 mailing list) | |
| - fix bug ID in changelog | |
| - Bump release number | |
| - Fix formatting typo in kinit.1 (krb5-kinit-man-typo.patch) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update otp backport patches (libk5radius => libkrad) | |
| - if we successfully change the user's password during an attempt to get | |
| initial credentials, but then fail to get initial creds from a non-master | |
| using the new password, retry against the master (#432334) | |
| - create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user, | |
| since that's what the libraries actually look for | |
| - add buildrequires on nss-myhostname, in an attempt to get more of the tests | |
| to run properly during builds | |
| - pull in Simo's patch to recognize "client_keytab" as a key type which can | |
| be passed in to gss_acquire_cred_from() (RT#7598) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175) | |
| (#157104) | |
| - apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755) | |
| - kadmind.init: drop the attempt to detect no-database-present errors (#723723), | |
| which is too fragile in cases where the database has been manually moved or | |
| is accessed through another kdb plugin | |
| - backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) | |
| - Fix integer overflows in PAC parsing (CVE-2022-42898) | |
| - Resolves: rhbz#2140968 | |
| - update to 1.4.3 | |
| - make ksu setuid again (#137934, others) | |
| - Gain FIPS awareness | |
| - Resolves: #1660222 | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pull up fix for upstream #6745, in which the gssapi library would add the | |
| wrong error table but subsequently attempt to unload the right one | |
| - use gcc to build shared libraries | |
| - update to 1.11.3 | |
| - drop patch for RT#7605, fixed in this release | |
| - drop patch for CVE-2002-2443, fixed in this release | |
| - drop patch for RT#7369, fixed in this release | |
| - pull upstream fix for breaking t_skew.py by adding the patch for #961221 | |
| - Restore accidentally dropped patch | |
| - Resolves: #1754690 | |
| - Actually bump kdbversion like I was supposed to | |
| - update to 1.5 | |
| - mark %{krb5prefix}/man so that files which are packaged within it are | |
| flagged as %doc (#168163) | |
| - update to 1.2.4 | |
| - patch around TIOCGTLC defined on alpha and remove warnings from libpty.h | |
| - add installation of info docs | |
| - remove krb4 compat patch because it doesn't fix workstation-side servers | |
| - pkinit: when verifying signed data, use the CMS APIs for better | |
| interoperability (#636985, RT#6851) | |
| - update to 1.9 beta 3 | |
| - fix trigger scriptlet's invocation of sed (#1016945) | |
| - rename krb5.sh and krb5.csh so that they don't overlap (#210623) | |
| - way-late application of added error info in kadmind.init (#65853) | |
| - pull in upstream fix to start treating a KRB5CCNAME value that begins | |
| with DIR:: the same as it would a DIR: value with just one ccache file | |
| in it (RT#7172, #965574) | |
| - pull in fix from master to make reporting of errors encountered by | |
| the SPNEGO mechanism work better (RT#7045, part of #1043962) | |
| - catch krb4 send_to_kdc cases in kdc preference patch | |
| - backport change from SVN to fix a computed-value-not-used warning in | |
| kpropd (#684065) | |
| - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) | |
| - override the default build rules to not delete temporary y.tab.c files, | |
| so that they can be packaged, allowing debuginfo files which point to them | |
| do so usefully (#729044) | |
| - backport patch to disable replay detection in krb5_verify_init_creds() | |
| while reading the AP-REQ that's generated in the same function (RT#7229) | |
| - change cleanup code in post to not tickle chkconfig | |
| - add grep as a Prereq: for -libs | |
| - drop a patch we weren't not applying (build tooling) | |
| - wrap kadmind and kpropd in scripts which check for the presence/absence | |
| of files which dictate particular exit codes before exec'ing the actual | |
| binaries, instead of trying to use ConditionPathExists in the unit files | |
| to accomplish that, so that we exit with failure properly when what we | |
| expect isn't actually in effect on the system (#800343) | |
| - Eliminate preprocessor-disabled dead code | |
| - rebuilt | |
| - Fix KDC null dereference on large TGS replies | |
| - revise previous patch to initialize one more element | |
| - move the package changelog to the end to match the usual style (jdennis) | |
| - scrub out references to $RPM_SOURCE_DIR (jdennis) | |
| - include a symlink to the readme with the name LICENSE so that people can | |
| find it more easily (jdennis) | |
| - tweak configuration files used during tests to try to reduce the number | |
| of conflicts encountered when builds for multiple arches land on the same | |
| builder | |
| - Drop DES3 from sample kdc.conf | |
| - Resolves: #1802334 | |
| - Automatically add includedir where not present | |
| - Try removing sleep statement to see if it is still needed | |
| - Resolves: #1433083 | |
| - fix a regression (not labeling a kdb database lock file correctly, #569902) | |
| - Fix dependency on binfmt.service | |
| - attempt to account for UnversionedDocdirs for the -libs subpackage | |
| - tighten up default permissions on kdc.conf and kadm5.acl (#558343) | |
| - include .so.* symlinks as well as .so.*.* | |
| - rebuild | |
| - pull in upstream patch for RT#6952, confusion following referrals for | |
| cross-realm auth (#734341) | |
| - pull in build-time deps for the tests | |
| - remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of | |
| supported keytypes in kdc.conf -- they produce exactly the same keys as | |
| rc4-hmac:normal because rc4 string-to-key ignores salts | |
| - nuke kdcrotate -- there are better ways to balance the load on KDCs, and | |
| the SELinux policy for it would have been scary-looking | |
| - update to 1.3.5, mainly to include MITKRB5SA 2004-002 and 2004-003 | |
| - cut down the number of times we load SELinux labeling configuration from | |
| a minimum of two times to actually one (more of #845125) | |
| - update to 1.9 beta 2 | |
| - remove the krb5-appl bits (the -workstation-clients and -workstation-servers | |
| subpackages) now that krb5-appl is its own package | |
| - replace our patch for #563431 (kpasswd doesn't fall back to guessing your | |
| principal name using your user name if you don't have a ccache) with the | |
| one upstream uses | |
| - broke out configuration files | |
| - Fix pkinit_anchors path | |
| - Resolves: #1661339 | |
| - actually pull up the patch for RT#7063, and not some other ticket (#773496) | |
| - temporarily back out %post changes, fix for #143289 for security update | |
| - add preliminary patch to correct unauthorized access via krb5-aware telnet | |
| - Document -k option in kvno(1) synopsis | |
| - Resolves: #1869055 | |
| - Tom Yu's patch to fix compatibility between 1.2 kadmin and 1.1.1 kadmind | |
| - pull out 6.2 options in the spec file (sonames changing in 1.2 means it's not | |
| compatible with other stuff in 6.2, so no need) | |
| - Disable dns_canonicalize_hostname. This may break some setups. | |
| - pull down patches from trunk to implement k5login_authoritative and | |
| k5login_directory settings for krb5.conf (#539423) | |
| - Set error message on KCM get_princ failure | |
| - fix an uninitialized length value which could cause a crash when parsing | |
| key data coming from a directory server | |
| - correct a typo in the krb5.conf man page ("ldap_server"->"ldap_servers") | |
| - Log preauth names in trace output | |
| - Misc bugfixes from upstream | |
| - build alpha with -O0 for now | |
| - create and own /etc/gss (#1019937) | |
| - update to 1.12.1 | |
| - drop patch for RT#7794, included now | |
| - drop patch for RT#7797, included now | |
| - drop patch for RT#7803, included now | |
| - drop patch for RT#7805, included now | |
| - drop patch for RT#7807, included now | |
| - drop patch for RT#7045, included now | |
| - drop patches for RT#7813 and RT#7815, included now | |
| - add patch to always retrieve the KDC time offsets from keyring caches, | |
| so that we don't mistakenly interpret creds as expired before their | |
| time when our clock is ahead of the KDC's (RT#7820, #1030607) | |
| - don't forget the README | |
| - handle an assertion failure that starts cropping up when the patch for | |
| using poll (#701446) meets servers that aren't running KDCs or against | |
| which the connection fails for other reasons (#727829, #734172) | |
| - start moving to 1.9 with beta 1 | |
| - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 | |
| - drop no-longer-needed backport patch for #539423 | |
| - drop no-longer-needed patch for CVE-2010-1322 | |
| - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) | |
| - pull patch from svn to undo unintentional chattiness in ftp | |
| - pull patch from svn to handle NULL krb5_get_init_creds_opt structures | |
| better in a couple of places where they're expected | |
| - add patch from Dhiru Kholia for the AES-NI implementations to allow | |
| libk5crypto to be properly marked as not needing an executable stack | |
| on arches where they're used (#1045699, and so many others) | |
| - fix a compile error in the SELinux labeling patch when -DDEBUG is used (Sumit | |
| Bose) | |
| - correct a bug in the fix for #754001 so that the file creation context is | |
| consistently reset | |
| - Fix CVE-2016-3120 | |
| - Resolves: #1361051 | |
| - Remove incorrect KDC assertion | |
| - Resolves: #1673016 | |
| - incorporate upstream patch to fix uninitialized pointer crash in the KDC's | |
| authorization data handling (CVE-2010-1322, #636335) | |
| - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 | |
| - Log when non-root ksu authorization fails | |
| - Resolves: #1575771 | |
| - set "rdns = false" in the default krb5.conf (#908323,#908324) | |
| - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196) | |
| - Resolves: #1906492 | |
| - Address some optimized-out memset() calls | |
| - Resolves: #1663503 | |
| - make krb5.conf %verify(not md5 size mtime) in addition to | |
| %config(noreplace), like /etc/nsswitch.conf (#329811) | |
| - throw in a not-applied-by-default patch to try to make pkinit debugging | |
| into a run-time boolean option named "pkinit_debug" | |
| - pull in multiple changes to allow replay caches to be added to a GSS | |
| credential store as "rcache"-type credentials (RT#7818/#7819/#7836, | |
| - add missing pam-devel build requirement, force selinux-or-fail build | |
| - Explicitly use openssl rather than builtin crypto | |
| - Resolves: #1570910 | |
| - libkrad: implement support for Message-Authenticator (CVE-2024-3596) | |
| Resolves: RHEL-50253 | |
| - Remove RSA protocol for PKINIT | |
| Resolves: RHEL-17616 | |
| - in login, allow PAM to interact with the user when they've been strongly | |
| authenticated | |
| - in login, signal PAM when we're changing an expired password that it's an | |
| expired password, so that when cracklib flags a password as being weak it's | |
| treated as an error even if we're running as root | |
| - add patches for read overflow and null pointer dereference in the | |
| implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) | |
| - add patch for attempt to free uninitialized pointer in libkrb5 | |
| (CVE-2009-0846) | |
| - add patch to fix length validation bug in libkrb5 (CVE-2009-0847) | |
| - put the krb5-user .info file into just -workstation and not also | |
| -workstation-clients | |
| - backport a fix to allow a PKINIT client to handle SignedData from a KDC | |
| that's signed with a certificate that isn't in the SignedData, but which | |
| is available as an anchor or intermediate on the client (RT#7183) | |
| - take another stab at accounting for UnversionedDocdirs for the -libs | |
| subpackage (spotted by ssorce) | |
| - switch to just the snapshot of nss_wrapper we were using, since we | |
| no longer need to carry anything that isn't in the cwrap.org repository | |
| (ssorce) | |
| - fix bug in krb5.csh which would cause the path check to always succeed | |
| - rebuild | |
| - pull up changes to allow GSSAPI modules to provide more functions | |
| (RT#7682, #986564/#986565) | |
| - add buildprereq for autoconf | |
| - adjust the patch which removes the use of rpath to also produce a | |
| krb5-config which is okay in multilib environments (#190118) | |
| - make the name-of-the-tempfile comment which compile_et adds to error code | |
| headers always list the same file to avoid conflicts on multilib installations | |
| - strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes | |
| - strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on multilib | |
| boxes | |
| - drop netdb patch | |
| - kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that | |
| the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora, | |
| Netscape, Red Hat Directory Server (Simo Sorce) | |
| - Ensure we can build with the new CFLAGS | |
| - Remove the git versioning in patches | |
| - gssapi: pull in proposed fix for a double free in initiators (David | |
| Woodhouse, CVE-2014-4343, #1117963) | |
| - enable patch for key-expiration reporting | |
| - enable patch to make kpasswd fall back to TCP if UDP fails (#251206) | |
| - enable patch to make kpasswd use the right sequence number on retransmit | |
| - enable patch to allow mech-specific creds delegated under spnego to be found | |
| when searching for creds | |
| - pull up latest revision of patch to reduce lockups in rsh/rshd | |
| - Turn OFD locks back on with glibc workaround | |
| - Resolves: #1274922 | |
| - Backport fix of memory use after free during libkrad cleanup | |
| - Backport support for larger RADIUS attributes in libkrad | |
| - Resolves: rhbz#2103125 | |
| - New upstream prerelease (1.16-beta1) | |
| - put the conditional back for the -devel subpackage | |
| - back down to the earlier version of the patch for #551764; the backported | |
| alternate version was incomplete | |
| - update to 1.11 alpha 1 | |
| - drop backported patch for RT #7406 | |
| - drop backported patch for RT #7407 | |
| - drop backported patch for RT #7408 | |
| - the new docs system generates PDFs, so stop including them as sources | |
| - drop backported patch to allow deltat.y to build with the usual | |
| warning flags and the current gcc | |
| - drop backported fix for disabling use of a replay cache when verifying | |
| initial credentials | |
| - drop backported fix for teaching PKINIT clients which trust the KDC's | |
| certificate directly to verify signed-data messages that are signed with | |
| the KDC's certificate, when the blobs don't include a copy of the KDC's | |
| certificate | |
| - drop backported patches to make keytab-based authentication attempts | |
| work better when the client tells the KDC that it supports a particular | |
| cipher, but doesn't have a key for it in the keytab | |
| - drop backported fix for avoiding spurious clock skew when a TGT is | |
| decrypted long after the KDC sent it to the client which decrypts it | |
| - move the cross-referenced HTML docs into the -libs package to avoid | |
| broken internal links | |
| - drop patches to fixup paths in man pages, shouldn't be needed any more | |
| - build even libdb.a with -fPIC and $RPM_OPT_FLAGS. | |
| - add bison as a BuildPrereq (#20091) | |
| - rebuild | |
| - incorporate Simo's updated backport of his updated persistent-keyring changes | |
| (more of #991148) | |
| - Fix custom build with -DDEBUG | |
| - added -lncurses to telnet and telnetd makefiles | |
| - update to 1.2.6 | |
| - New upstream release | |
| - Update selinux with RHEL hygiene | |
| - Resolves: #1314096 | |
| - fix combination of --with-netlib and --enable-dns (#82176) | |
| - apply upstream patch to fix a null pointer dereference when processing | |
| TGS requests (CVE-2011-1530, #753748) | |
| - use %{_lib} for the sake of multilib systems | |
| - tell krb5kdc and kadmind to create pid files, since they can | |
| - add logrotate configuration files for krb5kdc and kadmind (#462658) | |
| - fix parsing of the pidfile option in the KDC (upstream #6750) | |
| - fix credential forwarding problem in klogind (goof in KRB5CCNAME handling) | |
| (#11588) | |
| - fix heap corruption bug in FTP client (#14301) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix reading of keyUsage extensions when attempting to select pkinit client | |
| certs (part of #629022, RT#6775) | |
| - fix selection of pkinit client certs when one or more don't include a | |
| subjectAltName extension (part of #629022, RT#6774) | |
| - update to 1.10 final | |
| - correctly use stdargs | |
| - Add send/receive sendto_kdc hooks and corresponding tests | |
| - Resolves: #1321135 | |
| - add in glue code to make sure that libkrb5 continues to provide a | |
| weak copy of stat() | |
| - Make krb5kdc -p affect TCP ports | |
| - fix license handling | |
| - specify dependencies on the same arch of krb5-libs by using the %{?_isa} | |
| suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155) | |
| - Switch to using autosetup macro. | |
| - Patches come from git, so it is easiest to just make a git repo | |
| - Add build dependency on gcc | |
| - check more thoroughly for errors when resolving KEYRING ccache names of type | |
| "persistent", which should only have a numeric UID as the next part of the | |
| name (#1029110) | |
| - Skip test suite on ppc64el | |
| - Related-to: #1464381 | |
| - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer | |
| when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, | |
| - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when | |
| high-numbered descriptors are used (CVE-2008-0947, #433596) | |
| - add backport bug fix for an attempt to free non-heap memory in | |
| libgssapi_krb5 (CVE-2007-5901, #415321) | |
| - add backport bug fix for a double-free in out-of-memory situations in | |
| libgssapi_krb5 (CVE-2007-5971, #415351) | |
| - move the compiled-in default ccache location from the previous default of | |
| FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588) | |
| - fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials | |
| - Add support for start_realm cache config | |
| - Resolves: #1901195 | |
| - apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02) | |
| - Support PAC with KDC extended signature and without ticket signature | |
| - Resolves: rhbz#2169477 | |
| - Pass gss_localname() through SPNEGO | |
| - Resolves: #1802334 | |
| - add patch to support "ANY" keytab type (i.e., | |
| "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" | |
| patch from Gerald Britton, #42551) | |
| - build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697) | |
| - patch ftpd to use long long and %lld format specifiers to support the SIZE | |
| command on large files (also #30697) | |
| - don't use LOG_AUTH as an option value when calling openlog() in ksu (#45965) | |
| - implement reload in krb5kdc and kadmind init scripts (#41911) | |
| - lose the krb5server init script (not using it any more) | |
| - gssapi: pull in upstream fix for a possible NULL dereference | |
| in spnego (CVE-2014-4344) | |
| - remove libdefault ticket_lifetime option from the default krb5.conf, it is | |
| ignored by libkrb5 | |
| - update to 1.11 release | |
| - suppress warnings of impending password expiration if expiration is more than | |
| seven days away when the KDC reports it via the last-req field, just as we | |
| already do when it reports expiration via the key-expiration field (#556495) | |
| - link with libtinfo rather than libncurses, when we can, in future RHEL | |
| - reintroduce ld.so.conf munging in the -libs %post | |
| - ksu: move session management calls to before we drop privileges, like | |
| su does (#596887), and don't skip the PAM account check for root or the | |
| same user (more of #540769) | |
| - Update tmpfiles dropin to use /run instead of /var/run | |
| - Resolves: #1945679 | |
| - only remove old krb5server init script links if the init script is there | |
| - disable kshell and eklogin by default | |
| - update to 1.3.1 | |
| - Continue after KRB5_CC_END in KCM cache iteration | |
| - update to 1.4.1, incorporating fixes for CAN-2005-0468 and CAN-2005-0469 | |
| - when starting the KDC or kadmind, if KRB5REALM is set via the /etc/sysconfig | |
| file for the service, pass it as an argument for the -r flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Convert Python tests to Python 3 | |
| - make krb5-libs obsolete the old krb5-configs package (#18351) | |
| - don't quit from the kpropd init script if there's no principal database so | |
| that you can propagate the first time without running kpropd manually | |
| - don't complain if /etc/ld.so.conf doesn't exist in the -libs %post | |
| - change back dns_lookup_kdc to the default setting (Stef Walter, #805318) | |
| - comment out example.com examples in default krb5.conf (Stef Walter, #805320) | |
| - update to 1.9 final | |
| - Fix leak of default credentials in gss_inquire_cred() | |
| Resolves: RHEL-32258 | |
| - move condrestarts to postun | |
| - make xinetd configs noreplace | |
| - add descriptions to xinetd configs | |
| - add /etc/init.d as a prereq for the -server package | |
| - patch to properly truncate $TERM in krlogind | |
| - update to 1.11 beta 2 | |
| - move the default acl_file, dict_file, and admin_keytab settings to | |
| the part of the default/example kdc.conf where they'll actually have | |
| an effect (#236417) | |
| - New upstream release | |
| - pull fix for non-compliant encoding of salt field in etype-info2 preauth | |
| data from 1.3.1 beta 1, until 1.3.1 is released. | |
| - Make docs build python3-compatible | |
| - Resolves: #1590928 | |
| - when removing -workstation, remove our files from the info index while | |
| the file is still there, in %preun, rather than %postun, and use the | |
| compressed file's name (#801035) | |
| - add and own %{_libdir}/krb5/plugins/authdata | |
| - patch to handle truncated dns responses | |
| - ksu: move account management checks to before we drop privileges, like | |
| su does (#540769) | |
| - selinux: set the user part of file creation contexts to match the current | |
| context instead of what we looked up | |
| - configure with --enable-dns-for-realm instead of --enable-dns, which isn't | |
| recognized any more | |
| - remove hesiod dependency at build-time | |
| - New upstream version (1.17) | |
| - Resolves: #1645594 | |
| - rebuild with OpenSSL 1.1.0, added backported upstream patch | |
| - add upstream patch to fix freeing an uninitialized pointer and dereferencing | |
| another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 | |
| and CVE-2012-1015, #844779 and #844777) | |
| - fix a thinko in whether or not we mess around with devel .so symlinks on | |
| systems without a separate /usr (sbose) | |
| - use portreserve correctly -- portrelease takes the basename of the file | |
| whose entries should be released, so we need three files, not one | |
| - update to 1.11.4 | |
| - drop patch for RT#7650, obsoleted | |
| - drop patch for RT#7706, obsoleted as RT#7723 | |
| - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 | |
| - update to 1.6.2 | |
| - add "buildrequires: texinfo-tex" to get texi2pdf | |
| - Update otp patches | |
| - Merge otp patches into a single patch | |
| - Add keycheck patch | |
| - fix telnet client environment variable disclosure the same way NetKit's | |
| telnet client did (CAN-2005-0488) (#159305) | |
| - keep apps which call krb5_principal_compare() or krb5_realm_compare() with | |
| malformed or NULL principal structures from crashing outright (Thomas Biege) | |
| (#161475) | |
| - add patch for buffer overflow in kadmind4 (not used by default) | |
| - make proper use of pam_loginuid and pam_selinux in rshd and ftpd | |
| - rebuild to compress man pages. | |
| - Match Heimdal behavior for channel bindings | |
| - Code hygiene + test stability fix included | |
| - Resolves: #1840518 | |
| - incorporate Simo's backport of his persistent-keyring changes (#991148) | |
| - restore build-time default DEFCCNAME on Fedora 21 and later and EL, and | |
| instead set default_ccache_name in the default krb5.conf's [libdefaults] | |
| section (#991148) | |
| - on releases where we expect krb5.conf to be configured with a | |
| default_ccache_name, add it whenever we upgrade from an older version of | |
| the package that wouldn't have included it in its default configuration | |
| file (#991148) | |
| - fix indexing error in server sorting patch (#127336) | |
| - Allow to make AD-SIGNEDPATH optional | |
| Resolves: RHEL-10514 | |
| - Bump 1%{?dist} to 2%{?dist} to workaround RPM sort issue | |
| which would lead yum updates to treat the last alpha as newer | |
| than the final version. | |
| - added krb5.csh and krb5.sh to /etc/profile.d | |
| - update to 1.2.7 | |
| - disable use of tcl | |
| - increase the maximum name length allowed by kuserok() to the higher value | |
| used in development versions | |
| - New upstream version 1.14.3 | |
| - fix a null pointer dereference and crash introduced in our PAM patch that | |
| would happen if ftpd was given the name of a user who wasn't known to the | |
| local system, limited to being triggerable by gssapi-authenticated clients by | |
| the default xinetd config (Olivier Fourdan, #569472) | |
| - run kadmin.local correctly at startup | |
| - don't let comments intended for one scriptlet become part of the "script" | |
| that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675) | |
| - add upstream patch for integer underflow during AES and RC4 decryption | |
| (CVE-2009-4212), via Tom Yu (#545015) | |
| - fix pid path in krb5kdc.service | |
| - update backport of the preauth module interface | |
| - extend PAM support to ksu: perform account and session management for the | |
| target user | |
| - pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware | |
| network-facing services | |
| - when testing the RPC library, treat denials from the local portmapper the | |
| same as a portmapper-not-running situation, to allow other library tests | |
| to be run while building the package | |
| - Switch to %ldconfig_scriptlets | |
| - fix the kpropd init script | |
| - Fix a leak in the previous commit | |
| - Restore dist macro that was accidentally removed | |
| - Resolves: #1540939 | |
| - Enable building with bad system /etc/krb5.conf | |
| - reintroduce missing %postun for the non-split_workstation case | |
| - rebuild to pick up the current forms of various patches | |
| - fix a typo in kerberos.ldif | |
| - remove patch to set TERM in klogind which, combined with the upstream fix in | |
| 1.3.1, actually produces the bug now (#114762) | |
| - only apply the patch to autocreate /run/user/0 when we're hard-wiring the | |
| default ccache location to be under it; otherwise it's unnecessary | |
| - add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653) | |
| - change Requires: for/in subpackages to include %{version} | |
| - apply the fix for CVE-2007-4000 instead of the experimental patch for | |
| setting ok-as-delegate flags | |
| - override INSTALL_SETUID at build-time so that ksu is installed into | |
| the buildroot with the right permissions (part of #225974) | |
| - add man pages for kerberos(1), kvno(1), .k5login(5) | |
| - add kvno to -workstation | |
| - move man pages that live in the -libs subpackage into the regular | |
| %{_mandir} tree where they'll still be found if that package is the | |
| only one installed (#529319) | |
| - Separate out the kadm5 libs | |
| - rebuild in new environment | |
| - reenable statglue | |
| - New upstream version (1.18.1) | |
| - Resolves: #1802334 | |
| - Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) | |
| - move to using pregenerated PDF docs to cure multilib conflicts (#222721) | |
| - bump release number and rebuild | |
| - switch buildrequires: and requires: on e2fsprogs-devel into | |
| buildrequires: and requires: on libss-devel, libcom_err-devel, per | |
| sandeen on fedora-devel-list | |
| - don't discard the error code from an error message received in response | |
| to a change-password request (#658871, RT#6893) | |
| - install src/krb524/README as README.krb524 in the -servers package, | |
| includes information about converting for AFS principals | |
| - update a test wrapper to properly handle things that the new libkrad does, | |
| and add python-pyrad as a build requirement so that we can run its tests | |
| - pull in patch for RT#7046: tag a ccache containing credentials obtained via | |
| S4U2Proxy with the principal name of the proxying principal (part of #761317) | |
| so that the default principal name can be set to that of the client for which | |
| it is proxying, which results in the ccache looking more normal to consumers | |
| of the ccache that don't care that there's proxying going on | |
| - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached | |
| (more of #761317) | |
| - pull in patch for RT#7048: allow PAC verification to only bother trying to | |
| verify the signature with keys that it's given (still more of #761317) | |
| - fix comments in krb5-configs | |
| - Add German translation | |
| - Up-port a bunch of stuff from the el-7.3 cycle | |
| - Resolves: #1255450, #1314989 | |
| - update to 1.3.4 final | |
| - Include more test suite changes from upstream | |
| - Resolves: #1464381 | |
| - rebuild in new environment | |
| - prebuild PDF docs to reduce multilib differences (internal tooling, #884065) | |
| - drop the kerberos-iv portreserve file, and drop the rest on systemd systems | |
| - escape uses of macros in comments (more of #884065) | |
| - update to 1.3.3 | |
| - rebuild | |
| - also perform PAM session and credential management when ftpd accepts a | |
| client using strong authentication, missed earlier | |
| - also label kadmind log files and files created by the db2 plugin | |
| - Fix problem with ccache_name logic in previous build | |
| - tweak graceful start/stop logic in post and preun | |
| - Add kprop service env config file | |
| - simplify the man pages patch by only preprocessing the files we care about | |
| and moving shared configure.in logic into a shared function | |
| - catch the case of ftpd printing file sizes using %i, when they might be | |
| bigger than an int now | |
| - pull the newer F21 defaults back to F20 (sgallagh) | |
| - bump again for double-long bug on ppc(64) | |
| - pull in fix for building against tcl 8.6 (#1107061) | |
| - update to latest patch kit for MITKRB5-SA-2003-004 | |
| - rebuild | |
| - add patch from Tom Yu for exploitable bugs in rpc code used in kadmind | |
| - install kadmin header files | |
| - Add upstream lookaside cache behavior fix (RT#7082) | |
| - Patch CVE-2015-2698 | |
| - Start using crypto-policies | |
| - Move krb5-kdb-version provides from -libs to -devel | |
| - pull in keyutils as a build requirement to get the "KEYRING:" ccache type, | |
| because we've merged | |
| - update to 1.3.2 | |
| - Save other programs from worrying about CVE-2017-11462 | |
| - Resolves: #1488873 | |
| - Resolves: #1488874 | |
| - switch to the upstream patch for #707145 | |
| - switch to the simplified version of the patch for #1029110 (RT#7764) | |
| - ftp: use the correct local filename during mget when the 'case' option is | |
| enabled (#442713) | |
| - Ensure pwsize is initialized in chpass_util.c | |
| - use PICFLAGS when building code from the ktany patch | |
| - don't bail from the KDC init script if there's no database, it may be in | |
| a different location than the default (fenlason) | |
| - remove the [kdc] section from the default krb5.conf -- doesn't seem to have | |
| been applicable for a while | |
| - pull in patch from master to move the default directory which the KDC uses | |
| when computing the socket path for a local OTP daemon from the database | |
| directory (/var/kerberos/krb5kdc) to the newly-added run directory | |
| (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more | |
| of #1040056 as #1063905) | |
| - add a tmpfiles.d configuration file to have /run/krb5kdc created at | |
| boot-time | |
| - own /var/run/krb5kdc | |
| - add missing shebang headers to krsh and krlogin wrapper scripts (#209238) | |
| - libgssapi: pull in patch from svn to stop returning context-expired errors | |
| when the ticket which was used to set up the context expires (#605366, | |
| upstream #6739) | |
| - pull in changes from upstream which add processing of the contents of | |
| /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) | |
| - update to 1.8 | |
| - temporarily bundling the krb5-appl package (split upstream as of 1.8) | |
| until its package review is complete | |
| - profile.d scriptlets are now only needed by -workstation-clients | |
| - adjust paths in init scripts | |
| - drop upstreamed fix for KDC denial of service (CVE-2010-0283) | |
| - drop patch to check the user's password correctly using crypt(), which | |
| isn't a code path we hit when we're using PAM | |
| - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part | |
| of #819115) | |
| - rebase to master | |
| - update to beta1 | |
| - drop obsolete backport of fix for RT#7706 | |
| - rebuild | |
| - Remove duplication between subpackages | |
| - Resolves: #1250228 | |
| - fix deadlock during file transfer via rsync/krsh | |
| - thanks goes to James Antill for hint | |
| - Add krb5_db_register_keytab | |
| - Resolves: #1376812 | |
| - Fix capaths "." values on client | |
| - Resolves: 1551099 | |
| - Upstream release. No actual change from beta, just version bump | |
| - Clean up unused parts of spec file | |
| - Add fix for RedHat Bug #1164304 ("Upstream unit tests loads | |
| the installed shared libraries instead the ones from the build") | |
| - login: don't truncate passwords before passing them into crypt(), in | |
| case they're significant (#149476) | |
| - Add support to query the SSF of a context | |
| - Pick up rename of perl dependency | |
| - drop a hunk from the dnsparse patch which is actually redundant (thanks to | |
| Tom Yu) | |
| - fix double-close in keytab handling | |
| - add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612) | |
| - back out setting default_ccache_name to the new default for now, resetting | |
| it to the old default while the kernel/keyutils bits get sorted (sgallagh) | |
| - rebuild | |
| - incorporate upstream patch for remote crash of KDCs which serve multiple | |
| realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, | |
| - Add SPAKE support | |
| - Improve protections on internal sensitive buffers | |
| - Improve internal hex encoding/decoding | |
| - Fix k5test prompts for Python 3 | |
| - make use of install-info more failsafe (Ville Skyttä, #223704) | |
| - preserve timestamps on shell scriptlets at %install-time | |
| - Backport fix for change password requests when using FAST (RT#7868) | |
| - Make klogind pass a clean environment to children, like NetKit's rlogind does. | |
| - on EL6, conflict with libsmbclient before 3.5.10-124, which is when it | |
| stopped linking with a symbol which we no longer export (#771687) | |
| - pull up patch for RT#7063, in which not noticing a prompt for a long | |
| time throws the client library's idea of the time difference between it | |
| and the KDC really far out of whack (#773496) | |
| - add a backport of more patches to set the client's list of supported enctypes | |
| when using a keytab to be the list of types of keys in the keytab, plus the | |
| list of other types the client supports but for which it doesn't have keys, | |
| in that order, so that KDCs have a better chance of being able to issue | |
| tickets with session keys of types that the client can use (#837855) | |
| - use portreserve to make sure the KDC can always bind to the kerberos-iv | |
| port, kpropd can always bind to the krb5_prop port, and that kadmind can | |
| always bind to the kerberos-adm port (#555279) | |
| - correct inadvertent use of macros in the changelog (rpmlint) | |
| - update backport of the preauth module interface | |
| - add proposed patches 4566, 4567 | |
| - add proposed edata reporting interface for KDC | |
| - add temporary placeholder for module global context fixes | |
| - Unify kvno option documentation | |
| - Resolves: #1869055 | |
| - Don't enable the server by default. | |
| - Compress info pages. | |
| - Add defaults for the PAM module to krb5.conf | |
| - rebuild properly when pthread_mutexattr_setrobust_np() is defined but not | |
| declared, such as with recent glibc when _GNU_SOURCE isn't being used | |
| - Use SHA-256 instead of MD5 for audit ticket IDs | |
| - New upstream release - 1.16.1 | |
| - update to 1.2.7-beta2 (internal only, not for release), dropping dnsparse | |
| and kadmind4 fixes | |
| - Backport getrandom() support | |
| - Remove patch numbering | |
| - fix link flags and permissions on shared libraries (ausil) | |
| - update to 1.2.2, which fixes some bugs relating to empty ETYPE-INFO | |
| - re-enable optimization on Alpha | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - tweak statglue.c to fix stat/stat64 aliasing problems | |
| - be cleaner in use of gcc to build shlibs | |
| - rebuild | |
| - fix a logic bug in computing key expiration times (RT#6762, #627022) | |
| - Backport kdc policy plugin, but this time with dependencies | |
| - move the rather large pile of html and pdf docs to -workstation, so | |
| that just having something that links to the libraries won't drag | |
| them onto a system, and we avoid having to sort out hard-coded paths | |
| that include %{_libdir} showing up in docs in multilib packages | |
| - actually create %{_var}/kerberos/kdc/user, so that it can be packaged | |
| - correct the list of packaged man pages | |
| - don't dummy up required tex stylesheets, require them | |
| - require pdflatex and makeindex | |
| - switch to the version of persistent-keyring that was just merged to | |
| master (RT#7711), along with related changes to kinit (RT#7689) | |
| - go back to setting default_ccache_name to a KEYRING type | |
| - add patch to build semi-useful static libraries, but don't apply it unless | |
| we need them | |
| - update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 | |
| and CVE-2007-4000 (the new pkinit module is built conditionally and goes | |
| into the -pkinit-openssl package, at least for now, to make a buildreq | |
| loop with openssl avoidable) | |
| - Work around KDC client principal in referrals issue (#1259844) | |
| - pass absolute path to kadm5.keytab if/when extracting keys at startup | |
| - add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325) | |
| - kdc.conf: no more need to suggest keeping keys with v4-compatible salting | |
| - kadmin.service: fix #723723 again | |
| - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command | |
| lines, because systemd parsing doesn't handle alternate value shell variable | |
| syntax | |
| - kprop.service: add missing Type=forking so that systemd doesn't assume simple | |
| - kprop.service: expect the ACL configuration to be there, not absent | |
| - handle a harder-to-trigger assertion failure that starts cropping up when we | |
| exit the transmit loop on time (#739853) | |
| - update backport of the preauth module interface (part of #194654) | |
| - rebuild | |
| - don't forget to set the SELinux label when creating the directory for | |
| a DIR: ccache | |
| - pull in proposed fix for attempts to get initial creds, which end up | |
| following referrals, incorrectly trying to always use master KDCs if | |
| they talked to a master at any point (should fix RT#7650) | |
| - Hammer refresh around transient rawhide issue | |
| - special-case /run/user/0, attempting to create it when resolving a | |
| directory cache below it fails due to ENOENT and we find that it doesn't | |
| already exist, either, before attempting to create the directory cache | |
| (maybe helping, maybe just making things more confusing for #961235) | |
| - fix a version comparison to expect newer texlive build requirements when | |
| %{_rhel} > 6 rather than when it's > 7 | |
| - apply upstream patch to fix a null pointer dereference with the LDAP kdb | |
| backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb | |
| backends (CVE-2011-1528), and a null pointer dereference with multiple kdb | |
| backends (CVE-2011-1529) (#737711) | |
| - turn off krb4 support (it won't be part of the 1.7 release, but do it now) | |
| - use triggeruns to properly shut down and disable krb524d when -server and | |
| -workstation-servers gets upgraded, because it's gone now | |
| - move the libraries to /%{_lib}, but leave --libdir alone so that plugins | |
| get installed and are searched for in the same locations (#473333) | |
| - clean up buildprereq/prereqs, explicit mktemp requires, and add the | |
| ldconfig for the -server-ldap subpackage (part of #225974) | |
| - escape possible macros in the changelog (part of #225974) | |
| - fixup summary texts (part of #225974) | |
| - take the execute bit off of the protocol docs (part of #225974) | |
| - unflag init scripts as configuration files (part of #225974) | |
| - make the kpropd init script treat 'reload' as 'restart' (part of #225974) | |
| - switch to the upstream patch for #727829 | |
| - Update includedir processing to match upstream | |
| - New upstream beta version | |
| - klist: don't trip over referral entries when invoked with -s (#707145, | |
| RT#6915) | |
| - krb5_get_init_creds_password: check opte->flags instead of options->flags | |
| when checking whether or not we get to use the prompter callback (#555875) | |
| - add upstream patch for KDC crash during referral processing (CVE-2009-3295), | |
| via Tom Yu (#545002) | |
| - update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and | |
| MIT-KRB5-SA-2005-003 | |
| - re-enable large file support, fell out in 1.3-1 | |
| - patch rcp to use long long and %lld format specifiers when reporting file | |
| sizes on large files | |
| - backport fix for not being able to verify the list of transited realms | |
| in GSS acceptors (RT#7639, #959685) | |
| - backport fix for not being able to pass an empty password to the | |
| get-init-creds APIs and have them actually use it (RT#7642, #960001) | |
| - add backported proposed fix to use the unauthenticated server time | |
| as the basis for computing the requested credential expiration times, | |
| rather than the client's idea of the current time, which could be | |
| significantly incorrect (#961221) | |
| - fix segfault in telnet due to incorrect checking of gethostbyname_r result | |
| codes (#129059) | |
| - Omit KDC indicator check for S4U2Self requests | |
| - Resolves: #1802334 | |
| - add backport of in-development preauth module interface (#208643) | |
| - New upstream release | |
| - Add flag to disable encrypted timestamp on client | |
| - Replace _kadmin/_kprop with systemd macros | |
| - Remove traces of upstart from fedora package per policy | |
| - Resolves: #1290185 | |
| - Fix leak in KERB_AP_OPTIONS_CBT server support | |
| - Resolves: #1860831 | |
| - Fix KDC return code and set prompt types for OTP client preauth | |
| - Resolves: #1370072 | |
| - back out buildrequires: keyutils-libs-devel for now | |
| - Fix memory leak in GSSAPI interface | |
| Resolves: RHEL-27250 | |
| - Fix memory leak in PMAP RPC interface | |
| Resolves: RHEL-27244 | |
| - Make TCP waiting time configurable | |
| Resolves: RHEL-17131 | |
| - rebuild | |
| - Backport interposer fix (#1284985) | |
| - Drop workaround pwsize initialization patch (gcc has been fixed) | |
| - apply upstream patch by way of Burt Holzman to fall back to a non-referral | |
| method in cases where we might be derailed by a KDC that rejects the | |
| canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074) | |
| - Fix RC4 blocking in FIPS mode | |
| - Resolves: #1660222 | |
| - rebuild | |
| - own the directories which are created for each package (#26342) | |
| - Update backports of certauth and corresponding test | |
| - rework file labeling patch to not depend on fragile preprocessor trickery, | |
| in another attempt at fixing #428355 and friends | |
| - provide docs in PDF format instead of as tex source (Enrico Scholz, #209943) | |
| - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating | |
| using the old protocol over IPv4 again (RT#6920) | |
| - update to 1.8.2 | |
| - drop patches for CVE-2010-1320, CVE-2010-1321 | |
| - Bump release + rebuild. | |
| - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared | |
| libraries | |
| - and put it back in | |
| - drop patch to add additional access() checks to ksu - they add to breakage | |
| when non-FILE: caches are in use (#1026099), shouldn't be resulting in any | |
| benefit, and clash with proposed changes to fix its cache handling | |
| - Fix upstream URLs in spec file | |
| - Resolves: #1868039 | |
| - Fix flaws in LDAP DN checking | |
| - CVE-2018-5729, CVE-2018-5730 | |
| - Ignore bad enctypes in krb5_string_to_keysalts() | |
| - Resolves: #1858322 | |
| - update to 1.7 | |
| - no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS | |
| - configure recognizes --enable/--disable-pkinit now | |
| - configure can take --disable-rpath now | |
| - no more libdes425, krb524d, krb425.info | |
| - kadmin/k5srvutil/ktutil are user commands now | |
| - new kproplog | |
| - FAST encrypted-challenge plugin is new | |
| - drop static build logic | |
| - drop pam_krb5-specific configuration from the default krb5.conf | |
| - drop only-use-v5 flags being passed to various things started by xinetd | |
| - put %{krb5prefix}/sbin in everyone's path, too (#504525) | |
| - add patch based on one from Filip Krska to not call poll() with a negative | |
| timeout when the caller's intent is for us to just stop calling it (#838548) | |
| - fix for CVE-2015-2694 (#1216133) "requires_preauth bypass | |
| in PKINIT-enabled KDC". | |
| In MIT krb5 1.12 and later, when the KDC is configured with | |
| PKINIT support, an unauthenticated remote attacker can | |
| bypass the requires_preauth flag on a client principal and | |
| obtain a ciphertext encrypted in the principal's long-term | |
| key. This ciphertext could be used to conduct an off-line | |
| dictionary attack against the user's password. | |
| - Prevent overflow when calculating ulog block size (CVE-2025-24528) | |
| Resolves: RHEL-78248 | |
| - kdb5_util: fix DB entry flags on modification | |
| Resolves: RHEL-56060 | |
| - Do not block HMAC-MD4/5 in FIPS mode | |
| Resolves: RHEL-86786 | |
| - Don't issue RC4 session keys by default (CVE-2025-3576) | |
| Resolves: RHEL-88049 | |
| - Add PKINIT paChecksum2 from MS-PKCA v20230920 | |
| Resolves: RHEL-82648 | |
| - pull up fix for not calling a kdb plugin's check-transited-path | |
| method before calling the library's default version, which only knows | |
| how to read what's in the configuration file (RT#7709, #1013664) | |
| - fix conditional for future RHEL | |
| - rebuild | |
| - apply second set of buffer overflow fixes from Tom Yu | |
| - fix from Dirk Husung for a bug in buffer cleanups in the test suite | |
| - work around possibly broken rev binary in running test suite | |
| - move default realm configs from /var/kerberos to %{_var}/kerberos | |
| - Adjust dependency on crypto-policies to be just the file we want | |
| - Patch courtesy of lslebodn | |
| - Resolves: #1308984 | |
| - pull in fix for denial of service by injection of malformed GSSAPI tokens | |
| (CVE-2014-4341, CVE-2014-4342, #1116181) | |
| - pam_rhosts_auth.so's been gone, use pam_rhosts.so instead | |
| - fix bug in patch to make rlogind start login with a clean environment a la | |
| netkit rlogin, spotted and fixed by Scott McClung | |
| - apply kpasswd bug fixes from David Wragg | |
| - fix for potentially gzipped man pages | |
| - Fix incorrect recv() size calculation in libkrad | |
| - label all files at creation-time according to the SELinux policy (#228157) | |
| - pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() | |
| during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or | |
| not to ask for an IPv6 address based on the set of configured interfaces | |
| (#717378, RT#6922) | |
| - pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) | |
| - kadmind: add upstream patch to fix free() on an invalid pointer (#696343, | |
| MITKRB5-SA-2011-004, CVE-2011-0285) | |
| - Fix krb5kdf support and add proper openssl version requirements | |
| - Resolves: #1754690 | |
| - drop not-needed-since-1.8 build dependency on rsh (ssorce) | |
| - add deadlock patch, removed old patch | |
| - when iterating over lists of interfaces which are "up" from getifaddrs(), | |
| skip over those which have no address (#113347) | |
| - Fix FTBFS by no longer working around bug in nss_wrapper | |
| - add patch to document the reject-bad-transited option in kdc.conf | |
| - New upstream release - 1.15.1 | |
| - Fix source URLs in spec file | |
| - Resolves: #1755959 | |
| - tweak server init script to automatically extract kadm5 keys if | |
| /var/kerberos/krb5kdc/kadm5.keytab doesn't exist yet | |
| - adjust package descriptions | |
| - pull up fix for importing previously-exported credential caches in the | |
| gssapi library (RT# 7706, #1019420) | |
| - kpropd hasn't bothered with -S since 1.11; stop trying to use that flag | |
| in the systemd unit file | |
| - rebuild | |
| - fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when | |
| randomizing the keys for a service principal" | |
| - Remove outdated note in krb5kdc man page | |
| - convert to systemd | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456) | |
| - apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456) | |
| - Backport fix for GSSAPI fallback realm | |
| - revert that last change for a bit while sorting out execstack when we | |
| use AES-NI (#1045699) | |
| - some init script cleanups | |
| - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502) | |
| - krb524: don't barf on missing database if it looks like we're using kldap, | |
| same as for kadmin | |
| - return non-zero status for missing files which cause startup to | |
| fail (#242502) | |
| - incorporate revised fixes from Tom Yu for CAN-2004-0642, CAN-2004-0644, | |
| CAN-2004-0772 | |
| - Fix use of KKDCPP with SNI | |
| - Resolves: #1365027 | |
| - when building with our bundled copy of libverto, package it in with -libs | |
| rather than with -server (#886049) | |
| - Add libverto-devel requires for krb5-devel | |
| - Add otp support | |
| - make PAM support for ksu also set PAM_RUSER | |
| - Fix leaks in gss_inquire_cred_by_oid() | |
| - update to 1.8.3 | |
| - drop backports of fixes for gss context expiration and error table | |
| registration/deregistration mismatch | |
| - drop patch for upstream #6750 | |
| - pull up patch to get the client libraries to correctly perform password | |
| changes over IPv6 (Sumit Bose, RT#6661) | |
| - spnego: pull in patch from master to restore preserving the OID of the | |
| mechanism the initiator requested when we have multiple OIDs for the same | |
| mechanism, so that we reply using the same mechanism OID and the initiator | |
| doesn't get confused (#1066000, RT#7858) | |
| - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and | |
| make it public (#745533) | |
| - fix info page insertions | |
| - Add pkinit_anchors default value to krb5.conf | |
| - Reindent krb5.conf to not be terrible | |
| - Use "new" systemd macros for service handling. (Thanks vpavlin!) | |
| - Resolves: #850399 | |
| - Backport fix for chrome crash in spnego_gss_inquire_context | |
| - Resolves: #1295893 | |
| - remove setuid bit on v4rcp and ksu in case the checks previously added | |
| don't close all of the problems in ksu | |
| - apply patches from Jeffrey Schiller to fix overruns Chris Evans found | |
| - reintroduce configs subpackage for use in the errata | |
| - add PreReq: sh-utils | |
| - fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy | |
| name crash" | |
| - make profile.d scriptlets mode 644 instead of 755 (part of #225974) | |
| - fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) | |
| - cover more cases in labeling files on creation | |
| - add missing gawk build dependency | |
| - build shared libraries with partial RELRO support (#723995) | |
| - filter out potentially multiple instances of -Wl,-z,relro from krb5-config | |
| output, now that it's in the buildroot's default LDFLAGS | |
| - pull in a patch to fix losing track of the replay cache FD, from SVN by | |
| way of Kevin Coffman | |
| - mark profile.d config files noreplace (Laurent Rineau, #196447) | |
| - fix krb5-send-pr (#18932) and move it from -server to -workstation | |
| - buildprereq libtermcap-devel | |
| - temporarily disable optimization on alphas | |
| - gettextize init scripts | |
| - fix config_subpackage logic | |
| - update to 1.10.2 | |
| - when building the new label for a file we're about to create, also mix | |
| in the current range, in addition to the current user | |
| - also package the PDF format admin, user, and install guides | |
| - drop some PDFs that no longer get built right | |
| - add a backport of Stef's patch to set the client's list of supported | |
| enctypes to match the types of keys that we have when we are using a | |
| keytab to try to get initial credentials, so that a KDC won't send us | |
| an AS reply that we can't encrypt (RT#2131, #748528) | |
| - don't shuffle around any shared libraries on releases with no-separate-/usr, | |
| since /usr/lib is the same place as /lib | |
| - add explicit buildrequires: on 'hostname', for the tests, on systems where | |
| it's in its own package, and require net-tools, which used to provide the | |
| command, everywhere | |
| - Explicitly look for python2 in configure.in | |
| - fixup some int/pointer varargs wackiness | |
| - add patch from Tom Yu to fix ftpd overflows (#37731) | |
| - build alpha with -O0 for now | |
| - own %{_var}/kerberos | |
| - make ksu and v4rcp owned by root | |
| - fix double-free in the kdc (patch merged into MIT tree) | |
| - include convert-config-files script as a documentation file | |
| - New upstream release - krb5-1.15.2 | |
| - Adjust patches as appropriate | |
| - apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084) | |
| - update to 1.11.1 | |
| - drop patch for noticing negative timeouts being passed to the poll() | |
| wrapper in the client transmit functions | |
| - rebuild | |
| - rebuild | |
| - Add APIs for marshalling credentials | |
| - Resolves: #1964619 | |
| - set SS_LIB at configure-time so that libss-using apps get working readline | |
| support (#197044) | |
| - handle releases where texlive packaging wasn't yet as complicated as it | |
| is in Fedora 18 | |
| - fix an uninitialized-variable error building one of the test programs | |
| - add patch from Mark Cox for exploitable bugs in ftp client | |
| - Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest | |
| - Resolves: #2066316 | |
| - Fix arch name (ppc64le, not ppc64el) | |
| - Related-to: #1464381 | |
| - include profile.d scriptlets in krb5-devel so that krb5-config will be in | |
| the path if krb5-workstation isn't installed, reported by Kir Kolyshkin | |
| - add an xinetd configuration file for encryption-only telnetd, parallelling | |
| the kshell/ekshell pair (#167535) | |
| - clean up quoting of command-line arguments passed to the krsh/krlogin | |
| wrapper scripts | |
| - Display an error message if ocsp pkinit is requested | |
| - Don't check for write access on /etc/krb5.conf if SELinux | |
| - add yasm as a build requirement for AES-NI support, on arches that have | |
| yasm and AES-NI | |
| - rebuilt | |
| - New rawhide, new upstream version | |
| - Drop CVE patches | |
| - Rename fix_interposer.patch to acquire_cred_interposer.patch | |
| - Update acquire_cred_interposer.patch to apply to new source | |
| - explicitly run the pdf generation script using sh (part of #225974) | |
| - generate src/include/krb5/krb5.h before building | |
| - fix conditional for sparcv9 | |
| - Add free hook to KDB; increments KDB version | |
| - Add KDB version flag | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - New upstream release (1.18.2) | |
| - Resolves: #1802334 | |
| - add some conditional logic to simplify building on older Fedora releases | |
| - Re-provide krb5-kdb-version in -devel as well (IPA wants it) | |
| - Resolves: #1645594 | |
| - add LSB-style init script info | |
| - TEMPORARILY disable usage of OFD locks as a workaround for x86 | |
| - update to 1.11 beta 1 | |
| - update to 1.13 alpha1 | |
| - drop upstreamed and backported patches | |
| - fix output of kprop's init script's "status" and "reload" commands (#588222) | |
| - add patch to correct unauthorized access via krb5-aware telnet | |
| daemon (#229782, CVE-2007-0956) | |
| - add patch to fix buffer overflow in krb5kdc and kadmind | |
| (#231528, CVE-2007-0957) | |
| - add patch to fix double-free in kadmind (#231537, CVE-2007-1216) | |
| - clean up init script for server, verify that it works [jlkatz] | |
| - clean up rotation script so that rc likes it better | |
| - add clean stanza | |
| - turn off NSS as the backend for libk5crypto for now to work around its | |
| DES string2key not working (#679012) | |
| - add revised upstream patch to fix double-free in KDC while returning | |
| typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325) | |
| - Use full paths in krb5.sh to avoid path lookups | |
| - fix configure stuff for ia64 | |
| - Backport OID mech fix | |
| - Resolves: #1317609 | |
| - rebuilt | |
| - pull in upstream fix for an incorrect check on the value returned by a | |
| strdup() call (#1132062) | |
| - Switch to python3-sphinx for docs | |
| - Resolves: #1590928 | |
| - kadmind.init: don't fail outright if the default principal database | |
| isn't there if it looks like we might be using the kldap plugin | |
| - kadmind.init: attempt to extract the key for the host-specific kadmin | |
| service when we try to create the keytab | |
| - Use system nss_wrapper and socket_wrapper for testing. | |
| Patch by Andreas Schneider | |
| - Zap copy of secret in RC4 string-to-key | |
| - tag a couple of other patches which we still need to be applied during | |
| %{?_rawbuild} builds (zmraz) | |
| - add buildrequires: on keyutils-libs-devel to enable use of keyring ccaches, | |
| dragging keyutils-libs in as a dependency | |
| - rebuild | |
| - rebuilt | |
| - Make krb5kdc.log not world-readable by default | |
| - Resolves: #1276484 | |
| - New upstream version (1.18) | |
| - Resolves: #1802334 | |
| - Resolves: #1820311 | |
| - Resolves: #1791062 | |
| - Resolves: #1784655 | |
| - Remove WITH_NSS macro (always false) | |
| - Remove WITH_SYSTEMD macro (always true) | |
| - Remove WITH_LDAP macro (always true) | |
| - Remove WITH_OPENSSL macro (always true) | |
| - rename the krb5 package back to krb5-libs; the previous rename caused | |
| something of an uproar | |
| - update to 1.2.3, which includes the FTP and telnetd fixes | |
| - configure without --enable-dns-for-kdc --enable-dns-for-realm, which now set | |
| the default behavior instead of enabling the feature (the feature is enabled | |
| by --enable-dns, which we still use) | |
| - reenable optimizations on Alpha | |
| - support more encryption types in the default kdc.conf (heads-up from post | |
| to comp.protocols.kerberos by Jason Heiss) | |
| - Try harder to avoid password change replay errors | |
| - Resolves: #2077563 | |
| - rebuild | |
| - test update to 1.3 beta 4 | |
| - ditch statglue build option | |
| - krb5-devel requires e2fsprogs-devel, which now provides libss and libcom_err | |
| - Drop dependency on python2-pyrad (dead upstream, broken with new python) | |
| - fix buffer underrun in unparsing certain principals (CAN-2003-0082) | |
| - Drop dependency on pax, ksh | |
| - Remove support for fedora < 20 | |
| - Add BuildRequires on python2 so we can run tests at build-time | |
| - clear fuzz out of patches, dropping a man page patch which is no longer | |
| necessary | |
| - quote %{__cc} where needed because it includes whitespace now | |
| - define ASN1BUF_OMIT_INLINE_FUNCS at compile-time (for now) to keep building | |
| - Add upstream crashfix patch (RT#7081) | |
| - fixed server package so that it works now | |
| - update to 1.8.1 | |
| - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 | |
| - replace buildrequires on tetex-latex with one on texlive-latex, which is | |
| the package that provides it now | |
| - initial update to 1.6, pre-package-reorg | |
| - move workstation daemons to a new subpackage (#81836, #216356, #217301), and | |
| make the new subpackage require xinetd (#211885) | |
| - Fix KDC null deref on bad encrypted challenge (CVE-2021-36222) | |
| - Resolves: #1983729 | |
| - Update to krb5-1.13.1 | |
| - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 | |
| - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 | |
| - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 | |
| - Minor spec cleanup | |
| - update to 1.10.3, rolling in the fixes from MITKRB5-SA-2012-001 | |
| - Put openssl runtime requirement in the right place this time | |
| - Resolves: #1754690 | |
| - Rebuilt for gcc bug 634757 | |
| - backport the callback to use the libkrb5 prompter when we can't load PEM | |
| files for PKINIT (RT#7590, includes part of #965721/#1016690) | |
| - extract the rest of the fix #965721/#1016690 from the changes for RT#7680 | |
| - add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and | |
| CAN-2003-0139) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| libogg-1.3.2-10.el8.x86_64.rpm | - rebuild because of broken fileutils |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - rebuilt | |
| - automated rebuild | |
| - build for RHEL | |
| - automated rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - rebuild for gcc 4.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fixing multilib conflict (#831414) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Some small specfile cleanups | |
| - Add smpflags to make invocation (bz 226035) | |
| - Fix epoch. | |
| - own %{_includedir}/ogg | |
| - update to 1.1 | |
| - update to 1.0rc3 | |
| - update to 1.0rc1 | |
| - Some more small specfile cleanups for merge review (bz 226035) | |
| - Don't install Makefile's as %doc, avoiding a multilib conflict (bz 342281) | |
| - rebuilt | |
| - beta4 | |
| - fixed libogg-devel-docs (BZ #510608) (By Edward Sheldrake) | |
| - rebuilt | |
| - automated rebuild | |
| - libogg 1.1.4rc1 | |
| - split devel docs to noarch subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - libogg 1.2.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Fix 202280 | |
| - rebuilt | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - add explicit epoch's where needed. | |
| - initial spec file created | |
| - Autorebuild for GCC 4.3 | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - Update to 1.1.2 | |
| - Delete upstreamed libogg-1.1-64bit.patch | |
| - Delete upstreamed libogg-underquoted.patch | |
| - update CVS | |
| - libogg 1.1.4 | |
| - libogg 1.2.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuilt | |
| - Package review cleanups | |
| - Don't ship a static library | |
| - rebuild | |
| - fix ogg.m4 | |
| - Rebuild for PPC toolchain bug | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - one-dot-oh | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - update to 1.0rc2 | |
| - aarch64 support (#925834) | |
| - minor spec cleaning | |
| - Upgrading to 1.3.2 | |
| - Cleaning the spec | |
| - Fixing bogus dates in the changelog | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - fix bogus group | |
| - Require automake in the -devel package | |
| - clean up specfile slightly | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Use '|' instead of '/' as pattern delimiter in sed expressions (Fix FTBFS). | |
| - remove unpackaged files from the buildroot | |
| - Rebuild for pkgconfig provides | |
| - update CVS in prep for beta4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Switch to %ldconfig_scriptlets | |
| - Update to 1.1.3 | |
| - doc/ogg changed to doc/libogg | |
| - rebuilt | |
| - Fixed warnings in shipped m4 file. | |
| - bump again for double-long bug on ppc(64) | |
| - libogg 1.3.0 | |
|
|
|
| libquadmath-8.5.0-28.el8_10.x86_64.rpm | - update from Fedora 8.2.1-3 |
| - change the default -march on s390x to z13 with tuning for z14 (#1571124) | |
| - use --disable-multilib on s390x | |
| - backport aarch64 LSE atomics (#1821994) | |
| - avoid cycling on certain subreg reloads (PR rtl-optimization/96796, #2028798) | |
| - require docbook-style-xsl instead of docbook5-style-xsl (#2073888) | |
| - backport Default widths with -fdec-format-defaults patch (#2074614) | |
| - fix mangling of lambdas in default args (PR c++/91241, #1981822) | |
| - add a few Provides: bundled | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-50290). | |
| - remove python2 dependency (#1595385) | |
| - fix deserialization for std::normal_distribution (#2130392, | |
| PR libstdc++/105502) | |
| - initialize std::normal_distribution::_M_saved (PR libstdc++/99536) | |
| - reject std::make_shared |
|
| - tweak gcc8-rh1668903-1.patch and gcc8-rh1668903-2.patch patches | |
| - update from GCC 8.5 release (#1946758) | |
| - this includes a fix for PR target/87839 (#1958295) | |
| - Sync libstdc++ pretty printers to latest GTS (RHEL-82506). | |
| - update from Fedora 8.3.1-3 (#1680182) | |
| - remove load and test FP splitter (#1673116) | |
| - fix *movsi_from_df (#1677652) | |
| - add missing headers | |
| - add support for live patching (#1668903) | |
| - retire gcc8-rh1612514.patch, gcc8-rh1652016.patch, gcc8-rh1652929-?.patch | |
| - fix BuildRequires of python-sphinx | |
| - avoid changing PHIs in GIMPLE split_edge (#2117838) | |
| - s390x: add support for register arguments preserving (#2168205) | |
| - aarch64: Add -mtune=neoverse-512tvb (#1845932) | |
| - fix strlen range with a flexible member array (#2137448) | |
| - backport straight-line-speculation mitigation (#2108721) | |
| - Fix nop generation in annobin plugin. (#2067150) | |
| - update from Fedora 8.3.1-4 (#1680182) | |
| - drop gcc8-pr60790.patch, gcc8-pr89629.patch, gcc8-rh1668903-4.patch | |
| - revert upstream PR85873 gcc-8 fix, apply the fix from gcc-9 (#1960701) | |
| - fix 'this' adjustment for devirtualized call (PR c++/100797, #1965951) | |
| - back out the PR97236 patch | |
| - fix shift count operand printing (#1730380) | |
| - fix tree-outof-ssa.c ICE with vector types (PR middle-end/90139, #1730454) | |
| - fix out-of-ssa with unsupported vector types (PR rtl-optimization/90756, | |
| - fix ICE with template placeholder for TTP (PR c++/86098, #1730454) | |
| - backport the -fuse-ld=lld option (#1670535) | |
| - TLS model fix (#1678555, PR c++/85400) | |
| - two small autoFDO fixes (#1686082) | |
| - libgomp update (#1707568) | |
| - member template redeclaration fix (#1652704, PR c++/86747) | |
| - turn libgcc_s.so into a linker script on i?86, x86_64, ppc64le and also on | |
| ppc and ppc64 for 64-bit multilib (#1708309) | |
| - avoid using unaligned vsx or lxvd2x/stxvd2x for memcpy/memmove inline | |
| expansion (#1666977) | |
| - fix typo in the cprop_hardreg patch (#2028609) | |
| - backport std::regex check for invalid range (#2001788) | |
| - when linking against libgcc_s, link libgcc.a too (#2022588) | |
| - guard the bit test merging code in if-combine (RHEL-11483) | |
| - rebuild for CVE-2020-11023 (RHEL-78274) | |
| - update from Fedora 8.1.1-1 | |
| - add -Wbidi-chars patch (#2008392) | |
| - Backport PPC string inlines from trunk which allow for valgrind's | |
| memcheck to work properly (#1652929) | |
| - Backport bugfix for clz pattern on s390 affecting jemalloc (#1652016) | |
| - backport workaround for broken C/C++ wrappers to LAPACK (#1711346) | |
| - update from GCC 8.4 release (#1946758) | |
| - enable hardening of binaries (#1624114) | |
| - disable libgccjit on RHEL | |
| - rebuild | |
| - enable annobin annotations (#1574936) | |
| - update from Fedora 8.2.1-1 | |
| - additional fix for the libgomp testsuite (#1707568) | |
| - update from Fedora 8.1.1-5 | |
| - Add a plugin-annobin subpackage. (#2067150) | |
| - update from GCC 8.4 release (#1868446) | |
| - remove symlinks to 32-bit versions of these static libraries: libasan.a, | |
| libitm.a, libquadmath.a, libubsan.a, libgfortran.a (#1779597) | |
| - don't reuse DEBUG_EXPRs with vector type (PR middle-end/100508, RHEL-79501) | |
| - Fix folding of BIT_NOT_EXPR for POLY_INT_CST (PR 118976, RHEL-90240) | |
| - fix bad use of VMAT_CONTIGUOUS (PR tree-optimization/97236, #1925632) | |
| - new package | |
| - Pin modification time for python files to SOURCE_DATE_EPOCH (RHEL-50290). | |
| - remove support for demangling GCC 2.x era mangling schemes (#1668394) | |
| - fix ICE in the vectorizer (RHEL-32886) | |
| - backport PCH tweaks (#2030878) | |
| - apply cprop_hardreg fix for narrow mode != lowpart targets (#2028609) | |
| - consider negative edges in cycle detection (#1817991, PR gcov-profile/91601) | |
| - fix Fortran debug info for arrays with descriptors (#1655624, | |
| PR fortran/92775) | |
| - fix wrong code emitted for movv1qi on s390x (#1784758, PR target/92950) | |
| - update from Fedora gcc-8.3.1-5 (#1747157) | |
| - use unspec_volatile for darn (PR target/91481, #1760205, CVE-2019-15847) | |
| - fix for TLSLD references (#2213753) | |
| - fix crash in dynamic_cast<>() on null pointer (PR c++/99074, #2211506) | |
| - adjust a pattern in s390.md (PR target/87723, #2214847) | |
| - fix typos in manual (#1612514) | |
| - avoid IFUNC resolver access to uninitialized data (#1559350, PR libgcc/60790) | |
| - rebuild | |
|
|
|
| librsvg2-2.42.7-5.el8.x86_64.rpm | - Fix rawhide upgrade path with librsvg3 |
| - update to 2.9.5 | |
| - Update to 2.26.1 | |
| - Update to 2.1.2 | |
| - Update to 2.42.1 | |
| - automated rebuild | |
| - Fix the .pc file to require gdk-pixbuf-2.0 | |
| - Plug a memory leak | |
| - remove libtool, automake14 buildreqs | |
| - Add missing scriptlets for librsvg3 | |
| - Fix requires for librsvg3-devel package | |
| - Update to 2.40.17 | |
| - Remove lib64 rpaths | |
| - Update to 2.2.2.1, crash fixes | |
| - PreReq gtk2 instead of just requiring it (#90697) | |
| - BuildReq libcroco-devel, seems this _can_ get picked up | |
| - update to 2.8.1 | |
| - Update to 2.32.0 | |
| - Update to 2.40.13 | |
| - Fix bogus date in changelog | |
| - Don't use the epoch, that's implicitly zero and not defined | |
| - Require gtk2 2.2.0 for the pixbuf loader (#80857) | |
| - Update to 2.40.9 | |
| - build requires gnome-libs-devel, #49509 | |
| - Update to 2.36.0 | |
| - created this thing | |
| - Update to 2.37.0 | |
| - Fix multilib issues | |
| - Update to 2.40.3 | |
| - BuildRequires libtool, libgnomeui-devel, there may be more | |
| - -devel req libcroco-devel | |
| - Update to 2.7.2 | |
| - Fix up changelog section | |
| - Add GTK3 port of the libraries | |
| - Update to 2.42.2 | |
| - Update to 2.26.3 | |
| - update version | |
| - Buildrequire libcroco | |
| - update to 2.1.3 | |
| - Update to 2.40.8 | |
| - Update to 2.34.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - bump to 2.4.0 | |
| - update to 2.6.4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 2.42.3 | |
| - BuildRequire libgsf-devel | |
| - Update to 2.40.18 | |
| - Switch to %ldconfig_scriptlets | |
| - Update to 2.22.3 | |
| - own includedir/librsvg-2 | |
| - Update to 2.36.3 | |
| - Package the librsvg Vala bindings | |
| - Update to 2.18.2 | |
| - Update to 2.40.15 | |
| - Don't let scriptlets fail (#243185) | |
| - change to separate Requires(post/postun) lines | |
| - Update to a git snapshot that builds against standalone gdk-pixbuf | |
| - Drop librsvg3 package | |
| - Drop svg theme engine | |
| - Rely on gdk-pixbuf2 file triggers | |
| - bump again for double-long bug on ppc(64) | |
| - Update to 2.40.7 | |
| - Use license macro for COPYING and COPYING.LIB | |
| - Use pkgconfig for BuildRequires | |
| - Add URL | |
| - Compile with svgz support | |
| - Update to 2.40.4 | |
| - Tighten subpackage deps with the _isa macro | |
| - Build gobject-introspection bindings | |
| - new CVS snap 1.1.0.91 | |
| - remove automake/autoconf calls | |
| - rebuilt | |
| - Update to 2.13.93 | |
| - Update to 2.26.2 | |
| - fix crash in rsvg-gobject.c:instance_dispose function | |
| (https://bugzilla.gnome.org/show_bug.cgi?id=623383) | |
| - Update to 2.18.1 | |
| - Update to 2.26.0 | |
| - Newer upstream version | |
| - Update to 2.16.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Resolves: rhbz#1804519 Add patch for CVE-2019-20446 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Add missing libs | |
| - Update to 2.18.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 2.14.3 | |
| - Fix usage of "%{_bindir}/update-gdk-pixbuf-loaders %{_host}" | |
| to point to right place and architecture | |
| - Add manpage | |
| - Update to 2.2.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Don't package gdk-pixbuf.loaders, it gets generated | |
| in the %post | |
| - rebuild in different environment | |
| - Rebuild against new GTK+ | |
| - Require GTK+ 2.9.0 | |
| - Rebuild with the current rust-toolset | |
| - New upstream version | |
| - Update to 2.32.1 | |
| - rebuild | |
| - Update to 2.35.1 | |
| - rebuilt | |
| - Update to 2.13.5 | |
| - fixed the linefeed problem in multibyte environment. (Bug#49310) | |
| - Update to 2.22.1 | |
| - Fix including rsvg.h always causing a deprecated warning, as this breaks | |
| apps compiling with -Werror | |
| - Update to 2.15.0 | |
| - Don't ship static libs | |
| - Update to 2.31.0 | |
| - new version for GNOME 2.4 | |
| - Update to 2.34.0 | |
| - New upstream version | |
| - 2.2.3 | |
| - Moved engine and loaders from devel package | |
| - Split rsvg-view-3 and rsvg-convert to a -tools subpackage (#915403) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 2.39.0 | |
| - Update to 2.22.0 | |
| - Update to 2.14.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Update to 2.15.90 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 2.40.0 | |
| - BR vala instead of obsolete vala-tools subpackage | |
| - Update license field | |
| - Must use the same rpm macro for the host triplet as the | |
| gtk2 package, otherwise things can fall apart. (#137676) | |
| - Put changelog at the end | |
| - Move .so files to devel subpackage | |
| - Don't mess with ld.so.conf | |
| - Don't use %{prefix}, this isn't a relocatable package | |
| - Don't define a bad docdir | |
| - Add BuildRequires | |
| - Use %{_tmppath} | |
| - Don't define name, version etc. on top of the file (why | |
| do so many do that?) | |
| - s/Copyright/License/ | |
| - Update to 2.40.5 | |
| - Update to 2.20.0 | |
| - Update to 2.42.6 | |
| - Use bundled rust deps | |
| - Update to 2.40.1 | |
| - Update to 2.40.10 | |
| - own /usr/include/librsvg | |
| - full version in -devel requires (#102063) | |
| - rebuild to get new gtk bin age | |
| - Fix libcroco in link line. Fixes #107875. | |
| - Properly require libgsf and libcroco | |
| - Update to 2.42.7 | |
| - Update to 2.36.1 | |
| - Removed unrecognized configure options | |
| - Include the man page in the rpm | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Fix libtool | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 1.1.3 | |
| - New upstream version | |
| - Manpage were installed in the wrong place | |
| - Update to 2.40.11 | |
| - Drop ancient librsvg3 obsoletes | |
| - Add a patch that moves the includes to librsvg-1/librsvg | |
| - in preparation for a later librsvg 2 library. | |
| - Update to 2.40.16 | |
| - Update to 2.40.20 | |
| - Properly handle updating of arch-dependent config | |
| files. (#124483) | |
| - 1.1.6 | |
| - Rebuild for build ID | |
| - rebuilt | |
| - Update to 2.22.2 | |
| - Update to 2.40.19 | |
| - Rebuilt for gobject-introspection 1.41.4 | |
| - Resolves: RHEL-635 Upgrade to procedural-masquerade 0.1.7 to fix FTBFS with newer Rust | |
| - Resolves: RHEL-636 librsvg2 is missing Provides: bundled() | |
| - Resolves: RHEL-637 Add git-core as a BR for autosetup | |
| - Update to 2.36.4 | |
| - Update dependencies (now cairo only, not libart) | |
| - automated rebuild | |
| - Put into Red Hat Build system | |
| - fix bad libart dep | |
| - Update to 2.13.3 | |
| - Rebuild against new libpng | |
| - rebuilt | |
| - Update to 2.14.0 | |
| - Rebuild with gcc4 | |
| - New upstream version | |
| - automated rebuild | |
| - rebuilt | |
| - 1.0.2 | |
| - Update to 2.16.0 | |
| - Require pkgconfig in the -devel package | |
| - Update to 2.14.1 | |
| - Rebuilt on new gcc | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - convert to librsvg2 RPM | |
| - Update to 2.40.2 | |
| - Merge-review cleanup (#226040) | |
| - Plug memory leaks | |
| - Autorebuild for GCC 4.3 | |
| - Update to 2.13.92 | |
| - 2.0.1 | |
| - Update to 2.2.1, fixes crash | |
| - Removed temporary manpage hack | |
| - Update to 2.35.0 | |
| - update to 2.6.1 | |
| - Update to 2.35.2 | |
| - Fix a crash (#603183) | |
| - put .la file back in package | |
| - Convert specfile to UTF-8. | |
| - Update to 2.40.6 | |
| - Move docs to rpm docdir | |
| - removed obsoletes from sub packages and added mozilla and | |
| trilobite subpackages | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - rebuild in different environment | |
| - Update to 2.40.12 | |
| - use system libtool (#88339) | |
|
|
|
| libsecret-0.18.6-1.el8.0.2.x86_64.rpm | - Update to 0.12 |
| - Add provides bundled(egglib) (#808025) | |
| - Use global instead of define | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 0.18 | |
| - Update to 0.6 | |
| - Update to 0.18.6 | |
| - Use valgrind_arches macro instead of hardcoding valgrind arch list | |
| - BR vala instead of obsolete vala-tools subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for gobject-introspection 1.41.4 | |
| - Update to 0.18.4 | |
| - Update to 0.10 | |
| - Enable vala | |
| - valgrind available only on selected arches | |
| - Switch to %ldconfig_scriptlets | |
| - Update to 0.8 | |
| - Update to 0.16 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 0.3 | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Fix URL (#1294934) | |
| - Update to 0.15 | |
| - Update to 0.14 | |
| - Update to 0.18.3 | |
| - Use make_install macro | |
| - Update to 0.7 | |
| - Update to 0.13 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Use system valgrind headers (#1141474) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Initial RPM release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 0.18.5 | |
| - Update to 0.11 | |
| - Update to 0.2 | |
| - Enable parallel make | |
| - Update to 0.18.2 | |
| - Use license macro for the COPYING file | |
|
|
|
| libsndfile-1.0.28-16.el8_10.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Updated to 1.0.15 | |
| - heap-based Buffer Overflow in psf_binheader_writef function (#1483140, CVE-2017-12562) | |
| - rebuilt | |
| - Updated to 1.0.20 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Fix format string bug (#149863). | |
| - Drop explicit Epoch 0. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Modernise spec | |
| - Generic 32/64bit platform detection | |
| - fix integer overflows causing CVE-2022-33065 (#RHEL-3750) | |
| - Update to 10.0.21 | |
| - Do not include the static library in the package (RHBZ#556074) | |
| - Remove BR on jack since sndfile-jackplay is not provided anymore | |
| - Removed spurious #endif in the libsndfile.h wrapper. Thx to Edward | |
| Sheldrake for finding it. Fixes #468508. | |
| - Fix build for autoconf-2.63 | |
| - Use __isa_bits macro instead of list of 64-bit architectures | |
| - updated to 1.0.27 | |
| - fix coverity scan found issues (#1602592) | |
| - fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840) | |
| - division by zero leading to denial of service in psf_fwrite (#1177254) | |
| - fix incomplete patch for CVE-2015-7805 | |
| - Update to 10.0.22 | |
| - Rebuilt against libtool 2.2 | |
| - Update to 10.0.23 | |
| - Add FLAC/Ogg/Vorbis support (BR: libvorbis-devel) | |
| - Make build verbose | |
| - Remove rpath | |
| - Fix ChangeLog encoding | |
| - Move the big Changelog to the devel package | |
| - fix license tag | |
| - Adding FLAC support to libsndfile courtesy of gentoo, #237575 | |
| - Fixing CVE-2007-4974. Thanks to the gentoo people for the patch, #296221 | |
| - fix support for aarch64, another part (#969831) | |
| - Updated to 1.0.14 | |
| - Dropped patch0 | |
| - rebuild (#2118285) | |
| - fix ppc64le build (#1051639) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix crash in ogg vorbis (#RHEL-65093) (CVE-2024-50612) | |
| - fix CVE-2018-13139 - stack-based buffer overflow in sndfile-deinterleave utility (#1598482) | |
| - Fix up previous commit | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Patch to use system libgsm instead of a bundled copy. | |
| - Make main package dep in -devel ISA qualified. | |
| - Drop -octave Provides (not actually built with octave > 3.0). | |
| - Don't build throwaway static lib. | |
| - Run test suite during build. | |
| - Do not build against Jack on RHEL | |
| - Fix the Source0: URL | |
| - Fix the licence tag | |
| - Autorebuild for GCC 4.3 | |
| - Update to 1.0.11. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution (#1985028) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - fix buffer overflow in aiff (CVE-2017-6892,rhbz#1463328) | |
| - fix support for aarch64 (#925887) | |
| - Update to 1.0.25 | |
| - fixes integer overflow by processing certain PAF audio files (#721240) | |
| - fix CVE-2015-7805: Heap overflow vulnerability when parsing specially | |
| crafted AIFF header | |
| - Update to 1.0.10, update URLs, include ALSA support. | |
| - Disable dependency tracking to speed up the build. | |
| - Add missing ldconfig invocations. | |
| - Make -devel require pkgconfig. | |
| - Include developer docs in -devel. | |
| - Provide -octave in main package, own more related dirs. | |
| - Bring specfile up to date with current spec templates. | |
| - Initial build. | |
| - Updated to 1.0.16 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Update to 1.0.24 | |
| - fix prerequisite patch (#RHEL-65093) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - fix flac and pcm buffer overflows (CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365) | |
| - fix heap buffer overflow in flac (#2030507) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - fix CVE-2018-19661 and CVE-2018-19662 - buffer over-read in the function | |
| i2alaw_array in alaw (#1673085) | |
| - updated to 1.0.28 | |
| - fix possible buffer overflow when parsing crafted ID3 tags (#1440758, CVE-2017-7586) | |
| - fix possible buffer overflow when parsing crafted flac file (#1440756, CVE-2017-7585) | |
| - Split utils into a subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Fix FTBFS | |
| - Use %license | |
| - Updated to 1.0.17 | |
| - Fixed multilib conflict. #342401 | |
| - Made flac support actually work correctly. | |
|
|
|
| libsodium-1.0.18-9.el8.x86_64.rpm | - Security: `crypto_core_ed25519_is_valid_point()` now properly |
| rejects small-order points that are not in the main subgroup | |
| CVE-2025-69277 | |
|
|
|
| libsoup-2.62.3-11.el8_10.x86_64.rpm | - Backport patch for CVE-2025-14523 |
|
|
|
| libsrtp-1.5.4-8.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild |
| - api changes between 1.4.4 and 1.5.0, bump sover to 1.0.0 | |
| - fix linking issue to make proper libsrtp.so.1 | |
| - use upstream provided .pc file (bz1313590) | |
| - update the config.h header aarch64 is a 64 bit arch though there is no multilib | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - fix shared lib generation to silence ldconfig | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Don't use '-z noexecstack' option for linker on PPC64 (EL6) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - initial package | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - rename internal functions to avoid conflicts (bz 956340) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - update to 1.5.4 | |
| - fix MIPS name collision (bz1305950 ) Thanks to Michal Toman | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - apply fix for CVE-2013-2139 from https://github.com/cisco/libsrtp/pull/27 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update for 1.5.0 release. | |
| - use __PPC64__, not __ppc64__ which is undefined on PPC64 arch | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - fix library linking typo | |
| - handle config.h multilib (bz787537) | |
| - Port to openssl 1.1.0 | |
| - Build against openssl | |
| - Resolves: rhbz#1618747 | |
|
|
|
| libtheora-1.1.1-21.el8.x86_64.rpm | - Add patch to fix FTBFS with libpng-1.6 |
| - Fix FTBFS due to underlinked examples | |
| - rebuild | |
| - 1.1beta1 | |
| - Update to 1.0alpha5 | |
| - Remove no longer needed autoreconf call, %configure from redhat-rpm-config | |
| >= 9.1.0-42 updates config.guess and config.sub for new architecture support | |
| - rebuild | |
| - Update to 1.0alpha7 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Add BuildRequires on libvorbis-devel (134664) | |
| - Put Obsoletes/Provides theora-exp-devel in the -devel package instead of in | |
| the -tools package (oops) | |
| - Install png2theora (bz 349951) | |
| - New upstream release 1.0beta3 | |
| - bump again for double-long bug on ppc(64) | |
| - Add Epoch dependencies for future Epoch increment safety measure | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Initial build | |
| - Fix textrelocations on i386 (bz 253591) | |
| - rebuilt | |
| - libtheora 1.1.1 | |
| - Update config.guess/sub for new architecture support | |
| - Autorebuild for GCC 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild with gcc 4.0 | |
| - Update to 1.0rc1 | |
| - 1.1beta3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - New upstream bugfix release 1.0beta2 | |
| - Rebuild for new libpng | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Switch to %ldconfig_scriptlets | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - Apply patch to fix include path, thanks to Thomas Vander Stichele | |
| - libtheora 1.1.0 | |
| - 1.1beta2 | |
| - Update png2theora to latest svn version (bz 401681) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Fix build on x86_64 | |
| - Put development documentation in its own subpackage to fix multilib | |
| conflicts (rh 477290) | |
| - libtheora 1.1alpha1. Woo Thusnelda! | |
| - New upstream version 1.0alpha4 | |
| - Remove upstreamed patch libtheora-1.0alpha3-include.patch | |
| - Use Theora_I_spec.pdf for spec | |
| - Add in .pc file (yay! another library sees the light) | |
| - Use xz compressed upstream tarball. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - run autoreconf for aarch64 support (#925898) | |
| - add a patch from upstream fixing a crash when compiled with gcc-4.8 (#959001) | |
| - cleanup spec-file | |
| - Fix Source0 URL | |
| - Make -devel-docs noarch | |
| - 1.1alpha2 | |
| - Update to 1.0alpha8 svn (revision 13393) snapshot | |
| - support and enable bootstrap mode (ie, no docs) | |
| - Fix a directory ownership issue (#233872) | |
| - Small spec cleanups | |
| - 1.0 final release | |
| - need epoch because we were not using the special pre-release | |
| version-release scheme used now a days in Fedora :( | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix libtheoraenc getting build but not installed | |
| - New upstream release 1.0beta1 (bz 307571) | |
| - disable bootstrap | |
| - Add api docs to the -devel package | |
|
|
|
| libvisual-0.4.0-25.el8.x86_64.rpm | - fix build for GCC4 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - rebuild for FC5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - rebuild | |
| - Fix epoch use | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 0.5.0 beta was a bad idea. nothing else supports it. | |
| - fix format-security issue | |
| - Initial RPM release. | |
| - Autorebuild for GCC 4.3 | |
| - fix license tag | |
| - rebuilt | |
| - version 0.4.0 | |
| - drop Patch0 (applied upstream) | |
| - Fix bogus #if where #ifdef was meant | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - bump release | |
| - version 0.2.0 | |
| - drop patch | |
| - version 0.1.7 | |
| - fix dependency for modular X | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Fix multilib conflicts in lvconfig.h | |
| - Resolves: #1853155 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Apply Adrian Reber's suggestions in bug 2182 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Better Altivec detection, code from David Woodhouse | |
| - use dist tag for all-arch-rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - defining inline causes problems trying to build against libvisual headers, | |
| e.g. libvisual-plugins | |
| - spec file cleanups | |
|
|
|
| libvorbis-1.3.6-2.el8.x86_64.rpm | - Update to 1.1.2 |
| - Switch to %ldconfig_scriptlets | |
| - link to .pdf spec rather than ship redundant copy | |
| - spec cleanups | |
| - Rebuild for build ID | |
| - Fix build for https://fedoraproject.org/wiki/Changes/Harden_All_Packages | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - libvorbis 1.3.2 | |
| - libvorbis 1.2.2 | |
| - rebuilt | |
| - libvorbis-1.2.3-add-needed.patch: Fix FTBFS from --no-add-needed | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - libvorbis 1.2.3 | |
| - backport patches to fix CVE-2009-3379 (#531765) from upstream | |
| - ship documentation only in -doc subpackage and only license | |
| in -devel (#540634) - thanks to Edward Sheldrake | |
| - -devel-doc subpackage requires -devel | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - update to 1.0.1 | |
| - rebuilt | |
| - Install docs to %{_pkgdocdir} where available (#993967). | |
| - rebuilt | |
| - Update to 1.2.0 | |
| - Resolves: #250115 | |
| - rebuild to get provides pkgconfig(vorbisenc) | |
| - rebuilt | |
| - Update to 1.3.5 (#1197923) | |
| - Use license macro for COPYING | |
| - Tighten subpackage dependencies | |
| - Use make_install and make_build macros | |
| - Use pkgconfig for BuildRequires | |
| - Remove unnecessary Requires from devel subpackage | |
| - Remove obsolete Obsoletes | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - remove unpackaged files from the buildroot | |
| - tell configure where ogg libs are | |
| - lib64'ize | |
| - fix CVE-2008-1420, CVE-2008-1419, CVE-2008-1423 (#446344) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Autorebuild for GCC 4.3 | |
| - rebuilt | |
| - libvorbis 1.3.1. Fixes surround. | |
| - Fix patch fuzz build failure | |
| - Fix #81026 by updating libvorbis-1.0-m4.patch | |
| - Don't include Makefile's in %doc, avoiding a multilib conflict (bz 342481) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - rebuilt | |
| - libvorbis 1.3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - libvorbis 1.3.4 | |
| - libvorbis 1.3.3 (#787635) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 1.1.1 | |
| - Update to 1.1.0 | |
| - Remove upstreamed patch libvorbis-underquoted.patch | |
| - Nuke -mcpu=750 from cflags for PPC, that plus -mcpu=power7 confuses gcc. | |
| - Sync with git for CVE-2017-14160, CVE-2018-10392, CVE-2018-10393 | |
| - rebuild with gcc 4.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fixed warnings in shipped m4 file. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Fix typos in %description (#245471) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - add epochs to dependencies, to avoid 1.0rc3 >= 1.0 miscomparisons | |
| (#79374) | |
| - fix vorbis.m4 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - rebuild | |
| - Fix doc subpackage build (#540634) | |
| - bump again for double-long bug on ppc(64) | |
| - Run test suite during build. | |
| - Fix doc file permissions and duplicate doc dir ownership. | |
| - rpmlint warning fixes. | |
| - libvorbis 1.2.2rc1 | |
| - rebuilt | |
| - Include COPYING in base package too. | |
| - libvorbis-1.2.2-svn16228.patch: Backport a fix from pre-1.2.3 to hopefully | |
| fix small sound file playback. (#505610) | |
| - Package review cleanups | |
| - Don't ship static libraries | |
|
|
|
| libwebp-1.0.0-11.el8_10.x86_64.rpm | - Update to 0.6.0 |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Fixing endian checks (#962091) | |
| - Fixing FTPBS caused by rpath presence | |
| - Update to 1.0.0 | |
| - upstream release 0.5.1 | |
| - Backport e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 (CVE-2016-9085, rhbz#1389338) | |
| - rebuild due to "jpeg8-ABI" feature drop | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - upstream release 0.3.1 | |
| - upstream release 0.5.0 | |
| - Several spec improvements by Scott Tsai |
|
| - Add BuildRequires: freeglut-devel to build vwebp | |
| - Added fixes for rhbz#1956853, rhbz#1956856, rhbz#1956868, rhbz#1956917 | |
| - upstream release 0.3.0 | |
| - enable gif2webp | |
| - add build requires on giflib-devel and libtiff-devel | |
| - use make_install and hardened macros | |
| - list binaries explicitly | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Added fixes for rhbz#1956829, rhbz#1956843, rhbz#1956919 | |
| - upstream release 0.4.0 | |
| - Backport another big-endian fix | |
| - Backport upstream big-endian fix | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - upstream release 0.4.1 | |
| - enable webpdemux | |
| - Bump the release to "9" to accommodate the 9.1.0.z release bumps as | |
| libwebp-1.0.0-8.el9 < libwebp-1.0.0-8.el8_7 | |
| - More big-endian fixes | |
| - upstream release 0.4.4 | |
| - Use Requires: java-headless rebuild (#1067528) | |
| - rebuild against new libjpeg | |
| - Rebuild a package for shipping libwebp-tools in CRB | |
| - Resolves: RHEL-86884 | |
| - upstream release 0.4.3 | |
| - Added fix for CVE-2023-4863 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 0.6.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Switch to %ldconfig_scriptlets | |
| - upstream release 0.4.2 | |
| - Use frename-registers cflag to fix FTBFS on aarch64 | |
| - new upstream release 0.2.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuild (giflib) | |
| - Update to 0.5.2 | |
| - Fix LDFLAGS not passed when building libwebp_jni.so (#1548718) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Add fix for mzbz#1819244 | |
| - Fix tools subpackage dependency | |
| - Bump the release to "8" to accommodate the 8.7.0.z release bumps | |
| - Initial spec. Based on openSUSE one | |
|
|
|
| libxkbcommon-x11-0.9.1-1.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - xkbcommon 0.7.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Require xkeyboard-config (#1145260) | |
| - Today's git snapshot | |
| - xkbcommon 0.2.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - xkbcommon 0.7.0 | |
| - xkbcommon 0.3.1 | |
| - BuildRequire xkeyboard-config-devel to get the right XKB target path (#799717) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - xkbcommon 0.6.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Today's git snap | |
| - Add patch from upstream adding XF86Keyboard and XF86RFKill keysyms | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - always build the x11 subpackage | |
| - xkbcommon 0.3.0 | |
| - make -x11 support conditional (f21+, #1000497) | |
| - --disable-silent-rules | |
| - Update to 0.4.3 | |
| - xkbcommon 0.4.0 | |
| - Add new xkbcommon-x11 and xkbcommon-x11-devel subpackages | |
| - libxkbcommon 0.9.1 (#1728801) | |
| - initial import | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - xkbcommon 0.4.2 (#1000497) | |
| - own %{_includedir}/xkbcommon/ | |
| - -x11: +ldconfig scriptlets | |
| - -devel: don't include xkbcommon-x11.h | |
| - run reautoconf in %prep (instead of %build) | |
| - tighten subpkg deps via %_isa | |
| - .spec cleanup, remove deprecated stuff | |
| - BR: pkgconfig(xcb-xkb) >= 1.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 0.5.0 (#1154574) | |
| - Bump release to 2 to avoid confusion with non official non scratch 0.4.2-1 | |
| - libxkbcommon 0.8.0 | |
| - Today's git snapshot | |
| - libxkbcommon 0.8.2 (#1619541) | |
| - Switch to %ldconfig_scriptlets | |
|
|
|
| lvm2-2.03.14-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| lvm2-libs-2.03.14-15.el8_10.3.x86_64.rpm | - Allow integrity to use multiple segments for metadata. |
|
|
|
| net-snmp-5.8-33.el8_10.x86_64.rpm | - Python: fixed IPADDRESS size on 64-bit systems (#895357) |
| - introduce /etc/sysconfig/snmpd. Use it to specify snmpd command line options. | |
| /etc/snmp/snmpd.options is not used anymore (#431391) | |
| - strip binaries | |
| - Rebuilt for switch to libxcrypt | |
| - Added direct dependency on perl-devel with architecture in | |
| net-snmp-devel package to pull proper dependencies. | |
| - add patch so that only four bytes are returned for IP addresses on ia64 (#32244) | |
| - Final bcm5820 fix. Last one was broken. | |
| - Fixed bugzilla bug (#51960) where the binaries contained rpath references. | |
| - rebuild with new openssl | |
| - Hack to make it build on 64bit platforms with /usr/lib64 correctly. | |
| - Fixed bug #85071 (leak of open descriptors for ipv6). | |
| - fix sendmsg error code for new kernel (#2185787) | |
| - added aarch64 to multilib architectures. | |
| - rebuild against perl 5.10.1 | |
| - ucd-snmpd.init: start daemon w/o -f. | |
| - Rebuilt for new rpm | |
| - switch to new disman implementation | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - fix ethtool extension (#222268) | |
| - upgrade to 5.4 | |
| - patch cleanup | |
| - snmpd uses /var/run/snmpd.pid (#211264) | |
| - rc2 prebuilt | |
| - further tune up the distribution of files among subpackages | |
| and dependencies | |
| - Moved tmpfiles.d config file to /usr/lib | |
| - implement suggestions from Wes Hardaker. | |
| - allow disman/event-mib | |
| - fix %attr on man pages | |
| - better patch for depreciated sysctl call | |
| - Fixed file list for latest build. | |
| - Reworked the perl filelist stuff (Thanks to marius feraru). | |
| - add a *new* patch for IP address return sizes | |
| - snmpd crash with 'interfaces' directives in snmpd.conf fixed #139010 | |
| - rather dirty patch fixing conf directory for net-snmp-config | |
| - exit snmpd after snmpd -h command (#1634811) | |
| - Perl 5.26 rebuild | |
| - fixed net-snmp-create-v3-user to have the same content on all architectures | |
| - /var/lib/net-snmp/mib_indexes and cert_indexes added to net-snmp-libs | |
| (#906761) | |
| - do not link against -lelf | |
| - Perl 5.20 rebuild | |
| - net-snmp properly deals with large partitions (#153101) |
|
| - fixed unexpected length for type ASN_UNSIGNED (#151892) | |
| - fixed uptime problems on ia64 | |
| - re-introduced /etc/sysconfig files (#752821) | |
| - Perl 5.14 mass rebuild | |
| - tkmib doco had #!/usr/bin/perl55 | |
| - include snmpcheck and tkmib again (still needs some CPAN module, however). | |
| - Perl 5.16 rebuild | |
| - Update to 5.1.2 | |
| - Removed net-snmp-5.0.1-initializer patch, included upstream | |
| - fix double free or corruption error (#1726373) | |
| - Fixed the libdir problem. | |
| - Fixed problem with RUNTESTS script. | |
| - fix tcp_wrappers integration (CVE-2008-6123) | |
| - Fix build with MariaDB 10.2 | |
| - Fixed ro/rw problem with v2 and v3 request (#89612) | |
| - remove tcp_wrapper (#1518768) | |
| - use mariadb-connector instead of mysql-devel (#1339272) | |
| - rebuilt | |
| - Included BuildPrereq on lm_sensors-devel on x86 archs (#110616). | |
| - Fixed deprecated initscript options (#110618). | |
| - fixed missing requires for devel package (#155221) | |
| - net-snmp.redhat.conf: update default configuration to conform to the best practices (#1359123) | |
| - nmp_transport.c: use strtok_r for strtok to avoid a race condition (#1366282) | |
| - Perl mass rebuild | |
| - fix crash on s390x and ppc64 | |
| - Added patch to increase SMUXMAXSTRLEN. | |
| - Quite a bit of specfile cleanup from Marius FERARU. | |
| - update to Net-SNMP 5.5 | |
| - remove static libraries from -devel subpackage | |
| - Temporarily disable T200snmpv2cwalkall_simple test on ppc(64) until | |
| bug 814829 is fixed | |
| - enable libwrap (#253) | |
| - enable host module (rpm queries over SNMP!). | |
| - agentx double free error fix |
|
| - fix lib version | |
| - Add APSL 2.0 license to COPYING file | |
| - move the perl(:MODULE_COMPAT_5.10.x) require to net-snmp-libs | |
| - fix trapsink port issue (#1677192) | |
| - BR: perl(ExtUtils::Embed) | |
| - Perl mass rebuild | |
| - fix issue with flood messages (#1719350) | |
| - Perl 5.18 rebuild | |
| - Perl mass rebuild | |
| - Added bzip2-devel to BuildPreReq (#76086, #70199). | |
| - added new net-snmp-agent-libs subpackage with agent libraries | |
| -> net-snmp-libs do not need perl and lm_sensors libs | |
| - removed libsnmp.so, it's not used in Fedora (#729811) | |
| - added README.systemd | |
| - added new net-snmp-sysvinit subpackage with legacy init scripts | |
| (#718183) | |
| - Fixed ucd-snmp.redhat.conf (#78391). | |
| - Fixed snmpwalk examples in config file. | |
| - fix for s390x counter32 overflow (sachinp@in.ibm.com) | |
| - backport MemAvailable report from upstream (RHEL-21780) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - rebuilt with new openssl | |
| - Reverted removal of _includir redefinition due to php-snmp dependency. | |
| - Remove SO_BSDCOMPAT setsockopt() call, deprecated. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fix snmptrapd hostname logging (#238587) | |
| - fix udpEndpointProcess remote IP address (#236551) | |
| - fix -M option of net-snmp-utils (#244784) | |
| - default snmptrapd.conf added (#243536) | |
| - fix crash when multiple exec statements have the same name | |
| (#243536) | |
| - fix ugly error message when more interfaces share | |
| one IP address (#209861) | |
| - added ucd-snmp-4.2-null.patch to correctly handle a NULL value (#35016) | |
| - Rebuilt for RPM soname bump | |
| - fix engine order of evaluation (RHEL-116089) | |
| - fix crash when configured as proxy - issue 82 (RHEL-14454) | |
| - log once truncating issue (RHEL-13597) | |
| - fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, | |
| CVE-2022-24809 and CVE-2022-24810 (RHEL-26650) | |
| - fixed patch related to bug #35016 (Dell) | |
| - Included the Axioma Security Research fix for snmpnetstat from bugtraq. | |
| - enabled MySQL support in snmptrapd | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Fixed a server segfault for snmpset operation (#53640). Thanks to Josh Giles | |
| and Wes Hardaker for the patch. | |
| - Add Provides for the old name without %_isa | |
| - i18nize initscript | |
| - revert permission of config files to 600 (#1601060) | |
| - fix error message when the address specified by clientaddr option | |
| is wrong or cannot be bound (#1877375) | |
| - log error with /proc/net/if_inet6 only when IPv6 is enabled (#1824367) | |
| - fix issue with quoting empty passphrase (#1817225) | |
| - Fix issue with undefined symbol my_progname when try to load NetSNMP::TrapReceiver in perl script. (#1470004) | |
| - sparc multilib handling | |
| - fix deprecated syscall base_reachable_time (#207273) | |
| - move initscript back | |
| - Fixed problem with reload in initscript (#63526). | |
| - another release candidate | |
| - Remove rpath from net-snmp-config output (#554747) | |
| - Updated to latest released version. | |
| - added autoreconf to be able to build on aarch64 (#926223) | |
| - default config permits RO access to system group only (Wed Hardaker). | |
| - introduce /etc/sysconfig/snmptrapd. Use it to specify snmptrapd command | |
| line options. /etc/snmp/snmptrapd.options is not used anymore (#540799) | |
| - build-in ipAddressPrefixTable, ipDefaultRouterTable, ipv6ScopeZoneIndexTable, | |
| ipIfStatsTable, SCTP-MIB, RMON-MIB and Etherlike-MIBs | |
| - remove ucd5820stat helper script, it depends on get5820stats, which is not | |
| available in Fedora | |
| - move sample services ipf-mod.pl to documentation | |
| - remove logrotate config, snmpd logs into syslog | |
| - updated to net-snmp-5.6 | |
| - Rebuild | |
| - Fixed a couple of security issues: | |
| o /tmp race and setgroups() privilege problem | |
| o Various buffer overflow and format string issues. | |
| o One signedness problem in ASN handling. | |
| - Fixed an important RFE to support bcm5820 cards. (#51125) | |
| - fix tmpfiles path (#1710784) | |
| - Switch to %ldconfig_scriptlets | |
| - Rebuild (again) against newer rpm, now with proper rpm-4.9 detection | |
| - Move /var/lib/net-snmp from net-snmp to net-snmp-libs (#822508) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - fix occasional segfaults when snmpd starts | |
| - remove file due licensing issues (#1690936) | |
| - Remove .la file from net-snmp-libs (#172618) | |
| - grab new openssl | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - update to 4.0.1. | |
| - moved agentxtrap utility to net-snmp subpackage, | |
| it needs libraries provided by net-snmp-agent-libs. | |
| - Perl 5.22 rebuild | |
| - Fixed snmpstatus crashing when receiving invalid response (#1233738) | |
| - rebuilt for new python again... | |
| - fix issue with parsing of long traps (#1912242) | |
| - modify fix for #1877375 | |
| - Updated to latest upstream version 5.0.8 (bug #88580) | |
| - Updated nolibelf patch and activated it again. | |
| - initscript munging | |
| - Injected new description and group. | |
| - redistribute the perl scripts to the net-snmp package, | |
| net-snmp-utils doesn't depend on perl now (#462484) | |
| - another multilib fix. Fix also net-snmp-config script | |
| - disable failing test on sparc64 | |
| - store temporary files in /var/run/net-snmp instead of /tmp - | |
| SELinux does not like it. | |
| - update engineTime when sending traps (#1973252) | |
| - rebuild with openssl-0.9.7e | |
| - Mass rebuild with perl-5.12.0 | |
| - integrated with systemd (#718183) | |
| - upgrade to 3.6.1, fix configuration file stuff. | |
| - update to 3.5.3. | |
| - don't include snmpcheck until perl-SNMP is packaged. | |
| - fixed initscript, for reload and restart it was start then stop, | |
| fixed. (#28477) | |
| - update to 3.5. | |
| - Recompile with -Wformat (#1242766) | |
| - allow compiling without tcp_wrappers | |
| - Moved net-snmp-config into devel package (#103927) | |
| - prepare the .spec file for review | |
| - run automatic regression suite after the compilation of the package | |
| to check for obvious regressions | |
| - remove unnecessary package dependencies | |
| - document various legacy options in this spec file | |
| - rebuilt | |
| - fix init script, read .options files from /etc/snmp (#195702) | |
| - Agentx failed to send trap, fixed (#130752, #122338) | |
| - add explicit format for syslog call (#18153). | |
| - clean up deinstallation (#34168) | |
| - report gigabit Ethernet speeds using Ethtool (#152480) | |
| - Don't ship tkmib, since we don't ship the perl modules needed to run it. | |
| (Bug #4881) | |
| - Python 2 binary package renamed to python2-net-snmp | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - fix double free or corruption error when freeing security context (#1809077) | |
| - remove deprecated CFLAG | |
| - Fixed invalid SMUX packet (#83487). | |
| - Updated to latest net-snmp-5.1 upstream version. | |
| - Tons of specfile and patch cleanup. | |
| - Cleaned up perl stuff (mib2c etc, see #107707). | |
| - Added lm_sensors support patch for x86 archs from Kaj J. Niemi (#107618). | |
| - Added support for custom mib paths and mibs to snmptrapd initscript (#102762) | |
| - fix default configuration file (#1589480 and #1594147) | |
| - modify permissions for config files (#1601060) | |
| - updated to net-snmp-5.6.1 | |
| - Change gcc Requires to BuildRequires (#1625189) | |
| - fix wrong systemd patch (#1545946) | |
| - better upstream patch for byteorder | |
| - add epoch to correspond with upstream versioning | |
| - turn off SMUX support (#110931) | |
| - add dist tag | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - fix dependency on lm_sensors-devel (#229109) | |
| - spec file cleanups | |
| - update for 4.2 | |
| - fix for lm_Senors, the max is no longer a fixed value | |
| - parsing fixed for /proc/net/if_inet6 | |
| - compressed man pages. | |
| - Fixed smux compilation problems (#41452) | |
| - Fixed wrong paths displayed in manpages (#43053) | |
| - Updated RPM scriptlets with latest systemd-rpm macros (#850403). | |
| - Fixed fedora-review tool complaints. | |
| - Fixed small bug in snmptrapd initscript (#126000). | |
| - Trim net-snmp-config --cflags output (#1309080) | |
| - Updated net-snmp to build against Perl 5.24 | |
| - fix division-by-zero in cpu statistics (#501210) | |
| - Logrotate support added (#125004) | |
| - Fixed 64bit build problems when 32bit popt lib is installed. | |
| - updated to 5.7.1: | |
| - Fixed the mib-parsing-bug introduced shortly before 5.7 | |
| - fixed rounding errors for disk percentage calculations | |
| - Many other miscellaneous minor bug fixes | |
| - Added sample config to make net-snmp RFC 1213 compliant. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - require perl(:MODULE_COMPAT_5.10.x) because the package links against | |
| libperl.so | |
| - Fixed permission for net-snmp-config in net-snmp-devel | |
| - Due to rpm-devel we need elfutils-devel, too (#103982). | |
| - Rebuild for fixed rpm (#473420) | |
| - Split out libs package for multilib compatibility | |
| - Added Kaj J. Niemi that fixes ipAdEntIfIndex problem (#119106) | |
| - Added Kaj J. Niemi to shut up memshared message for 2.6 kernel (#119203) | |
| - Updated to latest version (4.2.4.pre2) | |
| - patch from CVS - kill extra carriage return (#144917) | |
| - removed patch for interface indexing - doesn't show virtual interfaces | |
| - fix parsing of /proc/diskstats | |
| - fix disman monitor crash | |
| - fix perl vendor name | |
| - fix OID lookup fail | |
| - fix ipaddr return type on 64bit machines | |
| - add Requires for versioned perl (libperl.so) | |
| - get rid of silly file Requires | |
| - don't depend on /etc/init.d so that package will work with 6.2. | |
| - perl path fiddles no longer needed. | |
| - rely on brp-compress from rpm to compress man pages. | |
| - patch from ucd-snmp CVS (Wes Hardaker). | |
| - configure.in needs to check for rpm libraries correctly (#23033). | |
| - add simple logrotate script (#21399). | |
| - add options to create pidfile and log with syslog with addresses (#23476). | |
| - upgrade to 5.2.2 final | |
| - add version to buildroot | |
| - rebuilt with new libraries | |
| - Fixed buffer overflow in ICMP-MIB (#1071753) | |
| - Updated to 4.2.1. Removed 2 obsolete patches (fromcvs and #18153) | |
| - Include /usr/share/snmp/snmpconf in %files | |
| - auto rebuild in the new build environment (release 3) | |
| - rebuild (missing alpha packages) | |
| - fix segfault with error on subcontainer (#2051370) | |
| - Fixed net-snmp dependency on net-snmp-agent-libs. | |
| - New prereq for net-snmp-devel | |
| - lelf check removed from configure.in (#128748) | |
| - fixed snmpd coredump when sent SIGHUP (#127314) | |
| - prevent parsing IP address twice (#1768908) | |
| - add support for digests detected from ECC certs (#1919714) | |
| - fix broken ErrorMsg at ucd-snmp (#1933150) | |
| - add support for intermediate certs (#1914656) | |
| - fix crash of certs with longer extension (#1908718) | |
| - SMUX support is still needed .. will disappear later! | |
| - static libs should be in devel not libs (#203571) | |
| - fix lm_sensors issues | |
| - package cleanup, remove unnecessary patches | |
| - move local state file from /var/net-snmp/ to /var/lib/net-snmp | |
| - temporarily disable a test failing on ppc/s390 arches | |
| - explicitly require the right version and release of net-snmp and | |
| net-snmp-libs | |
| - update to net-snmp-5.4.2.1 to fix CVE-2008-4309 | |
| - fix lm_sensors-devel Requires (#229109) | |
| - fix use after free issue (RHEL-64696) | |
| - prepare for new rpm version | |
| - Added some missing files to the %files section. | |
| - backport two memory leaks from upstream (#2134635) | |
| - compile against Python3 | |
| - add gcc requirement | |
| - remove rm buildroot | |
| - add fix for -DUCD_COMPATIBLE (#77405) | |
| - update to 3.6.2 (#3219,#3259). | |
| - add missing man pages (#3057). | |
| - proxied OIDs unspecified in proxy statement in snmpd.conf (#1658134) | |
| - UCD-SNMP-MIB::dskTable doesn't update dynamically (#1658185) | |
| - expand SNMPCONFPATH variable (#1660146) | |
| - remove file with Apple license (#1690936) | |
| - log meaningful message on duplicate IP address (#1692286) | |
| - memory reporting adjustment (#1695497 and #1766521) | |
| - fix typos in man page (#1700262) | |
| - speedup ipAddressTable loading (#1700391) | |
| - fix memory leak when shut down librpm (#1763008) | |
| - services starts after network-online.target (#1775304) | |
| - add missing part of memory leak patch (#1829860) | |
| - add support for AES192 and AES256 (#1846252) | |
| - rebuilt | |
| - Added ucd5820stat to the files section. | |
| - Updated to latest version (4.2.4.pre3) | |
| - fix lib dirs in configure (#197684) | |
| - check for header files in configure | |
| - patch for SNMPv3 traps / session user creation (net-snmp bz#1374087) | |
| - add missing include files from util_funcs directory (#603243) | |
| - update to rc6, snmpnetstat changes due to license problems | |
| - persistent files in directory defined by snmp.conf persistentDir are | |
| loaded at startup | |
| - added btrfs support to hrFSTable (#965348) | |
| - fixed c++ guards in net-snmp header files (#650219) | |
| - fix missing IF-MIB::ifNumber.0 (#189007) | |
| - rebuild for autoconf | |
| - bump again for double-long bug on ppc(64) | |
| - fix overly verbose log message (#221911) | |
| - few minor tweaks for review - still not perfect | |
| - fix linking with lcrypto (#231805) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - perl dependency renamed to perl-interpreter | |
| - rebuild for new perl | |
| - add support of lm_sensors v3 | |
| - added procps to build dependencies (#380321) | |
| - removed beecrypt from dependencies | |
| - fixed crash on reading xen interfaces (#386611) | |
| - CAN-2005-1740 net-snmp insecure temporary file usage (#158770) | |
| - patch from suse.de | |
| - fixed perl linking (#742678) | |
| - session free fixed, agentx modules build fine (#157851) | |
| - fixed dependency for net-snmp libs (#156932) | |
| - update to net-snmp-5.4.2 | |
| - change %postun to %preun | |
| - switching to a different 64bit patch, hopefully 64bit problems are gone for a while | |
| - rebuild for new perl | |
| - fix invalid access to memory in tcpListenerTable (#551030) | |
| - fix compilation of the python module | |
| - Fixed problem with perl option (#102420). | |
| - Added patch for libwrap fix (#77926). | |
| - fix rpm ownership of all created directories (#473582) | |
| - fix perl SNMP::Session::set (#452131) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Added support for ppc64le architecture (#1052431) | |
| - Prevent post script failure on fresh installs | |
| - rebuilt | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - rebuilt for new gcj | |
| - upgrade to 5.3 | |
| - fix various flaws (CVE-2008-2292 CVE-2008-0960) | |
| - Patch fixing uninitialized stack variable in smux_trap_process (#130179) | |
| - bumped release and rebuilt. | |
| - rebuilt | |
| - Hacked an ugly perl hack to get rid of perl RPATH problems. | |
| - Fixed 64bit patch and applied it. ;-) | |
| - Enabled IPv6 support (RFE #47764) | |
| - Hopefully final fix of snmpwalk problem (#42153). Thanks to Douglas Warzecha | |
| for the patch and Matt Domsch for reporting the problem. | |
| - rebuild for new rpm | |
| - Fixed permission problem for debuginfo (#101456) | |
| - created the package... possibly replace cmu-snmp with this. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - use net.ipv6.neigh.lo.retrans_time_ms (#186546) | |
| - enable smux to listen only on LOCAL by default (#181667) | |
| - use correct answer address | |
| - remove backup file to fix perl dependencies | |
| - Rebuilt after RPM update (№ 3) | |
| - disable failing test on s390(x) (#680697) | |
| - rebuild for new librpm | |
| - Added missing BuildPrereq to openssl-devel (#61525) | |
| - remove Group tag | |
| - remove sysvinit package and init files (no longer needed) | |
| - fix python2 references and dependencies in spec file | |
| - Fixed problem with new proc output (#98619, #89960). | |
| - re-create /var/run/net-snmp on boot using tmpfiles.d (#656637) | |
| - move snmp-bridge-mib and net-snmp-cert utilities to net-snmp-perl | |
| subpackage, net-snmp-utils subpackage does not depend on Perl now | |
| - Rebuilt for RPM soname bump | |
| - update to 5.3.1.pre2 | |
| - fix multilib issues (#192736) | |
| On system with /usr/lib64 use net-snmp-config64 and net-snmp-config64.h | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - explicitly require lm_sensor > 3 for build (#442718) | |
| - create multilib net-snmp-config on multilib architectures only | |
| - move initscript and add condrestart magic | |
| - add all relevant rpm scalars to host resources mib. | |
| - gawk added to build dependencies | |
| - fixing ipNetToMediaNetAddress to show IP address (#432780) | |
| - restore host resources mib | |
| - simplified config file | |
| - rebuild for 6.0. | |
| - rebuilt | |
| - fix sparc handling in /usr/include/net-snmp/net-snmp-config-sparc.h | |
| - init scripts made LSB compliant | |
| - Perl 5.20 rebuild | |
| - automatic rebuild | |
| - Fix strstr() crash when looking for RPM Group tag | |
| - Fix wrong usage of structure iterator | |
| - Fix issue with statistics from autofs | |
| - fix endian issues for addresses | |
| - CAN-2005-2177 new upstream version fixing DoS (#162908) | |
| - supported lm_sensors on ppc64 (#249255) | |
| - snmpconf generates config files with proper selinux context | |
| (#247462) | |
| - fix leak in udp transport (#247771) | |
| - add alpha to supported archs in net-snmp-config (#246825) | |
| - fix hrSWInst (#250237) | |
| - fix daemon crash on resend request (#1694047) | |
| - fix address assigning for IPv6 clientaddr option (#1672668) | |
| - fix discovered issues from coverity scan (#1602630) | |
| - fixed truncation of sysObjectID (#640848) | |
| - Fixed build problems on ppc64 | |
| - Fixed double packaged manpages (#102075). | |
| - all but config (especially SNMPv2p) ready for prime time | |
| - Updated the old libtool rpath patch. | |
| - update to 4.2.4 final | |
| - fix sparc handling in /usr/bin/net-snmp-config | |
| - fix udpTable indexes on big-endian systems (#543352) | |
| - fix snmptrapd init script to survive with empty /etc/sysconfig/snmptrapd | |
| - lower the default log level of snmpd to get rid of the debug messages | |
| - updated to net-snmp-5.7 | |
| - set permissions of snmpd.conf and snmptrapd conf to 0600 to prevent | |
| users from reading passwords and community strings. | |
| - Added the snmptrapd init script as per request (#49205) | |
| - Fixed the again broken rpm query stuff (#57444) | |
| - Removed all old and none-used db related stuff (libs and header checks/files) | |
| - Included generation of perl stuff. Thanks to Harald Hoyer. | |
| - add net-snmp-python | |
| - Perl 5.24 rebuild | |
| - 64bit needed some changes, was causing timeouts on 64bit archs!? | |
| - affects bugs #125432 and #132058 | |
| - License: field changed to MIT | |
| - 5.4.1 integrated | |
| - Rebuild for Python 2.6 | |
| - CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844) | |
| - moved agentxtrap utility to net-snmp-utils subpackage, | |
it's a utility, not a daemon. | |
| - Rebuild against newer rpm | |
| - default config was broken (from Wes Hardaker) (#9752) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - add mibII/mta_sendmail (#207909) | |
| - Added --enable-ucd-snmp-compatibility for compatibility with older version | |
| and fixed installation thereof. | |
| - Got rid of the perl(Tk) dependency by removing snmpcheck. | |
| - Include /usr/include/ucd-snmp in the filelist. | |
| - Fixed a problem with the ucd-snmp/version.h file. | |
| - implement force-reload command in initscripts (#523126) | |
| - Update to 4.2.3 final. | |
| - Fixed libtool/rpath buildroot pollution problem. | |
| - Fixed library naming problem. | |
| - rebuilt against tcp_wrappers-devel | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Removed tkmib from the package once again as we don't ship the Tk.pm CPAN | |
| perl module required to run it (#49363) | |
| - Added missing Provides for the .so.0 libraries as rpm doesn't seem to find | |
| those during the build anymore (it used to) (#46388) | |
| - Fixed CVE-2014-3565 | |
| - Fixed net-snmp-cert tool, now it does not depend on net-snmp-devel (#1134475) | |
| - update to release candidate 4 | |
| - Update to 5.7.3 | |
| - stateless access to rpm database. | |
| - License: field fixed to "BSD and CMU" | |
| - rebuild | |
| - rebuilt to fix broken deps | |
| - remove files from the buildroot that we don't want to ship | |
| - enabled pie (snmpd, snmptrapd) - postponed for ia64 | |
| - added --with-pic to configure call | |
| - return a usable RETVAL when running "service snmpd status" (#33571) | |
| - fix Source0 location. | |
| - fix the snmpd.conf file to use real community names. | |
| - fix rtnetlink.h/if_addr.h | |
| - actually apply ipv6 patch | |
| - Edit fix of issue with undefined symbol my_progname when try to load | |
| NetSNMP::TrapReceiver in perl script (#1470004) | |
| - Hardcoded the ETC_MNTTAB to point to "/etc/mtab". | |
| - Included 64bit fix from Mark Langsdorf (#114645). | |
| - include these tables: ip-mib/ipv4InterfaceTable | |
| ip-mib/ipv6InterfaceTable, ip-mib/ipAddressPrefixTable | |
| - fix Requires of net-snmp-devel to include lmsensors-devel on supported | |
| architectures | |
| - fix net-snmp-config strange values for --libs (#228588) | |
| - don't start snmpd unless requested | |
| - start snmpd after pcmcia. | |
| - Security fix. Bug granting write access to read-only users | |
| or communities which were configured using the "rocommunity" | |
| or "rouser" snmpd.conf tokens fixed | |
| - rebuilt | |
| - remove python package and update to the last upstream version (#1584510) | |
| - fix out of bound access (RHEL-137501) | |
| - perl modern auth enablement (RHEL-137310) | |
| - Bump version to rebuild against new RPM in Rawhide. | |
| - Fixed systemd support (#875632). | |
| - configure with --enable-reentrant and added "smux" and "agentx" to | |
| --with-mib-modules= argument (#29626) | |
| - Updated to net-snmp-5.0.7. Fixed especially the performance problem with | |
| limited trees. | |
| - properly fix failing tests on ppc/s390 (#655731) | |
| - move ldconfig post/postun to libs subrpm | |
| - add missing IETF MIB license text (BSD) | |
| - fix build on s390x which has no libsensors | |
| - Disable sysvinit subpackage on F23+ | |
| - fixed temporary filename generation in snmptrapd (#616347) | |
| - new release, fixing several issues | |
| - pointer needs to be initialized (#146417) | |
| - Bumped release and rebuilt. | |
| - Removed all dbFOO cruft again. | |
| - Updated to 5.0.1 | |
| - Dropped --enable-reentrant as it's currently broken | |
| - package for Red Hat 7.1. | |
| - update to 4.1.2. | |
| - FHS packaging. | |
| - patch for rpm 4.0. | |
| - update to 4.1.1 | |
| - add tcp-mib (#194856) | |
| - Fixed snmpd description (#52366) | |
| - fix syntax error that crept in with condrestart | |
| - rebuild for openssl soname bump | |
| - move mib2c-update from net-snmp-utils to net-snmp-perl, where | |
| mib2c is located | |
| - add tkmib to net-snmp-gui package (#167933) | |
| - Update to latest upstream version 5.1.1 | |
| - Included updated patches from Kaj J. Niemi (#118580). | |
| - rebuild per Trond's request. | |
| - fix default snmptrapd.conf | |
| - fix to use libwrap in distro | |
| - add buildprereq: tcp_wrappers | |
| - fix read problem on stream sockets (net-snmp bz#1337534) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Fixed snmpd crashing when AgentX subagent disconnects in the middle of | |
| request processing (#1038011) | |
| - Updated to 5.7.2 | |
| - add math library in LDFLAGS (#1846252) | |
| - update to release candidate 4 | |
| - fix lib dependencies on 64bit archs | |
| - suppress perl build | |
| - add Requires for tcp_wrappers-devel for -devel | |
| - fix crash with interfaces without broadcast addresses (like OpenVPN's tun0) | |
| (#544849) | |
| - rebuilt | |
| - patch adding ipv6 support to ip system stats | |
| - fix dereferencing null pointer (#2021403) | |
| - update to another prerelease (fixes perl agents) | |
| - add openssl-devel to the list of netsnmp-devel deps | |
| - another attempt to fix multilib issue. Generate dummy net-snmp-config.h file | |
| - rebuilt | |
| - release candidate 3 of net-snmp-5.2.2 | |
| - Removed snmpcheck again, needs perl(Tk) which we don't ship (#111194). | |
| - Fixed getopt definition in include file (#111209). | |
| - Included Kaj J. Niemi's patch for broken perl module (#111319). | |
| - Included Kaj J. Niemi's patch for broken async getnext perl call (#111479). | |
| - Included Kaj J. Niemi's patch for broken hr_storage (#111502). | |
| - Switch to latest stable version, 5.0 | |
| - Renamed the package to net-snmp and obsoleted ucd-snmp. | |
| - rebuilt | |
| - fix memory leak due of proc file creating (#2105957) | |
| - fix CVE-2022-44792 and CVE-2022-44793 (#2141901) and (#2141905) | |
| - fix memory leak when ipv6 disable set to 1 (#2151537) | |
| - fix proxy timeout issue (#2160723) | |
| - fix annocheck distro flag failures (#1624151) | |
| - Removed the check for dbFOO as we don't want to add another requirement. | |
| - restored rpath in net-snmp-config output - SNMP subagent won't link | |
| with libsnmpagent.so without it, linker needs to know location | |
| of libperl.so | |
| - fixed check section to make tests pass on machine without DNS | |
| - fix CVE-2020-15862 (#1875497) | |
| - fix bulk responses for invalid PID (#1817190) | |
| - fix IPv4/IPv6 address presentation (#200255) | |
| - Updated to latest upstream version net-snmp-5.0.9 | |
| - Added patch to fix net-snmp-perl problems (#105842). | |
| - Fixed build problems for net-snmp-perl. | |
| - rebuilt in new environment | |
| - Rebuild against newer mysql | |
| - net-snmp-cert gencert create SHA512 (#1908331) | |
| - fix memleaks in ip-addr and tcpConn | |
| - net-snmp-5.2, patch clean-up | |
| - update to 5.3.1 final version, fix version number | |
| - make the default configuration less noisy, i.e. do not print "Connection from | |
| UDP:" and "Received SNMP packet(s) from UDP:" messages on each connection. | |
| (#509055) | |
| - Rebuild for new rpm | |
| - Dropped obsolete lm-sensors patch and enabled lmSensors module | |
| - Marked several patches to be removed for 5.1.3 | |
| - add missing struct.h header file (#603243) | |
| - rebuilt for unwind info generation, broken in gcc-4.1.1-21 | |
| - remove README* that do not apply to Linux | |
| - trim massive ChangeLog | |
| - Extended the libwrap and bsdcompat patches | |
| - lm_sensors-devel only where available | |
| - rebuild in new environment | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Add support for new version of OpenSSL library (#1423984) | |
| - Another bump required. Some more specfile changes. | |
|
|
|
| net-snmp-agent-libs-5.8-33.el8_10.x86_64.rpm | - fix out of bound access (RHEL-137501) |
| - perl modern auth enablement (RHEL-137310) | |
|
|
|
| net-snmp-libs-5.8-33.el8_10.x86_64.rpm | - fix out of bound access (RHEL-137501) |
| - perl modern auth enablement (RHEL-137310) | |
|
|
|
| net-snmp-utils-5.8-33.el8_10.x86_64.rpm | - fix out of bound access (RHEL-137501) |
| - perl modern auth enablement (RHEL-137310) | |
|
|
|
| oddjob-0.34.7-3.el8.x86_64.rpm | - rebuild with new libxml2 |
| - refer to $local_fs instead of $localfs in the init script (#802719) | |
| - install a systemd unit file instead of an init script on still-in-development | |
| releases (#820137,818963) | |
| - build binaries position-independent and marked for earliest-possible symbol | |
| resolution (#852800) | |
| - don't worry about moving things from /usr to / when they're the same (#852800) | |
| - rebuild | |
| - also tell the system message bus to reload its configuration when we install | |
| a subpackage with a new service in it | |
| - rebuild | |
| - Autorebuild for GCC 4.3 | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - make that last change dependent on which release we're building for | |
| - add an [Install] section containing WantedBy=sysinit.target to the systemd | |
| unit file (#963722), allowing it to actually be "enabled" | |
| - update to 0.20 | |
| - break shared libraries and modules for PAM and python into a subpackage | |
| for better behavior on multilib boxes | |
| - if we're not building a sample subpackage, include the sample files in | |
| the right locations as %doc files | |
| - make the init script exit with status 2 when given an unknown command, rather | |
| than with status 1 (#674534) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for gcc bug 634757 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - add some missing build-time requirements | |
| - rebuild | |
| - rebuild | |
| - fix some path mismatches in the sample configuration files | |
| - don't try to set a reconnect timeout until after we've connected | |
| - rebuild | |
| - rebuild | |
| - rebuild | |
| - update to 0.27-1: | |
| - don't attempt to subscribe to all possible messages -- the message bus | |
| will already route to us messages addressed to us, and if we try for | |
| more than that we may run afoul of SELinux policy, generating spewage | |
| - add a build dependency on pkgconfig, for the sake of FC3 | |
| - update docs and comments because D-BUS is now called D-Bus | |
| - rebuild | |
| - tweak initialization so that we set up for providing our D-Bus APIs before we | |
| register our names with the bus, so that we can handle any requests that | |
| arrive before the acknowledgement of that registration, which should make | |
| system activation a viable option | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update dbus-send dependency for new dbus (#1170584) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - rebuild | |
| - update to 0.26-1: | |
| - don't get confused when ACL entries for introspection show up in the | |
| configuration before we add the handlers for them | |
| - export $ODDJOB_CALLING_USER to helpers | |
| - add missing requires(post) on killall, which we use to poke the message | |
| bus daemon to get it to reload its configuration, spotted by rcritten | |
| - fix the location for the sample D-BUS configuration doc file | |
| - own more created directories | |
| - don't try to "close" our shared connection to the bus when the bus | |
| hangs up on us -- at some point libdbus started abort()ing when we try | |
| that (#634356) | |
| - when the mkhomedir helper has to create intermediate directories, don't | |
| apply a umask that might have been supplied on its command line (#666418) | |
| - Always set the home directory permissions according to HOME_MODE | |
| - Resolves: rhbz#2135793 | |
| - move helpers to libexecdir, keeping pkglibdir around in the package (#237207) | |
| - use %systemd_postun_with_restart instead of plain old %systemd_postun, | |
| because we can be restarted in the %postun | |
| - unmark the init script as a %config file (part of #197182) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - rebuild | |
| - rebuild | |
| - add man(5) pages for the configuration files that we include which get | |
| included by others, just to be tidy (#884552) | |
| - documentation tweaks for man pages | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuild against RHEL 8.4.0 | |
| Resolves: rhbz#1886433 | |
| - Add gating tests using idm:DL1 module stream and upstream tests | |
| Resolves: rhbz#1682457 | |
| - Upstream release 0.34.7 | |
| - Force LC_ALL=C.UTF-8 in oddjobd systemd service environment | |
| - Resolves: rhbz#1907481 - oddjob locale issue | |
| - Resolves: rhbz#1907541 - rebase oddjob to 0.34.7 | |
| - configure with --disable-dependency-tracking (Ville Skyttä, #228928) | |
| - drop the shared library and python bindings, which so far as i can tell | |
| weren't being used, obsoleting them to avoid a mess on upgrades | |
| - move the mkhomedir helper from %{_libdir}/%{name} to | |
| %{_libexecdir}/%{name} to make the multilib configuration files agree | |
| (#559232) | |
| - use %global instead of %define | |
| - rebuild | |
| - use newer systemd macros (#857375) | |
| - add recommended dependency on pkgconfig in the -devel subpackage | |
| - show that we implement force-reload and try-restart in the init script's | |
| help message (#522131) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuild | |
| - prefer BuildRequires: to BuildPrereq (#176452) | |
| - require /sbin/service at uninstall-time, because we use it (#176452) | |
| - be more specific about when we require /sbin/chkconfig (#176452) | |
| - split off mkhomedir bits into a subpackage (#236820) | |
| - take a pass at new-init-ifying the init script (#247005) | |
| - try to SIGHUP the messagebus daemon at first install so that it'll | |
| let us claim our service name if it isn't restarted before we are | |
| first started (same as #636876) | |
| - fix compilation against older versions of D-BUS if the | |
| GetConnectionSELinuxSecurityContext method turns out to be available | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - update to 0.24, fixing some build errors against D-BUS 0.30-0.33 | |
| - require xmlto, because the generated HTML differs depending on whether | |
| or not we know how to enforce ACLs which include SELinux context info | |
| - build with DocBook 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild | |
| - rebuild | |
| - Rebuild for Python 2.6 | |
| - fix a crasher in pam_oddjob_mkhomedir.so: remove an initialization step that | |
| should have been removed when the module was modified to accept larger | |
| replies (#1236970) | |
| - add a -t flag to oddjob_request to allow its timeout to be | |
| customized (#1085491) | |
| - update to 0.25: | |
| - add introspection for parents of objects specified in the configuration | |
| - oddjobd can reload its configuration now | |
| - add -u (umask) and -s (skeldir) flags to the mkhomedir helper (#246681) | |
| - open a connection to the bus for every service we're serving, instead of | |
| using just one for the lot of them, so that we can tell which service a | |
| client was attempting to contact if it sends a message to our unique | |
| connection address instead of a well-known name, like dbus-python does | |
| - tweak the logic for guessing which interface name is right when a request | |
| doesn't include one, so that it has a better chance of finding the right one | |
| - increase the initial size of the buffer that we pass to getpwnam_r in the | |
| pam_oddjob_mkhomedir module (#1198812) | |
| - Support HOME_MODE from /etc/login.defs | |
| Resolves: rhbz#1886433 | |
| - add that dependency to the right subpackage | |
| - when "prepend_user_name" is used, the user name is now added to the helper's | |
| command line after arguments that were specified in the helper "exec" | |
| attribute | |
| - resync with Fedora packaging | |
| - rebuild | |
| - build fixes | |
| - Upstream release 0.34.5 | |
| - Resolves: rhbz#1833289 - Rebase oddjob to 0.34.5 | |
| - Resolves: rhbz#1833052 - CVE-2020-10737 | |
| oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack | |
| - stop overriding the system-wide UMASK default in our default | |
| oddjobd-mkhomedir.conf file (#995097) | |
| - Drop Python 2 build-time dependency, which hasn't been used since we turned | |
| off building the python bindings years ago (#1595853, #1642502). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - split off python subpackage, make -devel depend on -libs, let autodeps | |
| provide the main package's dependency on -libs (#228377) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - require dbus-x11 so that the tests can use dbus-launch | |
| - try to read the default umask from /etc/login.defs (more of #666418) | |
| - when we install the mkhomedir subpackage, if there's a running oddjobd, ask | |
| it to reload its configuration | |
| - fix missing bits from the namespace changes in configuration files | |
| - restart the service in %postun | |
| - Add a non-default option to revert behavior for CVE-2020-10737 fix | |
| - Resolved: rhbz#2050079 | |
| - explicitly require "dbus" at the package level (#1085450) | |
| - rebuild | |
| - rebuild | |
| - catch calls to the method invocation helper function that mistakenly | |
| didn't include the newly-required timeout value (#1089655,#1089656) | |
|
|
|
| oddjob-mkhomedir-0.34.7-3.el8.x86_64.rpm | - rebuild with new libxml2 |
| - refer to $local_fs instead of $localfs in the init script (#802719) | |
| - install a systemd unit file instead of an init script on still-in-development | |
| releases (#820137,818963) | |
| - build binaries position-independent and marked for earliest-possible symbol | |
| resolution (#852800) | |
| - don't worry about moving things from /usr to / when they're the same (#852800) | |
| - rebuild | |
| - also tell the system message bus to reload its configuration when we install | |
| a subpackage with a new service in it | |
| - rebuild | |
| - Autorebuild for GCC 4.3 | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - make that last change dependent on which release we're building for | |
| - add an [Install] section containing WantedBy=sysinit.target to the systemd | |
| unit file (#963722), allowing it to actually be "enabled" | |
| - update to 0.20 | |
| - break shared libraries and modules for PAM and python into a subpackage | |
| for better behavior on multilib boxes | |
| - if we're not building a sample subpackage, include the sample files in | |
| the right locations as %doc files | |
| - make the init script exit with status 2 when given an unknown command, rather | |
| than with status 1 (#674534) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for gcc bug 634757 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - add some missing build-time requirements | |
| - rebuild | |
| - rebuild | |
| - fix some path mismatches in the sample configuration files | |
| - don't try to set a reconnect timeout until after we've connected | |
| - rebuild | |
| - rebuild | |
| - rebuild | |
| - update to 0.27-1: | |
| - don't attempt to subscribe to all possible messages -- the message bus | |
| will already route to us messages addressed to us, and if we try for | |
| more than that we may run afoul of SELinux policy, generating spewage | |
| - add a build dependency on pkgconfig, for the sake of FC3 | |
| - update docs and comments because D-BUS is now called D-Bus | |
| - rebuild | |
| - tweak initialization so that we set up for providing our D-Bus APIs before we | |
| register our names with the bus, so that we can handle any requests that | |
| arrive before the acknowledgement of that registration, which should make | |
| system activation a viable option | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update dbus-send dependency for new dbus (#1170584) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - rebuild | |
| - update to 0.26-1: | |
| - don't get confused when ACL entries for introspection show up in the | |
| configuration before we add the handlers for them | |
| - export $ODDJOB_CALLING_USER to helpers | |
| - add missing requires(post) on killall, which we use to poke the message | |
| bus daemon to get it to reload its configuration, spotted by rcritten | |
| - fix the location for the sample D-BUS configuration doc file | |
| - own more created directories | |
| - don't try to "close" our shared connection to the bus when the bus | |
| hangs up on us -- at some point libdbus started abort()ing when we try | |
| that (#634356) | |
| - when the mkhomedir helper has to create intermediate directories, don't | |
| apply a umask that might have been supplied on its command line (#666418) | |
| - Always set the home directory permissions according to HOME_MODE | |
| - Resolves: rhbz#2135793 | |
| - move helpers to libexecdir, keeping pkglibdir around in the package (#237207) | |
| - use %systemd_postun_with_restart instead of plain old %systemd_postun, | |
| because we can be restarted in the %postun | |
| - unmark the init script as a %config file (part of #197182) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - rebuild | |
| - rebuild | |
| - add man(5) pages for the configuration files that we include which get | |
| included by others, just to be tidy (#884552) | |
| - documentation tweaks for man pages | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuild against RHEL 8.4.0 | |
| Resolves: rhbz#1886433 | |
| - Add gating tests using idm:DL1 module stream and upstream tests | |
| Resolves: rhbz#1682457 | |
| - Upstream release 0.34.7 | |
| - Force LC_ALL=C.UTF-8 in oddjobd systemd service environment | |
| - Resolves: rhbz#1907481 - oddjob locale issue | |
| - Resolves: rhbz#1907541 - rebase oddjob to 0.34.7 | |
| - configure with --disable-dependency-tracking (Ville Skyttä, #228928) | |
| - drop the shared library and python bindings, which so far as i can tell | |
| weren't being used, obsoleting them to avoid a mess on upgrades | |
| - move the mkhomedir helper from %{_libdir}/%{name} to | |
| %{_libexecdir}/%{name} to make the multilib configuration files agree | |
| (#559232) | |
| - use %global instead of %define | |
| - rebuild | |
| - use newer systemd macros (#857375) | |
| - add recommended dependency on pkgconfig in the -devel subpackage | |
| - show that we implement force-reload and try-restart in the init script's | |
| help message (#522131) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuild | |
| - prefer BuildRequires: to BuildPrereq (#176452) | |
| - require /sbin/service at uninstall-time, because we use it (#176452) | |
| - be more specific about when we require /sbin/chkconfig (#176452) | |
| - split off mkhomedir bits into a subpackage (#236820) | |
| - take a pass at new-init-ifying the init script (#247005) | |
| - try to SIGHUP the messagebus daemon at first install so that it'll | |
| let us claim our service name if it isn't restarted before we are | |
| first started (same as #636876) | |
| - fix compilation against older versions of D-BUS if the | |
| GetConnectionSELinuxSecurityContext method turns out to be available | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - update to 0.24, fixing some build errors against D-BUS 0.30-0.33 | |
| - require xmlto, because the generated HTML differs depending on whether | |
| or not we know how to enforce ACLs which include SELinux context info | |
| - build with DocBook 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild | |
| - rebuild | |
| - Rebuild for Python 2.6 | |
| - fix a crasher in pam_oddjob_mkhomedir.so: remove an initialization step that | |
| should have been removed when the module was modified to accept larger | |
| replies (#1236970) | |
| - add a -t flag to oddjob_request to allow its timeout to be | |
| customized (#1085491) | |
| - update to 0.25: | |
| - add introspection for parents of objects specified in the configuration | |
| - oddjobd can reload its configuration now | |
| - add -u (umask) and -s (skeldir) flags to the mkhomedir helper (#246681) | |
| - open a connection to the bus for every service we're serving, instead of | |
| using just one for the lot of them, so that we can tell which service a | |
| client was attempting to contact if it sends a message to our unique | |
| connection address instead of a well-known name, like dbus-python does | |
| - tweak the logic for guessing which interface name is right when a request | |
| doesn't include one, so that it has a better chance of finding the right one | |
| - increase the initial size of the buffer that we pass to getpwnam_r in the | |
| pam_oddjob_mkhomedir module (#1198812) | |
| - Support HOME_MODE from /etc/login.defs | |
| Resolves: rhbz#1886433 | |
| - add that dependency to the right subpackage | |
| - when "prepend_user_name" is used, the user name is now added to the helper's | |
| command line after arguments that were specified in the helper "exec" | |
| attribute | |
| - resync with Fedora packaging | |
| - rebuild | |
| - build fixes | |
| - Upstream release 0.34.5 | |
| - Resolves: rhbz#1833289 - Rebase oddjob to 0.34.5 | |
| - Resolves: rhbz#1833052 - CVE-2020-10737 | |
| oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack | |
| - stop overriding the system-wide UMASK default in our default | |
| oddjobd-mkhomedir.conf file (#995097) | |
| - Drop Python 2 build-time dependency, which hasn't been used since we turned | |
| off building the python bindings years ago (#1595853, #1642502). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - split off python subpackage, make -devel depend on -libs, let autodeps | |
| provide the main package's dependency on -libs (#228377) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - require dbus-x11 so that the tests can use dbus-launch | |
| - try to read the default umask from /etc/login.defs (more of #666418) | |
| - when we install the mkhomedir subpackage, if there's a running oddjobd, ask | |
| it to reload its configuration | |
| - fix missing bits from the namespace changes in configuration files | |
| - restart the service in %postun | |
| - Add a non-default option to revert behavior for CVE-2020-10737 fix | |
| - Resolved: rhbz#2050079 | |
| - explicitly require "dbus" at the package level (#1085450) | |
| - rebuild | |
| - rebuild | |
| - catch calls to the method invocation helper function that mistakenly | |
| didn't include the newly-required timeout value (#1089655,#1089656) | |
|
|
|
| openal-soft-1.18.2-7.el8.x86_64.rpm | - Fix FTBFS on ARM (rhbz#1307818) |
| - New upstream release | |
| - Fixed broken upgrade paths. | |
| - Fixed Bug 567870 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - the used fpu control bits are x86 specific | |
| - Update to 1.9.563 + some fixes from git | |
| - This fixes: | |
| - Not having any sound in chromium-bsu | |
| - Various openal using programs hanging on exit | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Newer git version with more Pulseaudio fixes. Have fun. | |
| - Allow pulseaudio to move openal-soft output streams (rhbz#1544381) | |
| - Fix release -4 not building (rhbz#1544012) | |
| - Drop unnecessary qt-devel BuildRequires (we also BuildRequire qt5-devel) | |
| - Fixed all warnings of rpmlint | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Fixed license and pkgconfig problem thx goes to Christoph Wickert | |
| - Fixed bug 517973 | |
| - Fixed small spec version info. | |
| - Only enable examples using SDL_sound on fedora (#1596651) | |
| - New upstream release | |
| - Move bsincgen to -devel and altonegen to -examples | |
| - New upstream release | |
| - Add BR: qt5-devel + SDL_sound-devel | |
| - Add -examples subpackage | |
| - New Upstream Release | |
| - Own the hrtf dir | |
| - 1.13-1 | |
| - version upgrade | |
| - spec cleanup | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - 1.14-1 | |
| - version upgrade (rhbz#808968) | |
| - spec cleanup | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fixed version info | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Updated to a newer git version because of some pulseaudio fixes. | |
| - I hope it fixes bug 533501 | |
| - Fixed Version Number | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Added Obsoletes: openal <= 0.0.9 and remove Conflicts: openal-devel | |
| - Initial release for Fedora | |
| - Add the -qt subpackage to host the alsoft-config tool | |
| - New upstream release | |
| - add default config | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Build against FluidSynth. | |
| - Newer git version that fixes more problems with pulseaudio. | |
| - Remove fluidsynth and portaudio dependencies | |
| - New upstream release | |
| - remove support for no longer supported Fedora versions (<=25) | |
| - fix: add %{_libdir}/cmake/OpenAL directory to devel | |
| - fix: s/_datarootdir/_datadir/ as this package does not use datarootdir | |
| but datadir | |
| - fix: add %{_datadir}/openal to main package as well and to %exclude | |
| %{_datadir}/openal/{alsoftrc.sample,presets/presets.txt} as those files | |
| are not needed | |
| - removed Group fields | |
| (https://fedoraproject.org/wiki/Packaging:Guidelines#Tags_and_Sections) | |
| - add use more macros (%autosetup, %make_build, %make_install) | |
| - Switch to %ldconfig_scriptlets | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update the SPEC and SRPM file because openal-soft-devel conflicts with | |
| openal-devel | |
| - Check for arm_neon.h only on 32bit ARM | |
| - Fixed bug 517721. Added upstream.patch | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Fixed Obsoletes: and Provides: sections | |
| - Updated to a newer git version because of some pulseaudio fixes. | |
|
|
|
| openblas-0.3.15-6.el8.x86_64.rpm | - Fix izamax on s390x |
| resolves: #1752241 | |
| - Update to 0.2.16. | |
| - Drop arch-dependent buildrequires (BZ #1545201); no changes to package | |
| (only affects packages custom built with --with system_lapack). | |
| - add generic s390x support (#1442048) | |
| - Fix i686-x86_64 multilib difference | |
| related: #1627890 | |
| - Rebase to version 0.3.10 | |
| resolves: #1847435 | |
| - Update to 0.2.20. | |
| - Use new execstack (#1247795) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Force preprocessing of Fortran sources to make annobin record proper flags | |
| - Enable optimizations for all LAPACK sources | |
| resolves: #1624156 | |
| - Honor Fedora linker flags (BZ #1548750). | |
| - Use %__global_ldflags instead of %build_ldflags that doesn't work on | |
| all distributions. | |
| - Added LAPACKE include files. | |
| - Rebase to version 0.3.12 | |
| related: #1847435 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebase to version 0.3.3 | |
| resolves: #1627890 | |
| - Fix linkage of OpenMP libraries (BZ #1391491). | |
| - update for aarch64 | |
| - Simplify spec, dropping extra lib arguments. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Fixed 32-bit build, and build on EPEL 5. | |
| - Need to use -frecursive to make LAPACK thread safe. | |
| - Define %openblas_arches for dependent packages to use | |
| - Update to 0.2.13. | |
| - Fix missing header files in openblas-devel subpackage by enabling | |
| gcc-toolset-11 in %install as well | |
| related: #1983218 | |
| - Update to 0.2.8. | |
| - Fix macro used in LAPACKE_zgesvdq | |
| related: #1847435 | |
| - Set proper CFLAGS also for Rblas | |
| related: #1624156 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Disable dynamic CPU detection on aarch64 | |
| - Use gcc-toolset-12 | |
| - Resolves: #2170398 | |
| - Update to 0.2.14. | |
| - Remove optimization pragmas on ppc64le | |
| related: #1624156 | |
| - Disable LAPACKE support on distributions where it is not available due to | |
| a too old version of lapack. | |
| - Add version to bundled lapack provide. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Use system version of LAPACK. | |
| - Clean up obsolete conditionals for 64 bit builds in spec file. | |
| - Rebase to version 0.3.15 | |
| - Use gcc-toolset-11 to benefit from POWER 10 optimizations | |
| resolves: #1983218 | |
| - Add tests and enable gating | |
| related: #1752241 | |
| - Ensure object files built from assembler sources are annotated | |
| related: #1624156 | |
| - Disable CPU affinity unintentionally enabled upstream (BZ #1558091). | |
| - build a copy of openblas that thinks it is Rblas | |
| There are no code changes, except for libname and soname, it is identical to libopenblas.so.0 | |
| Unfortunately, while R itself is fine using a symlink from libopenblas.so.0 to libRblas.so | |
| the larger R ecosystem becomes unhappy in this scenario. | |
| - Actually use 8-bit integers in 64-bit interfaces (BZ #1382916). | |
| - Enable armv7hl and ppc64le architectures. | |
| - Build versions of the 64-bit libraries with an additional suffix | |
| (BZ #1287541). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Upgrade Patch4 to hopefully fully fix the issues on PPC64LE | |
| - Update to 0.2.5. | |
| - Enable ppc64 and ppc64p7 architectures | |
| based on Dan Horák's patch (BZ #1356189). | |
| - Supply proper make flags to the tests. | |
| - Update to 0.2.10. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Include deprecated LAPACK functions. | |
| - Update to 0.2.7. | |
| - Use OpenBLAS versions of LAPACK functions, as they seem to be | |
| working now. | |
| - Rebuild for GCC 8 | |
| - Revert "minor spec cleanups" by Peter Robinson. | |
| - aarch64 has execstack in Fedora | |
| - Minor spec cleanups | |
| - Increase maximum amount of cores from 32 to 128. | |
| - Add 64-bit interface support. (BZ #1088256) | |
| - Update to 0.2.9. (BZ #1043083) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Move openblas-srpm-macros to separate package | |
| - Rebuilt for GCC-7 | |
| - Run ldconfig on 64 builds too | |
| - Bump spec due to LAPACK rebuild. | |
| - Enable dynamic cpu detection on all supported architectures | |
| related: #1983218 | |
| - Allow conditional build with or without system lapack, default to without | |
| - Update to 0.2.15. | |
| - Drop openblas-srpm-macros version requirement | |
| - Fix build on RHEL5 and ppc architecture. | |
| - Update to 0.2.12. | |
| - Include openblas.pc | |
| - Resolves: #2115722 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Fix build on s390x (#1615557) | |
| - Update to 0.2.19. | |
| - Fix out-of-bounds read in *larrv | |
| - Resolves: CVE-2021-4048 | |
| - Review fixes. | |
| - Fix detection of generic ARMv8 CPUs | |
| - Get rid of executable stack in libRblas.so | |
| related: #1624156 | |
| - First release. | |
| - Update to 0.2.17 | |
| - Add Patch4 to fix register clobbers (BZ #1417385) | |
| - Update to 0.2.11. | |
| - Detect POWER9 as POWER8 | |
| related: #1752241 | |
| - Added documentation. | |
| - Fix library suffix on ppc64le. | |
| - Don't use reference LAPACK functions that have optimized implementation. | |
| - Update to 0.2.18. | |
| - Due to long standing bug, replace all OpenBLAS LAPACK functions with | |
| generic ones, so that package can finally be released in stable. | |
|
|
|
| openblas-threads-0.3.15-6.el8.x86_64.rpm | - Fix izamax on s390x |
| resolves: #1752241 | |
| - Update to 0.2.16. | |
| - Drop arch-dependent buildrequires (BZ #1545201); no changes to package | |
| (only affects packages custom built with --with system_lapack). | |
| - add generic s390x support (#1442048) | |
| - Fix i686-x86_64 multilib difference | |
| related: #1627890 | |
| - Rebase to version 0.3.10 | |
| resolves: #1847435 | |
| - Update to 0.2.20. | |
| - Use new execstack (#1247795) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Force preprocessing of Fortran sources to make annobin record proper flags | |
| - Enable optimizations for all LAPACK sources | |
| resolves: #1624156 | |
| - Honor Fedora linker flags (BZ #1548750). | |
| - Use %__global_ldflags instead of %build_ldflags that doesn't work on | |
| all distributions. | |
| - Added LAPACKE include files. | |
| - Rebase to version 0.3.12 | |
| related: #1847435 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebase to version 0.3.3 | |
| resolves: #1627890 | |
| - Fix linkage of OpenMP libraries (BZ #1391491). | |
| - update for aarch64 | |
| - Simplify spec, dropping extra lib arguments. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Fixed 32-bit build, and build on EPEL 5. | |
| - Need to use -frecursive to make LAPACK thread safe. | |
| - Define %openblas_arches for dependent packages to use | |
| - Update to 0.2.13. | |
| - Fix missing header files in openblas-devel subpackage by enabling | |
| gcc-toolset-11 in %install as well | |
| related: #1983218 | |
| - Update to 0.2.8. | |
| - Fix macro used in LAPACKE_zgesvdq | |
| related: #1847435 | |
| - Set proper CFLAGS also for Rblas | |
| related: #1624156 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Disable dynamic CPU detection on aarch64 | |
| - Use gcc-toolset-12 | |
| - Resolves: #2170398 | |
| - Update to 0.2.14. | |
| - Remove optimization pragmas on ppc64le | |
| related: #1624156 | |
| - Disable LAPACKE support on distributions where it is not available due to | |
| a too old version of lapack. | |
| - Add version to bundled lapack provide. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Use system version of LAPACK. | |
| - Clean up obsolete conditionals for 64 bit builds in spec file. | |
| - Rebase to version 0.3.15 | |
| - Use gcc-toolset-11 to benefit from POWER 10 optimizations | |
| resolves: #1983218 | |
| - Add tests and enable gating | |
| related: #1752241 | |
| - Ensure object files built from assembler sources are annotated | |
| related: #1624156 | |
| - Disable CPU affinity unintentionally enabled upstream (BZ #1558091). | |
| - build a copy of openblas that thinks it is Rblas | |
| There are no code changes, except for libname and soname, it is identical to libopenblas.so.0 | |
| Unfortunately, while R itself is fine using a symlink from libopenblas.so.0 to libRblas.so | |
| the larger R ecosystem becomes unhappy in this scenario. | |
| - Actually use 8-bit integers in 64-bit interfaces (BZ #1382916). | |
| - Enable armv7hl and ppc64le architectures. | |
| - Build versions of the 64-bit libraries with an additional suffix | |
| (BZ #1287541). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Upgrade Patch4 to hopefully fully fix the issues on PPC64LE | |
| - Update to 0.2.5. | |
| - Enable ppc64 and ppc64p7 architectures | |
| based on Dan Horák's patch (BZ #1356189). | |
| - Supply proper make flags to the tests. | |
| - Update to 0.2.10. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Include deprecated LAPACK functions. | |
| - Update to 0.2.7. | |
| - Use OpenBLAS versions of LAPACK functions, as they seem to be | |
| working now. | |
| - Rebuild for GCC 8 | |
| - Revert "minor spec cleanups" by Peter Robinson. | |
| - aarch64 has execstack in Fedora | |
| - Minor spec cleanups | |
| - Increase maximum amount of cores from 32 to 128. | |
| - Add 64-bit interface support. (BZ #1088256) | |
| - Update to 0.2.9. (BZ #1043083) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Move openblas-srpm-macros to separate package | |
| - Rebuilt for GCC-7 | |
| - Run ldconfig on 64 builds too | |
| - Bump spec due to LAPACK rebuild. | |
| - Enable dynamic cpu detection on all supported architectures | |
| related: #1983218 | |
| - Allow conditional build with or without system lapack, default to without | |
| - Update to 0.2.15. | |
| - Drop openblas-srpm-macros version requirement | |
| - Fix build on RHEL5 and ppc architecture. | |
| - Update to 0.2.12. | |
| - Include openblas.pc | |
| - Resolves: #2115722 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Fix build on s390x (#1615557) | |
| - Update to 0.2.19. | |
| - Fix out-of-bounds read in *larrv | |
| - Resolves: CVE-2021-4048 | |
| - Review fixes. | |
| - Fix detection of generic ARMv8 CPUs | |
| - Get rid of executable stack in libRblas.so | |
| related: #1624156 | |
| - First release. | |
| - Update to 0.2.17 | |
| - Add Patch4 to fix register clobbers (BZ #1417385) | |
| - Update to 0.2.11. | |
| - Detect POWER9 as POWER8 | |
| related: #1752241 | |
| - Added documentation. | |
| - Fix library suffix on ppc64le. | |
| - Don't use reference LAPACK functions that have optimized implementation. | |
| - Update to 0.2.18. | |
| - Due to long standing bug, replace all OpenBLAS LAPACK functions with | |
| generic ones, so that package can finally be released in stable. | |
|
|
|
| openssl-1.1.1k-14.el8_10.0.1.x86_64.rpm | - Fix no-ec build |
| Resolves: rhbz#2071020 | |
| - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 | |
| Resolves: CVE-2022-2097 | |
| - Update expired certificates used in the testsuite | |
| Resolves: rhbz#2092462 | |
| - Fix CVE-2022-1292: openssl: c_rehash script allows command injection | |
| Resolves: rhbz#2090372 | |
| - Fix CVE-2022-2068: the c_rehash script allows command injection | |
| Resolves: rhbz#2098279 | |
| - Bump release | |
| - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series | |
| (a proper fix for CVE-2020-25659) | |
| Resolves: RHEL-17694 | |
| - Backport fix SSL_select_next proto from OpenSSL 3.2 | |
| Fix CVE-2024-5535 | |
| Resolves: RHEL-45654 | |
| - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters | |
| Resolves: RHEL-14245 | |
| - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value | |
| Resolves: RHEL-14239 | |
| - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | |
| - Resolves: rhbz#2067145 | |
| - Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap | |
| Fix CVE-2025-9230 | |
| Resolves: RHEL-128613 | |
| - Fix bug for ticket_lifetime_hint exceed issue | |
| Resolves: RHEL-119891 | |
| - Fixed Timing Oracle in RSA Decryption | |
| Resolves: CVE-2022-4304 | |
| - Fixed Double free after calling PEM_read_bio_ex | |
| Resolves: CVE-2022-4450 | |
| - Fixed Use-after-free following BIO_new_NDEF | |
| Resolves: CVE-2023-0215 | |
| - Fixed X.400 address type confusion in X.509 GeneralName | |
| Resolves: CVE-2023-0286 | |
| - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking | |
| excessively long X9.42 DH keys or parameters may be very slow | |
| Resolves: RHEL-16538 | |
| - Fixed X.400 address type confusion in X.509 GeneralName | |
| Resolves: CVE-2023-0286 | |
| - Backport fix SSL_select_next proto from OpenSSL 3.2 | |
| Fix CVE-2024-5535 | |
| Resolves: RHEL-45654 | |
| - Fixed Timing Oracle in RSA Decryption | |
| Resolves: CVE-2022-4304 | |
| - Fixed Double free after calling PEM_read_bio_ex | |
| Resolves: CVE-2022-4450 | |
| - Fixed Use-after-free following BIO_new_NDEF | |
| Resolves: CVE-2023-0215 | |
|
|
|
| openssl-libs-1.1.1k-14.el8_10.0.1.x86_64.rpm | - Fix no-ec build |
| Resolves: rhbz#2071020 | |
| - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 | |
| Resolves: CVE-2022-2097 | |
| - Update expired certificates used in the testsuite | |
| Resolves: rhbz#2092462 | |
| - Fix CVE-2022-1292: openssl: c_rehash script allows command injection | |
| Resolves: rhbz#2090372 | |
| - Fix CVE-2022-2068: the c_rehash script allows command injection | |
| Resolves: rhbz#2098279 | |
| - Bump release | |
| - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series | |
| (a proper fix for CVE-2020-25659) | |
| Resolves: RHEL-17694 | |
| - Backport fix SSL_select_next proto from OpenSSL 3.2 | |
| Fix CVE-2024-5535 | |
| Resolves: RHEL-45654 | |
| - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters | |
| Resolves: RHEL-14245 | |
| - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value | |
| Resolves: RHEL-14239 | |
| - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | |
| - Resolves: rhbz#2067145 | |
| - Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap | |
| Fix CVE-2025-9230 | |
| Resolves: RHEL-128613 | |
| - Fix bug for ticket_lifetime_hint exceed issue | |
| Resolves: RHEL-119891 | |
| - Fixed Timing Oracle in RSA Decryption | |
| Resolves: CVE-2022-4304 | |
| - Fixed Double free after calling PEM_read_bio_ex | |
| Resolves: CVE-2022-4450 | |
| - Fixed Use-after-free following BIO_new_NDEF | |
| Resolves: CVE-2023-0215 | |
| - Fixed X.400 address type confusion in X.509 GeneralName | |
| Resolves: CVE-2023-0286 | |
| - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking | |
| excessively long X9.42 DH keys or parameters may be very slow | |
| Resolves: RHEL-16538 | |
| - Fixed X.400 address type confusion in X.509 GeneralName | |
| Resolves: CVE-2023-0286 | |
| - Backport fix SSL_select_next proto from OpenSSL 3.2 | |
| Fix CVE-2024-5535 | |
| Resolves: RHEL-45654 | |
| - Fixed Timing Oracle in RSA Decryption | |
| Resolves: CVE-2022-4304 | |
| - Fixed Double free after calling PEM_read_bio_ex | |
| Resolves: CVE-2022-4450 | |
| - Fixed Use-after-free following BIO_new_NDEF | |
| Resolves: CVE-2023-0215 | |
|
|
|
| opus-1.3-0.4.beta.el8.x86_64.rpm | - Update to 0.9.8 |
| - Update to 1.0.1rc3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Update to 1.0.0rc1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Official 1.0.2 release | |
| - Update to 1.2.0 RC1 | |
| - Update to 1.1-rc2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Update to 1.2.0 Alpha | |
| - Update to 1.2 | |
| - Use %license | |
| - Add gcc BR | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Initial packaging | |
| - Update to 1.3 beta | |
| - Add make check - fixes RHBZ # 821128 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 1.1.1 RC (further ARM optimisations) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 1.2.1 | |
| - Update 1.1.1 GA | |
| - Install html docs in devel package | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 1.2.0 Beta | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Update to 1.1-rc | |
| - Build developer docs | |
| - Official 1.0.1 release now rfc6716 is stable | |
| - 1.1 release | |
| - Update to 1.1.1 beta (SSE, ARM, MIPS optimisations) | |
| - 1.0.3 release | |
| - Update 1.1.3 GA | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update 1.1.2 GA | |
| - Enable extra custom modes API | |
| - Update to 1.1-rc3 | |
| - Switch to %ldconfig_scriptlets | |
| - Update to 0.9.14 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 0.9.10 | |
|
|
|
| orc-0.4.28-4.el8_10.x86_64.rpm | - Do not run tests on aarch64 |
| - Fix typo rhbz#817944 | |
| - Update to 0.4.12, a bug fixing release | |
| - Add orc-bugreport to the main package (#702727) | |
| - Added removed testing libraries to package. | |
| - Update to 0.4.27 | |
| - don't run test on s390(x) | |
| - Updated subdir patch. | |
| - Update to 0.4.14 | |
| - Updated to 0.4.4: Includes bugfixes for x86_64. | |
| - Updated to 0.4.7. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to latest upstream release | |
| - Removed obsolete patches | |
| - Updated to 0.4.3 | |
| - Update to 0.4.25 | |
| - Docs as noarch. | |
| - Sanitize timestamps of header files. | |
| - orcc in -compiler subpackage. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 0.4.23 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Running autoreconf to prevent building problems. | |
| - Added missing files to docs. | |
| - Added examples to devel docs. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 0.4.26 | |
| - Initial release | |
| - Add upstream patches to fix gstreamer crash on Geode (#746185) | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Update to 0.4.24 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - don't run tests on ppc, ppc64 | |
| - Fix fallback path when register allocation fails | |
| - Fixes gstreamer-1.0 crash on OLPC XO-1.75 | |
| - Update to 0.4.9, a primarily bug fixing release. | |
| - Specfile cleanup | |
| - Removed tools subpackage | |
| - Added docs subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Add upstream patch for selinux issue with tmp files | |
| - Update to 0.4.15 | |
| - Add Fedora specific patch for tempfiles in subdirs | |
| - Update to 0.4.13, another bug fixing release | |
| - Update to 0.4.11. | |
| - More bug fixes for CPUs that do not have backends, mmx and sse. | |
| - Update to 0.4.28 | |
| - Disable regeneration of docs | |
| - Update to 0.4.16 | |
| - Fixing regression introduced by 0.4.15 (#742534 and #734911) | |
| - Updated to 0.4.5. | |
| - Removed testing libraries from package. | |
| - Removed unused libdir | |
| - Update to 0.4.18. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Add ARM platforms to the make check exclusion | |
| - Add patch for CVE-2024-40897 | |
| - Resolves: RHEL-50710 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 0.4.22 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - x86: add endbr32 and endbr64 instructions | |
| - Resolves: rhbz#1693292 | |
| - Rebuilt for glibc bug#747377 | |
| - Update to 0.4.10. | |
| - Fixes some bugs related to SELinux. | |
| - Updated to 0.4.6. | |
| - New orc-bugreport added. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Use orc as package name | |
| - spec-file cleanup | |
| - Added devel requirements | |
| - Removed an rpath issue | |
|
|
|
| os-prober-1.74-11.el8_10.x86_64.rpm | - 90fallback: include possible kernel parameters from grub's default file |
| - common.sh: do not resolve symbolic link on mapped device filesystems | |
| - Resolves: #RHEL-55234 | |
| - Bump release number | |
| - Resolves: #RHEL-55234 | |
|
|
|
| pcre2-utf16-10.32-3.el8_6.x86_64.rpm | - 10.30-RC1 bump |
| - Heap-based matching implementation replaced stack-based one | |
| - SELinux-friendly JIT enabled | |
| - Fix displaying a callout position in pcretest output with an escape sequence | |
| greater than \x{ff} | |
| - Fix pcrepattern(3) documentation | |
| - Fix miscompilation of conditionals when a group name starts with "R" | |
| (upstream bug #1873) | |
| - Fix internal option documentation in pcre2pattern(3) (upstream bug #1875) | |
| - Fix optimization bugs for patterns starting with lookaheads | |
| (upstream bug #1882) | |
| - fixed Release field | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix checking that a lookbehind assertion has a fixed length if the | |
| lookbehind assertion is used inside a lookahead assertion | |
| - Fix parsing VERSION conditions | |
| - Rebuild for readline 7.x | |
| - Fix repeated pcregrep output if -o with -M options were used and the match | |
| extended over a line boundary (upstream bug #1848) | |
| - Fix handling \K in an assertion in pcre2grep tool and documentation | |
| (upstream bug #2211) | |
| - Fix matching at a first code unit of a new line sequence if PCRE2_FIRSTLINE | |
| is enabled | |
| - Fix compiling patterns with PCRE2_NO_AUTO_CAPTURE (upstream bug #1704) | |
| - 10.20 bump | |
| - Fix a crash when doing an extended substitution for \p, \P, or \X | |
| (upstream bug #1977) | |
| - Fix a crash in substitution if starting offset was specified beyond the | |
| subject end (upstream bug #1992) | |
| - Fix faulty auto-anchoring patterns when .* is inside an assertion | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - PCRE2 library packaged | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Fix anchoring in conditionals with only one branch (bug #1617960) | |
| - Add support to pcre2grep for binary zeros in -f files (upstream bug #2222) | |
| - Fix compiler warnings in pcre2grep | |
| - Disable SELinux-friendly JIT allocator because it crashes after a fork | |
| (upstream bug #1749) | |
| - Fix DFA match for a possessively repeated character class (upstream bug #2086) | |
| - Use a memory allocator from the pattern if no context is supplied to | |
| pcre2_match() | |
| - Fix returning unset groups in POSIX interface if REG_STARTEND has a non-zero | |
| starting offset (upstream bug #2244) | |
| - Fix pcre2test -C to correctly show what \R matches | |
| - Fix matching repeated character classes against an 8-bit string containing | |
| multi-code-unit characters | |
| - Fix pcre2_jit_match() to properly check the pattern was JIT-compiled | |
| - Allow pcre2grep match counter to handle values larger than 2147483647, | |
| (upstream bug #2208) | |
| - Fix incorrect first matching character when a backreference with zero minimum | |
| repeat starts a pattern (upstream bug #2209) | |
| - Fix CVE-2019-20454 (a crash when \X is used without UTF mode in a JIT) | |
| (bug #1734468) | |
| - Enlarge ovector array match data structure to be large enough in all cases | |
| (oss-fuzz #5415) | |
| - Fix handling a hyphen at the end of a character class (upstream bug #2153) | |
| - Fix a typo in pcre2_study() | |
| - Document assert capture limitation (upstream bug #1887) | |
| - Ignore offset modifier in pcre2test in POSIX mode (upstream bug #1898) | |
| - 10.31 bump | |
| - 10.31-RC1 bump | |
| - Disable the JIT on riscv64. | |
| - Recognize all Unicode space characters with /x option in a pattern | |
| (bug #1617960) | |
| - Fix changing dynamic options (bug #1617960) | |
| - Fix autopossessifying a repeated negative class with no characters less than | |
| 256 that is followed by a positive class with only characters less than 255, | |
| (bug #1617960) | |
| - Fix autopossessifying a repeated negative class with no characters less than | |
| 256 that is followed by a positive class with only characters less than 256, | |
| (bug #1617960) | |
| - Fix a compiler warning in JIT code for ppc32 | |
| - Handle memory allocation failures in pcre2test tool | |
| - Fix CVE-2017-7186 (a crash when finding a Unicode property for a character | |
| with a code point greater than 0x10ffff in UTF-32 library while UTF mode is | |
| disabled) (upstream bug #2052) | |
| - Fix a pcre2test crash on multiple push statements (upstream bug #2109) | |
| - Fix an out-of-bound read in pcre2test tool within POSIX mode | |
| (upstream bug #2008) | |
| - Fix a race in JIT locking condition | |
| - Fix an ovector check in JIT test program | |
| - Enable JIT in the pcre2grep tool | |
| - 10.20-RC1 bump | |
| - Replace dependency on glibc-headers with gcc (bug #1230479) | |
| - Preserve soname | |
| - 10.23 bump | |
| - Fix an internal error for a forward reference in a lookbehind with | |
| PCRE2_ANCHORED (oss-fuzz bug #865) | |
| - Fix a pcre2test bug for global match with zero terminated subject | |
| (upstream bug #2063) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Fix compiling a class with UCP and without UTF | |
| - 10.21 bump | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Fix global search/replace in pcre2test and pcre2_substitute() when the pattern | |
| matches an empty string, but never at the starting offset | |
| - Fix bug when \K is used in a lookbehind in a substitute pattern | |
| - Fix auto-possessification at the end of a capturing group that is called | |
| recursively (upstream bug #2232) | |
| - Close serialization file in pcre2test after any error (upstream bug #2074) | |
| - Fix a memory leak in pcre2_serialize_decode() when the input is invalid | |
| (upstream bug #2075) | |
| - Fix a potential NULL dereference in pcre2_callout_enumerate() if called with | |
| a NULL pattern pointer when Unicode support is available (upstream bug #2076) | |
| - Fix CVE-2017-8786 (32-bit error buffer size bug in pcre2test) (bug #1500717) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for | |
| a character with a code point greater than 0x10ffff in UTF-32 library while | |
| UTF mode is disabled) (bug #1434504) | |
| - Fix an incorrect cast in UTF validation (upstream bug #2090) | |
| - Adapt a test to French locale on RHEL | |
| - Package pcre2demo.c as a documentation for pcre2-devel | |
| - Fix applying local x modifier while global xx was in effect | |
| - 10.22-RC1 bump | |
| - libpcre2-posix library changed ABI | |
| - Fix register overwrite in JIT when SSE2 acceleration is enabled | |
| - Correct pcre2unicode(3) documentation | |
| - Fix pcre2-config --libs-posix output (upstream bug #1924) | |
| - Fix a memory leak and a typo in a documentation (upstream bug #1973) | |
| - Fix a buffer overflow in partial match test for CRLF in an empty buffer | |
| (upstream bug #1975) | |
| - Fix a crash in pcre2test when displaying a wide character with a set locate | |
| (upstream bug #1976) | |
| - Ship README in devel as it covers API and build, not general info | |
| - Move UTF-16 and UTF-32 libraries into pcre-ut16 and pcre-32 subpackages | |
| - Report unmatched closing parentheses properly | |
| - Fix pcre2test for expressions with a callout inside a look-behind assertion | |
| (upstream bug #1783) | |
| - Fix CVE-2016-3191 (workspace overflow for (*ACCEPT) with deeply nested | |
| parentheses) (upstream bug #1791) | |
| - Fix caseless matching an extended class in JIT mode (bug #1617960) | |
| - Resolves: CVE-2022-1586 | |
| - Accept files names longer than 128 bytes in recursive mode of pcre2grep | |
| (upstream bug #2177) | |
| - Fix matching characters above 255 when a negative character type was used | |
| without enabled UCP in a positive class (upstream bug #1866) | |
| - 10.21-RC1 bump | |
| - 10.32 bump (bug #1628200) | |
| - Fix a subject buffer overread in JIT when UTF is disabled and \X or \R has | |
| a greater than 1 fixed quantifier (bug #1628200) | |
| - Fix matching a zero-repeated subroutine call at a start of a pattern | |
| (bug #1628200) | |
| - Fix heap limit checking overflow in pcre2_dfa_match() (bug #1628200) | |
| - Fix compiling classes with a negative escape and a property escape | |
| (upstream bug #1697) | |
| - Fix integer overflow for patterns whose minimum matching length is large | |
| (upstream bug #1699) | |
| - Fix multi-line matching in pcre2grep tool (upstream bug #2187) | |
| - 10.30 bump | |
| - Fix DFA matching a lookbehind assertion that has a zero-length branch | |
| (PCRE2 oss-fuzz issue 1859) | |
| - Fix returned offsets from regexec() when REG_STARTEND is used with starting offset | |
| greater than zero (upstream bug #2128) | |
| - 10.22 bump | |
| - Fix setting error offset zero for early errors in pcre2_pattern_convert() | |
| - Fix backtracking atomic groups when they are not separated by something with | |
| a backtracking point | |
| - Switch to %ldconfig_scriptlets | |
| - 10.23-RC1 bump | |
| - Backport fix for AArch64 | |
|
|
|
| pcs-0.10.18-2.el8_10.8.x86_64.rpm | - Fixed CVE-2025-67725, CVE-2025-67726 by patching bundled Tornado |
| Resolves: RHEL-136415, RHEL-136420 | |
| - Debrand PCS | |
| - Debrand PCS | |
|
|
|
| pinentry-1.1.0-2.el8.x86_64.rpm | - Rebase to latest upstream version |
| - Removing qt4 pinentry patch -- got merged upstream | |
| - New package pinentry-emacs that hosts pinentry-emacs | |
| - New dependencies on libassuan and libgpg-error (de-bundling) | |
| - Update to latest upstream version (0.8.3) | |
| - Rebase to latest upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebase to latest upstream version | |
| - Modify backwards compatible symlink for qt(4) | |
| - Enable pinentry-emacs since it was enabled by default in 0.9.5 | |
| - First Fedora release. | |
| - Enable libsecret, which enables password caching in pinentry-gnome3 | |
| - Resolves rhbz#1275567 | |
| - Autorebuild for GCC 4.3 | |
| - Spec cleanups. | |
| - Rebase to latest upstream version | |
| - There are no longer any moc files so there is no need to patch them | |
| - rebuild against new libcap | |
| - Fix pinentry-curses running as root by disabling capabilities (#677670) | |
| - pinentry-gtk -g segfaults on focus change (#520236) | |
| - s/qt-devel/qt3-devel/ (f9+) | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Errors installing with --excludedocs (#515925) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - drop alternatives, use app-wrapper instead (borrowed from opensuse) | |
| - -qt4 experimental subpkg, -qt includes qt3 version again (#523488) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - -14 respin (to help retire ATrpms pinentry pkg) | |
| - fc6 respin | |
| - Update to 0.7.0. | |
| - Split GTK+ and QT dialogs into subpackages. | |
| - Add pinentry-gnome3 support to pinentry wrapper | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - respin (BuildID) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to current Fedora guidelines. | |
| - -qt: build as qt4 version, and drop qt3 support (f13+ only) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fix license handling | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - pinentry-0.7.5 | |
| - fix FTBFS on f23/gcc5 | |
| - drop deprecated configure flags | |
| - pinentry-0.7.4 | |
| - BR: libcap-devel | |
| - 0.7.2, docs patch applied upstream. | |
| - Switch to GTK2 in -gtk. | |
| - Fine tune dependencies. | |
| - Build with dependency tracking disabled. | |
| - Clean up obsolete pre-FC2 support. | |
| - Rebase to latest upstream version | |
| - /usr/bin/pinentry should not check if stderr is opened (#787775) | |
| - respin (for ppc64) | |
| - Rebase to latest upstream version | |
| - Fix X11 event race with gtk (#589998) | |
| - Fix qt4 problems with creating window in the background (#589532) | |
| - pinentry-0.7.6 | |
| - -qt switched qt4 version, where applicable (f9+, rhel6+) | |
| - fixup scriptlets | |
| - fc6 respin | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Build pinentry-gnome3 | |
| - Update to 0.6.9. | |
| - Smoother experience with --excludedocs. | |
| - Don't change alternative priorities on upgrade. | |
| - 1.1.0 (#1397378) | |
| - drop some old code/hacks/workarounds | |
| - -qt: use Qt5 | |
| - Updated to latest upstream version (0.8.1) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - info/dir temporary workaround | |
| - Rebuild for new libpng | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Update to 0.7.1. | |
| - fix bogus dates | |
| - upgrade pinentry-wrapper to handle corner cases better | |
| - fc5: gcc/glibc respin | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix up licenses for qt and qt4 subpackages (#875875) | |
| - pinentry-0.7.3 | |
| - License: GPLv2+ | |
| - Fix macros expansions so that conditionals work | |
| - Improve wrapper to fallback to curses even with DISPLAY set (#622077) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - .spec cleanup (drop support for old releases) | |
| - -gtk: Provides: pinentry-gtk2 | |
| - BuildRequires qt-devel >= 3.2. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - pinentry-0.8.0 | |
| - pinentry-gtk keyboard grab fail results in SIGABRT (#585422) | |
| - rebuilt | |
| - pinentry failed massrebuild attempt for GCC 4.3 (#434400) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
|
|
|
| platform-python-devel-3.6.8-71.el8_10.rocky.0.x86_64.rpm | - Update to version 3.6.1 final |
| - Fix test_gdb failure on ppc64le | |
| Resolves: rhbz#1095355 | |
| - Fix %py_byte_compile macro: when invoked with a Python 2 binary it also | |
| mistakenly ran py3_byte_compile | |
| - Use python3 style of calling super() without arguments in rpath | |
| patch to prevent recursion in UnixCCompiler subclasses | |
| Resolves: rhbz#1458122 | |
| - Platform-Python: Rebase implementation from RHEL8 Alpha: | |
| - Move the main executable to /usr/libexec/platform-python | |
| - Move /usr/bin/python*-config and /usr/bin/pythonX.Ym scripts to /usr/libexec/ | |
| - Provide symlink to the main executable and other scripts from /usr/bin/, | |
| these will be later shipped only in the python36 module | |
| - Drop python3 macros, require python/python3-rpm-macros | |
| - Make it build with OpenSSL-1.1.0 based on upstream patch | |
| - update to 3.1.2: http://www.python.org/download/releases/3.1.2/ | |
| - drop upstreamed patch 2 (.pyc permissions handling) | |
| - drop upstream patch 5 (fix for the test_tk and test_ttk_* selftests) | |
| - drop upstreamed patch 200 (path-fixing script) | |
| - Add --executable option to install.py command | |
| - Provide System Python packages and macros | |
| - add BR on bluez-libs-devel (rhbz#879720) | |
| - Updated .pyc 'bytecompilation with the newly installed interpreter' to also | |
| recompile optimized .pyc files | |
| - Removed .pyo 'bytecompilation with the newly installed interpreter', as .pyo | |
| files are no more | |
| - Resolves rhbz#1373635 | |
| - Switch all shebangs to point to the Platform-Python executables | |
| - Updated to Python 3.3.1. | |
| - Refreshed patches: 55 (systemtap), 111 (no static lib), 146 (hashlib fips), | |
| 153 (fix test_gdb noise), 157 (uid, gid overflow - fixed upstream, just | |
| keeping few more downstream tests) | |
| - Removed patches: 3 (audiotest.au made it to upstream tarball) | |
| - Removed workaround for http://bugs.python.org/issue14774, discussed in | |
| http://bugs.python.org/issue15298 and fixed in revision 24d52d3060e8. | |
| - Fix CVE-2014-4650 - CGIHTTPServer URL handling | |
| Resolves: rhbz#1113529 | |
| - renumber patches to keep them in sync with python.spec | |
| - update python-gdb.py from v4 to v5 (improving performance and stability, | |
| adding commands) | |
| - Added a dependency to the devel subpackage on python3-rpm-generators which | |
| have been excised out of rpm-build | |
| - Updated notes on bootstrapping Python on top of this specfile accordingly | |
| - Involves: rhbz#1410631, rhbz#1444925 | |
| - Stop providing the `python3` and `python3-debug` names from the | |
| platform-python/-debug subpackages | |
| - The `python3` and `python3-debug` names are now provided from the python36 | |
| component | |
| - Conflict with older versions of `python3` and `python3-debug` | |
| - Related: rhbz#1619153 | |
| - Update to the latest upstream implementation of PEP 538 | |
| - Use proper patch numbering and base upstream branch for | |
| porting ssl and hashlib modules to OpenSSL 1.1.0 | |
| - Drop hashlib patch for now | |
| - Add riscv64 arch to 64bit and no-valgrind arches | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Forward arguments to the arch specific config script | |
| Resolves: rhbz#1102683 | |
| - Fix broken macro invocation and broken building of C Python extensions | |
| Resolves: rhbz#1560103 | |
| - Disable test_gdb on aarch64 (rhbz#1196181), it joins all other non x86 arches | |
| - Security fix for CVE-2020-27619: eval() call on content received via HTTP in the CJK codec tests | |
| Resolves: rhbz#1890237 | |
| - Modify the test suite to better handle disabled SSL/TLS versions and FIPS mode | |
| - Use OpenSSL's DRBG and disable os.getrandom() function in FIPS mode | |
| Resolves: rhbz#1754028, rhbz#1754027, rhbz#1754026, rhbz#1774471 | |
| - Update to Python 3.6.6 | |
| - Rename the python3 subpackage to platform-python | |
| - Provide the `python3` name for backwards compatibility until it's taken over | |
| by the python36 component | |
| - The python36 component that contains /usr/bin/python3 will Provide the | |
| name `python3` in its upcoming update | |
| - Resolves: rhbz#1619153 | |
| - Fix the "urllib FTP protocol stream injection" vulnerability | |
| Resolves: rhbz#1478916 | |
| - Don't add Werror=declaration-after-statement for extension | |
| modules through setup.py (PyBT#21121) | |
| - Obsolete and Provide python35 package | |
| - OpenSSL disabled SSLv3 in SSLv23 method | |
| - change python-3.1.1-config.patch to remove our downstream change to curses | |
| configuration in Modules/Setup.dist, so that the curses modules are built using | |
| setup.py with the downstream default (linking against libncursesw.so, rather | |
| than libncurses.so), rather than within the Makefile; add a test to %install | |
| to verify the dso files that the curses module is linked against the correct | |
| DSO (bug 539917; changes _cursesmodule.so -> _curses.so) | |
| - Disable ssl related tests for now | |
| - Move xml module to system-python-libs | |
| - Build with $RPM_LD_FLAGS (#756863). | |
| - Use xz-compressed source tarball. | |
| - Security fix for CVE-2019-5010 (rhbz#1666789) | |
| - introduce %{dynload_dir} macro | |
| - explicitly list all lib-dynload files, rather than dynamically gathering the | |
| payload into a temporary text file, so that we can be sure what we are | |
| shipping | |
| - introduce a macros.pybytecompile source file, to help with packaging python3 | |
| modules (Source3; written by Toshio) | |
| - rename "2to3-3" to "python3-2to3" to better reflect python 3 module packaging | |
| plans | |
| - New patches: 170 (gc asserts), 200 (gettext headers), | |
| 201 (gdbm memory leak) | |
| - fix test_gdb (patch 153) | |
| - use the %{_isa} macro to ensure that the python-devel dependency on python | |
| is for the correct multilib arch (#555943) | |
| - delete bundled copy of libffi to make sure we use the system one | |
| - remove config flag from /etc/rpm/macros.{python3|pybytecompile} | |
| - Remove the python3-tools package (#rhbz 1312030) | |
| - Move /usr/bin/2to3 to python3-devel | |
| - Move /usr/bin/idle and idlelib to python3-idle | |
| - Provide python3-tools from python3-idle | |
| - Security fix for CVE-2019-16935 | |
| Resolves: rhbz#1798001 | |
| - Move distutils to system-python-libs | |
| - avoid allocating thunks in ctypes unless absolutely necessary, to avoid | |
| generating SELinux denials on "import ctypes" and "import uuid" when embedding | |
| Python within httpd (patch 155; rhbz#814391) | |
| - Security fix for CVE-2022-48560 | |
| Resolves: RHEL-16707 | |
| - Fix multilib dependencies. | |
| Resolves: rhbz#1091815 | |
| - Initial package for Python 3. | |
| - rewrite of "check", introducing downstream-only hooks for skipping specific | |
| cases in an rpmbuild (patch 132), and fixing/skipping failing tests in a more | |
| fine-grained manner than before; (patches 106, 133-142 sparsely, moving | |
| patches for consistency with python.spec: 128 to 134, 126 to 135, 127 to 141) | |
| - Reduce the number of tests running during the profile guided optimizations build | |
| - Enable profile guided optimizations for all the supported architectures | |
| Resolves: rhbz#1749576 | |
| - python3-devel missing autogenerated pkgconfig() provides (#746751) | |
| - 3.2.3; refresh patch 102 (lib64); drop upstream patches 148 (gdbm magic | |
| values), 149 (__pycache__ fix); add patch 152 (test_gdb regex) | |
| - Set values of prefix and exec_prefix to /usr/local for | |
| /usr/bin/python* executables | |
| - Use new %_module_build macro | |
| - Rebuilt for gdbm | |
| - Remove /usr/bin/idle3 symlink | |
| - Resolves: rhbz#1623811 | |
| - use the gdb hooks from the upstream tarball, rather than keeping our own copy | |
| - patch Makefile.pre.in to avoid building static library (patch 6, bug 556092) | |
| - fix test_gdb.py (patch 156; rhbz#817072) | |
| - Include `-g` in the flags sent to the linker (LDFLAGS) | |
| Resolves: rhbz#1483222 | |
| - gzip the unversioned-python man page | |
| Resolves: rhbz#1665514 | |
| - Escape macros in %changelog | |
| - Rename patch files to be consistent | |
| - Run autotools to generate the configure script before building | |
| - Merge lib64 patches (104 into 102) | |
| - Skip test_bdist_rpm using test config rather than a patch (removes patch 137) | |
| - Remove patches 157 and 186, which had test changes left over after upstreaming | |
| - Remove patch 188, a temporary workaround for hashlib tests | |
| - Merge patches 180, 206, 243, 5001 (architecture naming) into new patch 274 | |
| - Move python2-tools conflicts to tools subpackage (it was wrongly in tkinter) | |
| - Remove %{pylibdir}/Tools/scripts/2to3 | |
| - add gdb hooks for easier debugging (Source 4) | |
| - Revert "Add --executable option to install.py command" | |
| This enhancement is currently not needed and it can possibly | |
| collide with `pip --editable` option | |
| - Set to work with pip version 9.0.1 | |
| - Point __os_install_post to correct brp-* files | |
| - Fix test_tarfile on ppc64 (rhbz#1639490) | |
| - Restore the PyExc_RecursionErrorInst public symbol | |
| - Skip test_startup_imports from test_site if we have a .pth file in sys.path | |
| Resolves: rhbz#1814392 | |
| - Updated to 3.4.3 | |
| - BuildPython now accepts additional build options | |
| - Temporarily disabled test_gdb on arm (rhbz#1196181) | |
| - remove executable flag from various files that shouldn't have it | |
| - fix end-of-line encodings | |
| - fix a character encoding | |
| - 3.2.1; refresh lib64 patch (102), subprocess unit test patch (129), disabling | |
| of static library build (due to Modules/_testembed; patch 6), autotool | |
| intermediates (patch 300) | |
| - remove build-time requirements on tix and tk, since we already have | |
| build-time requirements on the -devel subpackages for each of these (Thomas | |
| Spura) | |
| - replace usage of %define with %global (Thomas Spura) | |
| - remove forcing of CC=gcc as this old workaround for bug 109268 appears to | |
| no longer be necessary | |
| - move various test files from the "tools"/"tkinter" subpackages to the "test" | |
| subpackage | |
| - Update to Python 3.4 beta 2. | |
| - Refreshed patches: 55 (systemtap), 146 (hashlib-fips), 154 (test_gdb noise) | |
| - Dropped patches: 114 (statvfs constants), 177 (platform unicode) | |
| - Changed Requires into Recommends for python3-pip to allow a lower RHEL8 | |
| footprint for containers and other minimal environments | |
| Resolves: rhbz#1756217 | |
| - Add macro %python3_version_nodots | |
| - Update the rewheel module | |
| - Fix test_alpn_protocols from test_ssl | |
| - Do not require rebundled setuptools dependencies | |
| - Bytecompile all *.py files properly during build (rhbz#1023607) | |
| - Build properly on MIPS | |
| - Require glibc >= 2.24.90-26 for system-python-libs (rhbz#1410644) | |
| - fix test.test_gdb.PyBtTests.test_threads on ppc64 (patch 181; rhbz#960010) | |
| - Fix build with libffi containing multilib wrapper for ffi.h (rhbz#979696). | |
| - update patch0's setup of the crypt module to link it against libcrypt | |
| - update patch0 to comment "datetimemodule" back out, so that it is built | |
| using setup.py (see Setup, option 3), thus linking it statically against | |
| timemodule.c and thus avoiding a run-time "undefined symbol: | |
| _PyTime_DoubleToTimet" failure on "import datetime" | |
| - Bump release for rebuild | |
| Resolves: rhbz#2173917 | |
| - Update to 3.5.0 | |
| - Remove Windows binaries from the source archive | |
| - Resolves: rhbz#1633219 | |
| - Add missing %license macro | |
| - add flags for statvfs.f_flag to the constant list in posixmodule (i.e. "os") | |
| (patch 105) | |
| - Change paths to bundled projects in rewheel patch | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Adding a new patch 329 that adds support for OpenSSL FIPS mode | |
| - Explicitly listing man pages in files section to fix an RPM warning | |
| Resolves: rhbz#1731424 | |
| - BuildRequire the new dependencies of setuptools when rewheel mode is enabled | |
| in order for the virtualenvs to work properly | |
| - Security fix for CVE-2025-8194 | |
| Resolves: RHEL-106333 | |
| - Update %py_byte_compile macro | |
| - Remove unused configure flags (rhbz#1374357) | |
| - 3.2.2 | |
| - Update to Python 3.6.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Fix for CVE-2021-3177 | |
| Resolves: rhbz#1918168 | |
| - fix the URLs output by pydoc so they point at python.org's 3.1 build of the | |
| docs, rather than the 2.6 build | |
| - Refactor patch for properly fixing CVE-2016-5636 | |
| - Fix update of idle3's alternative symlink | |
| - Resolves: rhbz#1632625 | |
| - Security fix for CVE-2023-27043 | |
| Resolves: RHEL-20610 | |
| - Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 | |
| Resolves: RHEL-98030, RHEL-97987, RHEL-98232, RHEL-98065, RHEL-98189 | |
| - Patch 329 that adds support for OpenSSL FIPS mode has been improved and | |
| bugfixed | |
| Resolves: rhbz#1744670 rhbz#1745499 rhbz#1745685 | |
| - Security fix for CVE-2021-3737 | |
| Resolves: rhbz#1995162 | |
| - Fix for CVE-2019-10160 | |
| Resolves: rhbz#1689318 | |
| - Change shouldRollover() methods of logging.handlers to only rollover regular files | |
| Resolves: rhbz#2009200 | |
| - Rename the python3-debug subpackage to platform-python-debug | |
| - Provide the `python3-debug` name for backwards compatibility until it's taken | |
| over by the python36 component | |
| - Rename the python3-libs-devel subpackage to platform-python-devel for | |
| symmetry with the `platform-python` and `platform-python-debug` package | |
| - Add symlink /usr/libexec/platform-python-debug that was mistakenly omitted | |
| - Related: rhbz#1619153 | |
| - fix permission on find-provides-without-python-sonames.sh from 775 to 755 | |
| - Security fix for CVE-2019-9948 | |
| Resolves: rhbz#1714643 | |
| - Make test_asyncio not depend on the current SIGHUP signal handler. | |
| - disable rAssertAlmostEqual in test_cmath on PPC (#750811) | |
| - Update to Python 3.6.0 final | |
| - Don't blow up on EL7 kernel (random generator) (rhbz#1410175) | |
| - Updated to Python 3.3.2. | |
| - Refreshed patches: 153 (gdb test noise) | |
| - Dropped patches: 175 (configure -Wformat, fixed upstream), 182 (gdb | |
| test threads) | |
| - Synced patch numbers with python.spec. | |
| - Security fix for CVE-2024-0450 | |
| Resolves: RHEL-33683 | |
| - set EXTRA_CFLAGS to our CFLAGS, rather than overriding OPT, fixing a linker | |
| error with dynamic annotations (when configured using --with-valgrind) | |
| - fix the ppc build of the debug configuration (patch 130; rhbz#661510) | |
| - Require large enough gdbm (fixup for previous bump) | |
| - Fix localeconv() encoding for LC_NUMERIC | |
| - Make sure the entire test.support module is in python3-libs | |
| Resolves: rhbz#1651215 | |
| - Dropped BuildRequires on db4-devel which was useful for Python 2 (module | |
| bsddb), however, no longer needed for Python 3 | |
| - Tested building Python 3 with and without the dependency, all tests pass and | |
| filelists of resulting RPMs are identical | |
| - Fixed undefined behaviour in faulthandler which caused test to hang on x86_64 | |
| (http://bugs.python.org/issue23433) | |
| - cleanup of BuildRequires; add comment headings to specfile sections | |
| - Update to 3.6.5 | |
| - Obsolete platform-python and its subpackages | |
| - renumber and rename patches for consistency with python.spec (8 to 55, 106 | |
| to 104, 6 to 111, 104 to 113, 105 to 114, 125, 131, 130 to 143) | |
| - Remove old system-python Provides/Obsoletes/symlinks/patches from Fedora | |
| - Use 1024bit DH key in test_ssl | |
| - Use -O0 when compiling -debug build | |
| - Update pip version variable to the version we actually ship | |
| - Add __pycache__ directory for site-packages | |
| - Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907) | |
| Resolves: rhbz#1856481 | |
| - Resolve hash collisions for IPv4Interface and IPv6Interface (CVE-2020-14422) | |
| Resolves: rhbz#1854926 | |
| - Update PEP 538 to the latest upstream implementation | |
| - Add a sentinel value on the Hmac_members table of the fips compliant hmac module | |
| Resolves: rhbz#1800512 | |
| - Disable %check so package will build for Mass Rebuild | |
| - Related: bug#1614611 | |
| - Add Requires (/post/postun) on /usr/sbin/alternatives | |
| - Resolves: rhbz#1632625 | |
| - Do not set PHA verify flag on client side (rhbz#1725721) | |
| - Enable TLS 1.3 post-handshake authentication in http.client (rhbz#1671353) | |
| - Updated fix for CVE-2019-9636 (rhbz#1689318) | |
| - Security fix for CVE-2024-4032 | |
| Resolves: RHEL-44060 | |
| - support OpenSSL FIPS mode in _hashlib and hashlib; don't build the _md5 and | |
| _sha* modules, relying on _hashlib in hashlib (rhbz#563986; patch 146) | |
| - Security fix for CVE-2024-6232 | |
| Resolves: RHEL-57399 | |
| - Add choices for sort option of cProfile for better output | |
| Resolves: rhbz#1640151 | |
| - 3.2rc3 | |
| - regenerate autotool patch | |
| - 3.2 | |
| - drop alphatag | |
| - regenerate autotool patch | |
| - Make relocating Python by changing _prefix actually work | |
| Resolves: rhbz#1231801 | |
| - Specfile cleanup | |
| - Make the main description also applicable to the SRPM | |
| - Add audiotest.au to the test package | |
| - Skip windows specific test_get_exe_bytes test case and enable test_distutils | |
| Resolves: rhbz#1754040 | |
| - Do not generate debuginfo subpackages (#1476593) | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - Update to Python 3.6.0 release candidate 1 | |
| - Move test.support to core package (rhbz#596258) | |
| - Add various missing __pycache__ directories to payload | |
| - Security fix for CVE-2024-11168 | |
| Resolves: RHEL-67252 | |
| - add workaround for ENOPROTOOPT seen running selftests in Koji | |
| (rhbz#913732) | |
| - Fix syntax error in %py_byte_compile macro (rhbz#1433569) | |
| - Fix /usr/bin/env dependency from python3-tools | |
| Resolves: rhbz#1482118 | |
| - Fix error check, so that Random.seed actually uses OS randomness (rhbz#1412275) | |
| - Skip test_aead_aes_gcm during rpmbuild | |
| - disable a test that fails on arm | |
| - enable valgrind support on arm arches | |
| - Security fix for CVE-2018-14647 | |
| - Resolves: rhbz#1632096 | |
| - Do not send IP addresses in SNI TLS extension | |
| - Adjusted the postun scriptlets to enable upgrading to RHEL 9 | |
| - Resolves: rhbz#1933055 | |
| - refresh gdb hooks to v3 (reworking how they are packaged) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 3.5.1 | |
| - Removed patch 199 and 207 (upstream) | |
| - re-enable gdbm (patch 148; rhbz#742242) | |
| - Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch | |
| - Require platform-python-setuptools from platform-python-devel to prevent packaging errors | |
| Resolves: rhbz#1701286 | |
| - Security fix for CVE-2015-20107 | |
| Resolves: rhbz#2075390 | |
| - build and install two different configurations of Python 3: debug and | |
| standard, packaging the debug build in a new "python3-debug" subpackage | |
| (patch 103) | |
| - 3.2 -> 3.3: https://fedoraproject.org/wiki/Features/Python_3.3 | |
| - 3.3.0b1: refresh patches 3, 55, 102, 111, 113, 114, 134, 157; drop upstream | |
| patch 147; regenerate autotools patch; drop "--with-wide-unicode" from | |
| configure (PEP 393); "plat-linux2" -> "plat-linux" (upstream issue 12326); | |
| "bz2" -> "_bz2" and "crypt" -> "_crypt"; egg-info files are no longer shipped | |
| for stdlib (upstream issues 10645 and 12218); email/test moved to | |
| test/test_email; add /usr/bin/pyvenv[-3.3] and venv module (PEP 405); add | |
| _decimal and _lzma modules; make collections modules explicit in payload again | |
| (upstream issue 11085); add _testbuffer module to tests subpackage (added in | |
| upstream commit 3f9b3b6f7ff0); fix test failures (patches 160 and 161); | |
| workaround erroneously shared _sysconfigdata.py upstream issue #14774; fix | |
| distutils.sysconfig traceback (patch 162); add BuildRequires: xz-devel (for | |
| _lzma module); skip some tests within test_socket (patch 163) | |
| - Update to Python 3.4 beta 1. | |
| - Refreshed patches: 102 (lib64), 111 (no static lib), 125 (less verbose COUNT | |
| ALLOCS), 141 (fix COUNT_ALLOCS in test_module), 146 (hashlib fips), | |
| 157 (UID+GID overflows), 173 (ENOPROTOOPT in bind_port) | |
| - Removed patch 00187 (remove pthread atfork; upstreamed) | |
| - fix sysconfig to not rely on the -devel subpackage (rhbz#653058) | |
| - Reduced default build flags used to build extension modules | |
| https://fedoraproject.org/wiki/Changes/Python_Extension_Flags | |
| Resolves: rhbz#1634784 | |
| - exclude test_gdb on ppc* (rhbz#1132488) | |
| - Update to 3.4.2 | |
| - Refreshed patches: 156 (gdb autoload) | |
| - Removed: 195 (Werror declaration), 197 (CVE-2014-4650) | |
| - ensure that the compiler is invoked with "-fwrapv" (rhbz#594819) | |
| - reformat whitespace in audioop.c (patch 106) | |
| - CVE-2010-1634: fix various integer overflow checks in the audioop | |
| module (patch 107) | |
| - CVE-2010-2089: further checks within the audioop module (patch 108) | |
| - CVE-2008-5983: the new PySys_SetArgvEx entry point from r81399 (patch 109) | |
| - Remove versioned libpython from devel package | |
| - Add compatibility fixes for openssl 1.1.1 and tls 1.3 | |
| Resolves: rhbz#1610023 | |
| - Add bcond for --without optimizations | |
| - Reword package descriptions | |
| - Remove Group declarations | |
| - Skip failing test_float_with_comma | |
| - 3.2b2 | |
| - rework patch 3 (removal of mimeaudio tests), patch 6 (no static libs), | |
| patch 8 (systemtap), patch 102 (lib64) | |
| - remove patch 4 (rendered redundant by upstream r85537), patch 103 (PEP 3149), | |
| patch 110 (upstreamed expat fix), patch 111 (parallel build fix for grammar | |
| fixed upstream) | |
| - regenerate patch 300 (autotool intermediates) | |
| - workaround COUNT_ALLOCS weakref issues in test suite (patch 126, patch 127, | |
| patch 128) | |
| - stop using runtest.sh in %check (dropped by upstream), replacing with | |
| regrtest; fixup list of failing tests | |
| - introduce "pyshortver", "SOABI_optimized" and "SOABI_debug" macros | |
| - rework manifests of shared libraries to use "SOABI_" macros, reflecting | |
| PEP 3149 | |
| - drop itertools, operator and _collections modules from the manifests as py3k | |
| commit r84058 moved these inside libpython; json/tests moved to test/json_tests | |
| - move turtle code into the tkinter subpackage | |
| - Update to Python 3.6.2 | |
| - don't use --with-tsc on ppc64 debug builds (rhbz#698726) | |
| - Fix reentrant call to threading.enumerate() (rhbz#1959459) | |
| - Don't exit Python with abort() when a thread exits and there is no available | |
| file descriptor to load dynamically the libgcc_s.so.1 library (rhbz#1972293) | |
| - disable gdbm module to prepare for gdbm soname bump | |
| - Define HAVE_LONG_LONG as 1 for backwards compatibility | |
| - Rename python3.Xm-config script to arch specific. | |
| Resolves: rhbz#1091815 | |
| - 3.3.0rc1 -> 3.3.0rc2; refresh patch 55 | |
| - Enable rewheel | |
| - add a provides of "python(abi)" (see bug 532118) | |
| - fix issues identified by a.badger in package review (bug 526126, comment 39): | |
| - use "3" throughout metadata, rather than "3.*" | |
| - remove conditional around "pkg-config openssl" | |
| - use standard cleanup of RPM_BUILD_ROOT | |
| - replace hardcoded references to /usr with _prefix macro | |
| - stop removing egg-info files | |
| - use /usr/bin/python3.1 rather than /usr/bin/env python3.1 when fixing | |
| up shebang lines | |
| - stop attempting to remove no-longer-present .cvsignore files | |
| - move the post/postun sections above the "files" sections | |
| - Rename python3.Xdm-config script from -debug to be arch specific | |
| Resolves: rhbz#1179073 | |
| - Fix for CVE-2016-1000110 HTTPoxy attack | |
| - SPEC file cleanup | |
| - Disallow control chars in http URLs | |
| - Fixes CVE-2019-9740 and CVE-2019-9947 | |
| Resolves: rhbz#1704365 and rhbz#1703531 | |
| - Add filters for tarfile extraction (CVE-2007-4559, PEP-706) | |
| Resolves: rhbz#263261 | |
| - 3.2rc2 | |
| - Fix symlink handling in the fix for CVE-2007-4559 | |
| Resolves: rhbz#263261 | |
| - New options -a and -k for pathfix.py script backported from upstream | |
| Resolves: rhbz#1917691 | |
| - Fix memory corruption due to allocator mix | |
| Resolves: rhbz#1498207 | |
| - Temporarily disable tests requiring SIGHUP (rhbz#1088233) | |
| - Rebuild for readline 7.x | |
| - add ppc64p7 build target, optimized for Power7 | |
| - Remove downstream 00178-dont-duplicate-flags-in-sysconfig.patch which | |
| introduced a bug on distutils.sysconfig.get_config_var('LIBPL') | |
| (rhbz#1851090). | |
| - Add fix for gdb tests failing on arm, rhbz#951802. | |
| - Update rewheel patch with fix from https://github.com/bkabrda/rewheel/pull/1 | |
| - work around test_subprocess failure seen in koji (patch 129) | |
| - Add setuptools and pip to Requires | |
| - Update to version 3.6.4 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Provide the `python3` name with _isa until some packages can be rebuilt | |
| - Resolves: rhbz#1619153 | |
| - add --with-valgrind to configuration (on architectures that support this) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack | |
| - Raise an error when STARTTLS fails | |
| - rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 | |
| - rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 | |
| - Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394 | |
| - Compile the debug build with -Og rather than -O0 | |
| - Resolves: rhbz#1624162 | |
| - Rebuild with wheel set to 1 | |
| - Define TLS cipher suite on build time. | |
| - Move pathfix.py to bindir, https://github.com/fedora-python/python-rpm-porting/issues/24 | |
| - Make the -devel package require redhat-rpm-config | |
| Resolves: rhbz#1496757 | |
| - Fix up shared library extension (rhbz#889784) | |
| - Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response | |
| Resolves: rhbz#2036020 | |
| - update python-3.1.1-config.patch to remove downstream customization of build | |
| of pyexpat and elementtree modules | |
| - add patch adapted from upstream (patch 7) to add support for building against | |
| system expat; add --with-system-expat to "configure" invocation | |
| - remove embedded copies of expat and zlib from source tree during "prep" | |
| - aarch64 has valgrind, just list those that don't support it | |
| - add correct arch for ppc64/ppc64le to fix build failure | |
| - Fix the py_byte_compile macro to work on Python 2 | |
| - Remove the pybytecompile macro file from the flat package | |
| Resolves: rhbz#1484993 | |
| - Expat >= 2.1.0 is everywhere, remove explicit requires | |
| - Conditionalize systemtap-devel BuildRequires | |
| - For consistency, require /usr/sbin/ifconfig instead of net-tools | |
| - add aarch64 (rhbz#909783) | |
| - switched a few instances of "find |xargs" to "find -exec" for consistency. | |
| - made the description of __os_install_post more accurate. | |
| - use macro for power64 (rhbz#834653) | |
| - Switch to requiring platform-python-pip/setuptools instead of the python3- | |
| versions | |
| - Resolves: rhbz#1638836 | |
| - add %py3dir macro to macros.python3 (to be used during unified python 2/3 | |
| builds for setting up the python3 copy of the source tree) | |
| - Add support for upstream architecture names | |
| https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names | |
| Resolves: rhbz#1868003 | |
| - Fix an incompatibility between pyexpat and the system expat-2.0.1 that led to | |
| a segfault running test_pyexpat.py (patch 110; upstream issue 9054; rhbz#610312) | |
| - Provide python3-enum34 | |
| - Update to Python 3.4 alpha 4. | |
| - Refreshed patches: 55 (systemtap), 102 (lib64), 111 (no static lib), | |
| 114 (statvfs flags), 132 (unittest rpmbuild hooks), 134 (fix COUNT_ALLOCS in | |
| test_sys), 143 (tsc on ppc64), 146 (hashlib fips), 153 (test gdb noise), | |
| 157 (UID+GID overflows), 173 (ENOPROTOOPT in bind_port), 186 (dont raise | |
| from py_compile) | |
| - Removed patches: 129 (test_subprocess nonreadable dir - no longer fails in | |
| Koji), 142 (the mock issue that caused this is fixed) | |
| - Added patch 187 (remove thread atfork) - will be in next version | |
| - Refreshed script for checking pyc and pyo timestamps with new ignored files. | |
| - The fips patch is disabled for now until upstream makes a final decision | |
| what to do with sha3 implementation for 3.4.0. | |
| - Install the Makefile in its proper location (rhbz#1438219) | |
| - Properly strip the LTO bytecode from python.o | |
| Resolves: rhbz#2137707 | |
| - add a /usr/bin/python3-debug symlink within the debug subpackage | |
| - Security fix for CVE-2024-9287 | |
| Resolves: RHEL-64878 | |
| - Own systemtap dirs (#710733) | |
| - Filter out automatic /usr/bin/python3.X requirement, | |
| recommend the main package from libs instead | |
| Resolves: rhbz#1547131 | |
| - Update to Python 3.6.1 release candidate 1 | |
| - Add patch 264 to skip a known test failure on aarch64 | |
| - Use bconds for configuring the build | |
| - Reorganize the initial sections | |
| - test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (rhbz#1639531) | |
| - rebuild | |
| - move most of the content of the core package to the libs subpackage, given | |
| that the libs aren't meaningfully usable without the standard libraries | |
| - bump release and rebuild to link with the correct tcl/tk libs on ppcle | |
| - In config script, use uname -m to write the arch | |
| - Disable test_faulthandler, test_gdb on aarch64 | |
| Resolves: rhbz#1045193 | |
| - Security fix for CVE-2022-45061 | |
| - Strip the LTO bytecode from python.o | |
| Resolves: rhbz#2144072, rhbz#2137707 | |
| - add pyfuntop.stp example (source 7) | |
| - convert usage of $$RPM_BUILD_ROOT to %{buildroot} throughout, for | |
| consistency with python.spec | |
| - Fix the `devel` subpackage to require python3, rather than python36-devel, | |
| and provide /usr/bin/python3-config itself. | |
| - Add patch for CVE-2013-2099 (rhbz#963261). | |
| - Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs | |
| Resolves: rhbz#1995234 | |
| - Properly pass the -Og optimization flag to the debug build | |
| Resolves: rhbz#1712977 and rhbz#1714733 | |
| - add macros.python3 to the -devel subpackage, containing common macros for use | |
| when packaging python3 modules | |
| - Add patch to explicitly link _ctypes module with -ldl (#1537489) | |
| - Refactored patch for libxcrypt | |
| - Re-enable strict symbol checks in the link editor | |
| - disable some failing checks on PPC* (rhbz#846849) | |
| - Remove system-python, see https://fedoraproject.org/wiki/Changes/Platform_Python_Stack | |
| - add a sys._debugmallocstats() function (patch 147) | |
| - Fix build with expat with fixed CVE-2023-52425 | |
| Related: RHEL-33671 | |
| - Fix error in platform.platform() when non-ascii byte strings are decoded to | |
| unicode (rhbz#922149) | |
| - fix tapset for debug build | |
| - python3-devel: Require python-macros for version independent macros such as | |
| python_provide. See fpc#281 and fpc#534. | |
| - Fix for CVE-2021-23336 | |
| Resolves: rhbz#1928904 | |
| - Make pip and distutils in user environment install into separate location | |
| - fix the libpython.stp systemtap tapset (rhbz#697730) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - 3.3b1 -> 3.3b2; drop upstreamed patch 152; refresh patches 3, 102, 111, | |
| 134, 153, 160; regenerate autotools patch; rework systemtap patch to work | |
| correctly when LANG=C (patch 55); importlib.test was moved to | |
| test.test_importlib upstream | |
| - add %python3_version to the rpm macros (rhbz#719082) | |
| - Create the `libs-devel` subpackage and move `devel` contents there | |
| - `devel` subpackage is only for the buildroot and requires `python36-devel` | |
| to get /usr/bin/python3{,-config} symlinks there | |
| - `devel` subpackage will not be shipped into RHEL8, only `libs-devel` will | |
| - `debug` subpackage now runtime requires `libs-devel` instead of `devel` | |
| - Release bump | |
| Resolves: rhbz#2136435 | |
| - Add patch for libxcrypt | |
| - Disable strict symbol checks in the link editor | |
| - Build Python with -O3 | |
| - https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3 | |
| - Update to 3.6.8 | |
| Resolves: rhbz#1658271 | |
| - Raise the release of platform-python obsoletes for better maintainability | |
| - rebuild for new package of redhat-rpm-config (rhbz:564527) | |
| - use 'install -p' when running 'make install' | |
| - Modify the runtime dependency of python3-libs on system-python-libs again, | |
| because previous attempt didn't work properly with dnf resolving mechanism | |
| - Security fix for CVE-2023-24329 | |
| Resolves: rhbz#2173917 | |
| - Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data() | |
| - Enable link time optimizations | |
| - Move windows executables to the devel subpackage (rhbz#1426257) | |
| - Security fix for CVE-2022-48564 | |
| Resolves: RHEL-16674 | |
| - Skip tests failing on s390x | |
| Resolves: RHEL-19252 | |
| - Rebuilt for switch to libxcrypt | |
| - build with valgrind on ppc64le | |
| - disable test_gdb on s390(x) until rhbz#1181034 is resolved | |
| - Security fix for CVE-2021-3426: information disclosure via pydoc | |
| Resolves: rhbz#1935913 | |
| - move the -gdb.py file from %{_libdir}/INSTSONAME-gdb.py to | |
| %{_prefix}/lib/debug/%{_libdir}/INSTSONAME.debug-gdb.py to avoid noise from | |
| ldconfig (bug 562980), and which should also ensure it becomes part of the | |
| debuginfo subpackage, rather than the libs subpackage | |
| - introduce %{py_SOVERSION} and %{py_INSTSONAME} to reflect the upstream | |
| configure script, and to avoid fragile scripts that try to figure this out | |
| dynamically (e.g. for the -gdb.py change) | |
| - Fix python3-config --configdir (rhbz#1772992). | |
| - Hide the private _Py_atomic_xxx symbols from public header | |
| - reword description, based on suggestion by amcnabb | |
| - fix the test_email and test_imp selftests (patch 3 and patch 4 respectively) | |
| - fix the test_tk and test_ttk_* selftests (patch 5) | |
| - fix up the specfile's handling of shebang/perms to avoid corrupting | |
| test_httpservers.py (sed command suggested by amcnabb) | |
| - Security fix for CVE-2020-26116: Reject control chars in HTTP method in http.client | |
| Resolves: rhbz#1883257 | |
| - Use the monotonic clock for threading.Condition | |
| - Use the monotonic clock for the global interpreter lock | |
| Resolves: rhbz#2003758 | |
| - Use python3-*, not python-* runtime requires on setuptools and pip | |
| - rebuild for tcl-8.6 | |
| - don't run test_openpty and test_pty in %check | |
| - renumber autotools patch from 300 to 5000 | |
| - specfile cleanups | |
| - cherrypick fix for distutils not using __pycache__ when byte-compiling | |
| files (rhbz#722578) | |
| - update uid/gid handling to avoid int overflows seen with uid/gid | |
| values >= 2^31 on 32-bit architectures (patch 157; rhbz#697470) | |
| - re-enable and fix the --with-tsc option on ppc64, and rework it on 32-bit | |
| ppc to avoid aliasing violations (patch 130; rhbz#698726) | |
| - fix typo in libpython.stp (rhbz:575336) | |
| - update the arch list where valgrind exists - %power64 includes also | |
| ppc64le which is not supported yet | |
| - Rebuild with new LDFLAGS from redhat-rpm-config | |
| - exclude test_http_cookies when running selftests, due to hang seen on | |
| http://koji.fedoraproject.org/koji/taskinfo?taskID=2088463 (cancelled after | |
| 11 hours) | |
| - update python-gdb.py from v5 to py3k version submitted upstream | |
| - fix missing include in uid/gid handling patch (patch 157; rhbz#830405) | |
| - Fix the compilation of the nis module. | |
| - Turn on computed-gotos. | |
| - Fix for parallel make and graminit.c | |
| - Remove 3 > 3.6 symlinks for pydoc and python manpage | |
| - Resolves: rhbz#1615727 | |
| - use "--findleaks --verbose3" when running test suite | |
| - use newly installed python for byte compiling (#787498) | |
| - Add desktop entry and appdata.xml file for IDLE 3 (rhbz#1392049) | |
| - Do not include the unversioned pyvenv binary in the rpm | |
| - move lib2to3 from -tools subpackage to main package (bug 556667) | |
| - Patch 329 (FIPS) modified: Added workaround for mod_ssl: | |
| Skip error checking in _Py_hashlib_fips_error | |
| Resolves: rhbz#1760106 | |
| - run selftests with "--verbose" | |
| - disable parts of test_io on ppc (rhbz#732998) | |
| - on 64bit "stdlib" was still "/usr/lib/python*" (modify *lib64.patch) | |
| - make find-provides-without-python-sonames.sh 64bit aware | |
| - disable invocation of brp-python-bytecompile in postprocessing, since | |
| it would be with the wrong version of python (adapted from ivazquez' | |
| python3000 specfile) | |
| - use a custom implementation of __find_provides in order to filter out bogus | |
| provides lines for the various .so modules | |
| - fixup distutils/unixccompiler.py to remove standard library path from rpath | |
| (patch 1, was Patch0 in ivazquez' python3000 specfile) | |
| - split out libraries into a -libs subpackage | |
| - update summaries and descriptions, basing content on ivazquez' specfile | |
| - fixup executable permissions on .py, .xpm and .xbm files, based on work in | |
| ivazquez's specfile | |
| - get rid of DOS batch files | |
| - fixup permissions for shared libraries from non-standard 555 to standard 755 | |
| - move /usr/bin/python*-config to the -devel subpackage | |
| - mark various directories as being documentation | |
| - add configure-time support for COUNT_ALLOCS and CALL_PROFILE debug options | |
| (patch 104); enable them and the WITH_TSC option within the debug build | |
| - Update to Python 3.6.0 beta 4 | |
| - Rebased to version 3.5.2 | |
| - Set to work with pip version 8.1.2 | |
| - Removed patches 207, 237, 241 as fixes are already contained in Python 3.5.2 | |
| - Removed arch or environment specific patches 194, 196, 203, and 208 | |
| as test builds indicate they are no longer needed | |
| - Updated patches 102, 146, and 242 to work with the new Python codebase | |
| - Removed patches 200, 201, 5000 which weren't even being applied | |
| - Security fix for CVE-2020-8492 | |
| Resolves: rhbz#1810618 | |
| - reading the timestamp counter is available only on some arches (see Python/ceval.c) | |
| - 3.2a1; add alphatag | |
| - rework %files in the light of PEP 3147 (__pycache__) | |
| - drop our configuration patch to Setup.dist (patch 0): setup.py should do a | |
| better job of things, and the %files explicitly lists our modules (r82746 | |
| appears to break the old way of doing things). This leads to various modules | |
| changing from "foomodule.so" to "foo.so". It also leads to the optimized build | |
| dropping the _sha1, _sha256 and _sha512 modules, but these are provided by | |
| _hashlib; _weakref becomes a builtin module; xxsubtype goes away (it's only for | |
| testing/devel purposes) | |
| - fixup patches 3, 4, 6, 8, 102, 103, 105, 111 for the rebase | |
| - remove upstream patches: 7 (system expat), 106, 107, 108 (audioop reformat | |
| plus CVE-2010-1634 and CVE-2010-2089), 109 (CVE-2008-5983) | |
| - add machinery for rebuilding "configure" and friends, using the correct | |
| version of autoconf (patch 300) | |
| - patch the debug build's usage of COUNT_ALLOCS to be less verbose (patch 125) | |
| - "modulator" was removed upstream | |
| - drop "-b" from patch applications affecting .py files to avoid littering the | |
| installation tree | |
| - Add patch that enables building on ppc64p7 (replace the sed, so that | |
| we get consistent with python2 spec and it's more obvious that we're doing it. | |
| - Security fix for CVE-2023-6597 | |
| Resolves: RHEL-33671 | |
| - Rebuild for reverted gdbm 1.13 on Fedora 27 | |
| - Remove Obsoletes and Provides that are not relevant for RHEL | |
| - Add explicit RPM Provides for /usr/libexec/platform-python | |
| Resolves: RHEL-48605 | |
| - 3.3.0b2 -> 3.3.0rc1; refresh patches 3, 55 | |
| - Remove sys.executable check from change-user-install-location patch | |
| Resolves: rhbz#1532287 | |
| - Update to Python 3.4.1 | |
| - 3.2rc1 | |
| - rework patch 6 (static lib removal) | |
| - remove upstreamed patch 130 (ppc debug build) | |
| - regenerate patch 300 (autotool intermediates) | |
| - updated packaging to reflect upstream rewrite of "Demo" (issue 7962) | |
| - added libpython3.so and 2to3-3.2 | |
| - Added fix for CVE-2013-4238 (rhbz#996399) | |
| - fix up indentation in arm patch | |
| - 3.3.0rc2 -> 3.3.0rc3 | |
| - Add rocky to supported dists | |
| - Use proper command line parsing in _testembed | |
| - Backport of PEP 538: Coercing the legacy C locale to a UTF-8 based locale | |
| https://fedoraproject.org/wiki/Changes/python3_c.utf-8_locale | |
| - disable some tests on sparc arches | |
| - use newly installed python for byte compiling (now for real) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Disable test_gdb for all arches and test_buffer for ppc64le in anticipation | |
| of the F28 mass rebuild | |
| - Re-enable these tests after the mass rebuild when they can be properly | |
| addressed | |
| - add explicit version requirements on expat to avoid linkage problems with | |
| XML_SetHashSalt | |
| - add %check section (thanks to Thomas Spura) | |
| - update patch 4 to use correct shebang line | |
| - get rid of stray patch file from buildroot | |
| - Add idle3 to the alternatives system | |
| - Resolves: rhbz#1632625 | |
| - Security fix for CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs | |
| - Fix the test suite support for Expat >= 2.4.5 | |
| Resolves: rhbz#2047376, rhbz#2060435 | |
| - fixup importlib/_bootstrap.py so that it correctly handles being unable to | |
| open .pyc files for writing (patch 2, upstream issue 7187) | |
| - actually apply the rpath patch (patch 1) | |
| - Have /usr/bin/2to3 (rhbz#1111275) | |
| - Provide 2to3 and idle3, list them in summary and description (rhbz#1076401) | |
| - Revert "Set values of prefix and exec_prefix to /usr/local for | |
| /usr/bin/python* executables..." to prevent build failures | |
| of packages using alternate build tools | |
| - R: gdbm-devel → R: gdbm for python3-libs | |
| - Fix test_pyexpat failure with Expat version of 2.2.0 | |
| - remove commented-away patch 51 (python-2.6-distutils_rpm.patch): the -O1 | |
| flag is used by default in the upstream code | |
| - "Makefile" and the config-32/64.h file are needed by distutils/sysconfig.py | |
| _init_posix(), so we include them in the core package, along with their parent | |
| directories (bug 531901) | |
| - Modify the runtime dependency of python3-libs on system-python-libs to use | |
| just the version and release number, but not the dist tag due to Modularity | |
| - Security fix for CVE-2018-20852 | |
| Resolves: rhbz#1741553 | |
| - Security fixes for CVE-2020-10735 and CVE-2021-28861 | |
| Resolves: rhbz#1834423, rhbz#2120642 | |
| - Security fix for CVE-2024-6923 | |
| Resolves: RHEL-53065 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Security fix for CVE-2019-16056 | |
| Resolves: rhbz#1750776 | |
| - fix gcc 4.8 incompatibility (rhbz#927358); regenerate autotool intermediates | |
| - Update to Python 3.4 final | |
| - Add patch adding the rewheel module | |
| - Merge patches from master | |
| - replace references to /usr with %{_prefix}; replace references to | |
| /usr/include with %{_includedir} (Toshio) | |
| - split configure options into multiple lines for ease of editing | |
| - add systemtap static markers (wcohen, mjw, dmalcolm; patch 8), a systemtap | |
| tapset defining "python.function.entry" and "python.function.return" to make | |
| the markers easy to use (dmalcolm; source 5), and an example of using the | |
| tapset to the docs (dmalcolm; source 6) (rhbz:545179) | |
| - Security fix for CVE-2023-40217 | |
| Resolves: RHEL-3041 | |
| - 3.3.0rc3 -> 3.3.0; drop alphatag | |
| - Make `devel` subpackage require python36-devel again | |
| (and get /usr/bin/python3 and /usr/bin/python3-config from that). | |
| - Remove /usr/bin/python3* executables | |
| - Use pip36 instead of `pip3` | |
| - Enable profile guided optimizations for x86_64 and i686 architectures | |
| - Update to a newer implementation of PEP 538 | |
| - Update description to reflect that Python 3 is now the default Python | |
| - Add -n option for pathfix.py | |
| Resolves: rhbz#1546990 | |
| - Fix test_dbm_gnu for gdbm 1.15 which fails on ppc64le | |
| Resolves: rhbz#1638710 | |
| - Security fix for CVE-2019-9636 (rhbz#1689318) | |
| - Implement `alternatives` for choosing /usr/bin/python | |
| - Provide the default `no-python` alternative | |
| - Resolves: rhbz#1632625 | |
| - Build Python with -fno-semantic-interposition for better performance | |
| - https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup | |
| - Also fix test_gdb failures with Link Time Optimizations | |
| Resolves: rhbz#1724996 | |
| - update python-gdb.py from v3 to v4 (fixing infinite recursion on reference | |
| cycles and tracebacks on bytes 0x80-0xff in strings, adding handlers for sets | |
| and exceptions) | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - Update to 3.6.7 (rhbz#1627739) | |
| - Re-enable test_gdb (rhbz#1639536) | |
| - Re-enable test_faulthandler (rhbz#1640147) | |
|
|
|
| pulseaudio-libs-14.0-4.el8.x86_64.rpm | - respin disable_flat_volumes.patch |
| - 20141103 327-gaec81 snapshot, pulseaudio socket activation support | |
| - use bash completionsdir | |
| - pulseaudio-5.99.1 (6.0-rc1) | |
| - pulseaudio-8.99.2 | |
| - 6.99.2 (#1262579) | |
| - rebuilt for json-c-0.9-4.fc17 | |
| - alsa-mixer: Fix the analog-output-speaker-always path | |
| - pulseaudio-7.99.1 (8.0 rc1) (#1294555) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - include experimental Intel HDMI LPE fixes (fdo#100488) | |
| - own /var/run/pulse (#1173811) | |
| - Enable webrtc-aec | |
| - pull a few more patches from upstream stable-3.x branch | |
| - pulseaudio-9.0 | |
| - artificially bump Release to 100, to ensure upgrade path | |
| - 5.0 (#1072259) | |
| - Update to git snapshot bf9b3f0 for BlueZ 5 support | |
| - Fix port to qt5. | |
| - Resolves: rhbz#1591134 | |
| - Enable pulseaudio-module-bluetooth on s390x | |
| - Add pulseaudio-daemon' Provides + Conflicts only on fedora | |
| - Resolves: rhbz#1924094 | |
| - pulseaudio-8.99.1 (#1335527) | |
| - disable webrtc support for now (waiting on #1335536) | |
| - use %license, %ldconfig_scriptlets | |
| - use better upstream patch for exit-idle-time | |
| - Remove /var/run/pulse and /var/lib/pulse, they are directories in tmpfs | |
| - use %make_build, %make_install | |
| - enable systemd socket/service activation on f28+ (and disable autospawn) | |
| - Add xauthority parameter to X11 modules | |
| - Fix compilation against newer alsa-lib | |
| - Resolves: rhbz#1723065 | |
| - Add flatpak access control | |
| - rebuild for libudev1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - New upstream release | |
| - webrtc-aec is x86 and ARM only for now | |
| - 6.99.1 (#1257770) | |
| - pulseaudio-2.0 | |
| - better autostart.patch, handle case where autospawn is disabled (or otherwise doesn't work, like for root user) | |
| - Bring in Lennart's patch from f17 | |
| - Temporary fix for CK/systemd move (#794690) | |
| - enable %check | |
| - fix bz#1345826, only start threads on active CPUs | |
| - backport some alsa-mixer related fixes (#1492344) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rtp-recv: fix crash on empty UDP packets (CVE-2014-3970,#1104835,#1108011) | |
| - name HDMI outputs uniquely | |
| - backport upstream fixes: memfd, qpaeq PyQt5 port | |
| - enable libsoxr support | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Use the statically allocated UID and GID from /usr/share/doc/setup/uidgid (#1056656) | |
| - The pulse-rt group doesn't exist (#885020) | |
| - pulseaudio-3.99.1 (#952594) | |
| - RFE: Restore the pipe-sink and pipe-source modules (#958949) | |
| - prune (pre 1.x) changelog | |
| - skip patch93, seems to cause crashes w/headphone jacks (#1544507,#1551270,#1554035) | |
| - autostart.patch: fix stdout/stderr redirection | |
| - disable make check on PPC* (rhbz #1067470) | |
| - pulseaudio-7.1 (#1276811) | |
| - pulseaudio-3.99.2 (#966631) | |
| - always run tests, but don't fail the build on big endian arches (relates #1067470) | |
| - RFE: Disable PulseAudio's flat volumes f24+ (#1265267) | |
| - pulseaudio-11.0 | |
| - enable hardened build (#983606) | |
| - BR: automake libtool (for bootstrap.sh) | |
| - actually install new dell-dock-tb16-usb-audio.conf alsa profile (#1492344) | |
| - Move module-jackdbus-detect.so to -module-jack subpackage with the | |
| rest of the jack modules | |
| - Add patch for profile switching | |
| - Resolves: rhbz#2052011. rhbz#2073877 | |
| - default.pa: fix for renamed modules (#908117) | |
| - New 4.0 stable release | |
| - http://www.freedesktop.org/wiki/Software/PulseAudio/Notes/4.0/ | |
| - pulseaudio-2.1 | |
| - duplicate directory between pulseaudio and pulseaudio-libs (#909690) | |
| - snapshot, with wip bt headset2 patches (#1045548,#1067470) | |
| - Pulse Audio settings lost after reboot / HDMI is set as default (#1035025) | |
| - Escape macros in %changelog | |
| - fix PACKAGE_VERSION | |
| - Add patch to avoid bluez warning. | |
| - Resolves: rhbz#1969944 | |
| - experimental fixes bluetooth profile switching (f28+ only, fdo#93898) | |
| - pulseaudio-9.99.1 (#1409939) | |
| - %check: use %_smp_mflags | |
| - 4.99.2 (#1057528) | |
| - don't mark .desktop and dbus configurations as %config | |
| - apply srbchannel patch | |
| - SBC is needed only when BlueZ is used | |
| - drop Requires: kernel (per recent -devel ml thread) | |
| - pulseaudio-8.0 (#1301040) | |
| - fix resampler-related build dependencies (libsamplerate/speex) (#1239208) | |
| - Rebuild (libjson-c) | |
| - move libpulsedsp plugin to -libs, avoids -utils multilib (#891425) | |
| - pulseaudio-7.99.2 (#1297774) | |
| - 4.99.3 | |
| - Update to 10.0 | |
| - pulseaudio-5.99.3 (6.0-rc3) (#1184850) | |
| - --disable-systemd-daemon, revert to autospawn mode | |
| - handle jack/lirc modules better (#1056619) | |
| - -libs-devel: own some dirs to avoid deps on cmake/vala | |
| - -module-bluetooth: make dep arch'd for consistency | |
| - pulseaudio-3.0 | |
| - %build fix typo, explicitly --enable-tests | |
| - re-enable webrtc support (arm,x86_64 only for now) | |
| - Update to 13.99.1 | |
| - Resolves: rhbz#1817378 | |
| - Provide padsp-32, /usr/bin/padsp is native arch only (#856146) | |
| - Fixup ldconfig scriptlets | |
| - pulseaudio-11.1 | |
| - pulseaudio 6.0 breaks 5.1 network sound configuration (#1230957) | |
| - Obsoletes: padevchooser < 1.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt once more for libjson-c | |
| - PulseAudio doesn't load locales (fdo#92142) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - manually package sockets.target.wants/pulseaudio.socket to help | |
| handle socket activation on upgrades | |
| - backport 'pa_sink_input_assert_ref()' crashfix (#1472285) | |
| - --disable-tcpwrap on f28+ (#1518777) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - BR: gcc-c++ | |
| - pulseaudio-5.99.2 (6.0-rc2) | |
| - [RFE] Build with libcap (#969232) | |
| - Own the %{_libdir}/pulseaudio dir. | |
| - Fix bogus %changelog dates. | |
| - backport srbchannel crasher fix | |
| - fresh snapshot | |
| - Fix dbus-python dependency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - X-KDE-autostart-phase=1 | |
| - fix the with_webrtc condition | |
| - pulseaudio-7.0 | |
| - Fix RHEL build | |
| - Update to 14.0 | |
| - Add pulseaudio-daemon' Provides + Conflicts to support | |
| swapping with PipeWire | |
| - Resolves: rhbz#1906322 | |
| - respin disable_flat_volumes.patch harder | |
| - fixed bz#1580853, FTBFS | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - %check: make non-fatal, echo test-suite.log on failure (#1345826) | |
| - fix changelog | |
| - omit -gdm-hooks, moved to gdm (f28+) | |
| - 4.99.4 | |
| - Don't load the ck module in gdm, either | |
| - Fix pa crashing on Bay- and Cherry-Trail devices | |
| - pulseaudio-6.0 (#1192384) | |
| - ship a single autostart file | |
| - -qpaeq subpkg (#1002585) | |
| - Update to today's git snapshot | |
| - Backport a patch for pulseaudio crash at startup (#1000966) | |
| - PulseAudio 2.99.3 (3.0 rc3) | |
| - Use python3 version of qt5 | |
| - Resolves: rhbz#1591134 | |
| - Really add pulse-rt group when needed (bug #885020) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - -libs: Obsoletes: pulseaudio-libs-zeroconf | |
| - use versioned Obsoletes/Provides | |
| - tighten subpkg deps via %_isa | |
| - remove autoconf/libtool hackery | |
| - Fix for building with gcc 4.7 | |
| - Fix the build on RHEL | |
| - pulseaudio-10.99.1 (#1474559) | |
| - use %tests macro, enable systemd socket activation (#1265720) | |
| - exit-idle-time = 4 (#1510301) | |
| - f28+ ftbfs: memfd_create conflicts | |
| - drop getaffinity.patch (no longer needed) | |
| - enable webrtc support for all archs | |
| - make tests non-fatal on i686,s390x | |
| - Rebuilt for GCC 5 C++11 ABI change | |
|
|
|
| pulseaudio-libs-glib2-14.0-4.el8.x86_64.rpm | - respin disable_flat_volumes.patch |
| - 20141103 327-gaec81 snapshot, pulseaudio socket activation support | |
| - use bash completionsdir | |
| - pulseaudio-5.99.1 (6.0-rc1) | |
| - pulseaudio-8.99.2 | |
| - 6.99.2 (#1262579) | |
| - rebuilt for json-c-0.9-4.fc17 | |
| - alsa-mixer: Fix the analog-output-speaker-always path | |
| - pulseaudio-7.99.1 (8.0 rc1) (#1294555) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - include experimental Intel HDMI LPE fixes (fdo#100488) | |
| - own /var/run/pulse (#1173811) | |
| - Enable webrtc-aec | |
| - pull a few more patches from upstream stable-3.x branch | |
| - pulseaudio-9.0 | |
| - artificially bump Release to 100, to ensure upgrade path | |
| - 5.0 (#1072259) | |
| - Update to git snapshot bf9b3f0 for BlueZ 5 support | |
| - Fix port to qt5. | |
| - Resolves: rhbz#1591134 | |
| - Enable pulseaudio-module-bluetooth on s390x | |
| - Add pulseaudio-daemon' Provides + Conflicts only on fedora | |
| - Resolves: rhbz#1924094 | |
| - pulseaudio-8.99.1 (#1335527) | |
| - disable webrtc support for now (waiting on #1335536) | |
| - use %license, %ldconfig_scriptlets | |
| - use better upstream patch for exit-idle-time | |
| - Remove /var/run/pulse and /var/lib/pulse, they are directories in tmpfs | |
| - use %make_build, %make_install | |
| - enable systemd socket/service activation on f28+ (and disable autospawn) | |
| - Add xauthority parameter to X11 modules | |
| - Fix compilation against newer alsa-lib | |
| - Resolves: rhbz#1723065 | |
| - Add flatpak access control | |
| - rebuild for libudev1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - New upstream release | |
| - webrtc-aec is x86 and ARM only for now | |
| - 6.99.1 (#1257770) | |
| - pulseaudio-2.0 | |
| - better autostart.patch, handle case where autospawn is disabled (or otherwise doesn't work, like for root user) | |
| - Bring in Lennart's patch from f17 | |
| - Temporary fix for CK/systemd move (#794690) | |
| - enable %check | |
| - fix bz#1345826, only start threads on active CPUs | |
| - backport some alsa-mixer related fixes (#1492344) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rtp-recv: fix crash on empty UDP packets (CVE-2014-3970,#1104835,#1108011) | |
| - name HDMI outputs uniquely | |
| - backport upstream fixes: memfd, qpaeq PyQt5 port | |
| - enable libsoxr support | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Use the statically allocated UID and GID from /usr/share/doc/setup/uidgid (#1056656) | |
| - The pulse-rt group doesn't exist (#885020) | |
| - pulseaudio-3.99.1 (#952594) | |
| - RFE: Restore the pipe-sink and pipe-source modules (#958949) | |
| - prune (pre 1.x) changelog | |
| - skip patch93, seems to cause crashes w/headphone jacks (#1544507,#1551270,#1554035) | |
| - autostart.patch: fix stdout/stderr redirection | |
| - disable make check on PPC* (rhbz #1067470) | |
| - pulseaudio-7.1 (#1276811) | |
| - pulseaudio-3.99.2 (#966631) | |
| - always run tests, but don't fail the build on big endian arches (relates #1067470) | |
| - RFE: Disable PulseAudio's flat volumes f24+ (#1265267) | |
| - pulseaudio-11.0 | |
| - enable hardened build (#983606) | |
| - BR: automake libtool (for bootstrap.sh) | |
| - actually install new dell-dock-tb16-usb-audio.conf alsa profile (#1492344) | |
| - Move module-jackdbus-detect.so to -module-jack subpackage with the | |
| rest of the jack modules | |
| - Add patch for profile switching | |
| - Resolves: rhbz#2052011. rhbz#2073877 | |
| - default.pa: fix for renamed modules (#908117) | |
| - New 4.0 stable release | |
| - http://www.freedesktop.org/wiki/Software/PulseAudio/Notes/4.0/ | |
| - pulseaudio-2.1 | |
| - duplicate directory between pulseaudio and pulseaudio-libs (#909690) | |
| - snapshot, with wip bt headset2 patches (#1045548,#1067470) | |
| - Pulse Audio settings lost after reboot / HDMI is set as default (#1035025) | |
| - Escape macros in %changelog | |
| - fix PACKAGE_VERSION | |
| - Add patch to avoid bluez warning. | |
| - Resolves: rhbz#1969944 | |
| - experimental fixes bluetooth profile switching (f28+ only, fdo#93898) | |
| - pulseaudio-9.99.1 (#1409939) | |
| - %check: use %_smp_mflags | |
| - 4.99.2 (#1057528) | |
| - don't mark .desktop and dbus configurations as %config | |
| - apply srbchannel patch | |
| - SBC is needed only when BlueZ is used | |
| - drop Requires: kernel (per recent -devel ml thread) | |
| - pulseaudio-8.0 (#1301040) | |
| - fix resampler-related build dependencies (libsamplerate/speex) (#1239208) | |
| - Rebuild (libjson-c) | |
| - move libpulsedsp plugin to -libs, avoids -utils multilib (#891425) | |
| - pulseaudio-7.99.2 (#1297774) | |
| - 4.99.3 | |
| - Update to 10.0 | |
| - pulseaudio-5.99.3 (6.0-rc3) (#1184850) | |
| - --disable-systemd-daemon, revert to autospawn mode | |
| - handle jack/lirc modules better (#1056619) | |
| - -libs-devel: own some dirs to avoid deps on cmake/vala | |
| - -module-bluetooth: make dep arch'd for consistency | |
| - pulseaudio-3.0 | |
| - %build fix typo, explicitly --enable-tests | |
| - re-enable webrtc support (arm,x86_64 only for now) | |
| - Update to 13.99.1 | |
| - Resolves: rhbz#1817378 | |
| - Provide padsp-32, /usr/bin/padsp is native arch only (#856146) | |
| - Fixup ldconfig scriptlets | |
| - pulseaudio-11.1 | |
| - pulseaudio 6.0 breaks 5.1 network sound configuration (#1230957) | |
| - Obsoletes: padevchooser < 1.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt once more for libjson-c | |
| - PulseAudio doesn't load locales (fdo#92142) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - manually package sockets.target.wants/pulseaudio.socket to help | |
| handle socket activation on upgrades | |
| - backport 'pa_sink_input_assert_ref()' crashfix (#1472285) | |
| - --disable-tcpwrap on f28+ (#1518777) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - BR: gcc-c++ | |
| - pulseaudio-5.99.2 (6.0-rc2) | |
| - [RFE] Build with libcap (#969232) | |
| - Own the %{_libdir}/pulseaudio dir. | |
| - Fix bogus %changelog dates. | |
| - backport srbchannel crasher fix | |
| - fresh snapshot | |
| - Fix dbus-python dependency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - X-KDE-autostart-phase=1 | |
| - fix the with_webrtc condition | |
| - pulseaudio-7.0 | |
| - Fix RHEL build | |
| - Update to 14.0 | |
| - Add pulseaudio-daemon' Provides + Conflicts to support | |
| swapping with PipeWire | |
| - Resolves: rhbz#1906322 | |
| - respin disable_flat_volumes.patch harder | |
| - fixed bz#1580853, FTBFS | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - %check: make non-fatal, echo test-suite.log on failure (#1345826) | |
| - fix changelog | |
| - omit -gdm-hooks, moved to gdm (f28+) | |
| - 4.99.4 | |
| - Don't load the ck module in gdm, either | |
| - Fix pa crashing on Bay- and Cherry-Trail devices | |
| - pulseaudio-6.0 (#1192384) | |
| - ship a single autostart file | |
| - -qpaeq subpkg (#1002585) | |
| - Update to today's git snapshot | |
| - Backport a patch for pulseaudio crash at startup (#1000966) | |
| - PulseAudio 2.99.3 (3.0 rc3) | |
| - Use python3 version of qt5 | |
| - Resolves: rhbz#1591134 | |
| - Really add pulse-rt group when needed (bug #885020) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - -libs: Obsoletes: pulseaudio-libs-zeroconf | |
| - use versioned Obsoletes/Provides | |
| - tighten subpkg deps via %_isa | |
| - remove autoconf/libtool hackery | |
| - Fix for building with gcc 4.7 | |
| - Fix the build on RHEL | |
| - pulseaudio-10.99.1 (#1474559) | |
| - use %tests macro, enable systemd socket activation (#1265720) | |
| - exit-idle-time = 4 (#1510301) | |
| - f28+ ftbfs: memfd_create conflicts | |
| - drop getaffinity.patch (no longer needed) | |
| - enable webrtc support for all archs | |
| - make tests non-fatal on i686,s390x | |
| - Rebuilt for GCC 5 C++11 ABI change | |
|
|
|
| python-qt5-rpm-macros-5.15.0-3.el8.noarch.rpm | - rebuild (qt5) |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - limit -webengine support to just primary archs (for now) | |
| - rebuild (qt5), Provides: python2-qt5 | |
| - -webengine: add ExclusiveArch (matching qt5-qtwebengine's) | |
| - Rebuild again for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pkgconfig(QtOpenGL) being satisfied by qt4 devel (#1162415) | |
| - BR: qt5-qtbase-private-devel | |
| - python3-qt5: add versioned qt5 dep (like base python-qt5 pkg has) | |
| - rebuild (qt5) | |
| - 5.9.1 | |
| - (temporarily) omit webengine support on fc26 | |
| - rebuild (sip) | |
| - wrong python release used in pyuic5 launch script (#1193107) | |
| - -doc: add qsci doc QyQt5.api content | |
| - enable Qt5WebChannel/Qt5WebSockets support | |
| - add Obsoletes for misnamed -webengine/-webkit pkgs (#1315025) | |
| - restore python3 support | |
| - PyQt-5.2.1 | |
| - restore -webengine | |
| - python3: (Build)Requires: python3-dbus | |
| - rebuild (qt5) | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebuild (sip) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - New base sub package to provide QtBase only (RHBZ#1394626) | |
| - New requirement from the main package to the base sub package | |
| - -webengine,-webkit subpkgs | |
| - Rebuild (binutils) | |
| Resolves: bz#1949066 | |
| - 5.4.1 | |
| - move -devel binaries to main pkg(s) (#1422613) | |
| - PyQt5-5.10 | |
| - Update to 5.10.1 and drop dependency on qt5-qtwebkit and qt5-qtwebengine | |
| - rebuild (sip) | |
| - 5.11.2 + sync with Fedora | |
| - add missing -webengine/-webkit descriptions | |
| - better python3-qt5-devel description | |
| - rebuild (qt5) | |
| - PyQt5-5.8.1 | |
| - -rpm-macros subpkg | |
| - PyQt-5.2 | |
| - rebuild (qt5-qtenginio) | |
| - Drop dependency on qt5-qtenginio | |
| - rebuild (sip) | |
| - fix pyrcc5 wrapper typo | |
| - add wrappers for pyrcc5,pylupdate5 (#141116,#1415812) | |
| - update provides filtering | |
| - 5.5 | |
| - Rebuild for Python 3.6 | |
| - 5.4 | |
| - PyQt5-5.9 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fixed bz#1348507, pyqt5 with python2 in isolated mode | |
| - python3-qt5: omit sip files inadvertently added in 5.7.1-5 | |
| - rebuild against new qt5-qtbase-5.7.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - rebuild (qt5) | |
| - PyQt5-5.7.1 | |
| - (temp) disable -webengine support | |
| - 5.13.1 | |
| Resolves: bz#1775603 | |
| - rebuild (sip), re-enable -webengine for secondary archs | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - rebuild (qt5) | |
| - rebuild (qt5) | |
| - PyQt5-5.7 | |
| - try to determine dbus-python install paths dynamically (#1161121) | |
| - drop ppc ppc64 ppc64le, it's not supported yet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - +macros.pyqt5 | |
| - fix python3-qt5-webkit name | |
| - BR: python2-devel, use %__python2 macro | |
| - rebuild (f21-python) | |
| - +Qt5Positioning,Qt5Sensors support | |
| - rebuild (sip) | |
| - explicitly support Qt5 newer than just 5.9.3 (+5.9.4,5.10.0,5.10.1) | |
| - Add patch to fix python3 sip installation dir (#1228432) | |
| - ensure .so modules are executable (for proper -debuginfo extraction) | |
| - 5.4.2 | |
| - PyQt-gpl-5.3 | |
| - +Qt5Bluetooth,Qt5Quick,Qt5SerialPorts support | |
| - -devel: restore dep on base pkg | |
| - Enabled QtWebEngine for Fedora >= 24 | |
| - 5.5.1 | |
| - enable qtenginio, fix pyuic5 wrapper, use %license | |
| - PyQt-gpl-5.3.2 | |
| - python3-qt5 support | |
| - rebuild (qt5-qtbase), disable -webengine (temp on f25, until fixed) | |
| - 5.9.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - -rpm-macros: Conflicts: python(3)-qt5 < 5.6 | |
| - fix python3-qt5-webengine name | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - python3-qt5-devel subpkg | |
| - License: GPLv3 (#1520186) | |
| - BR: sip + sync with Fedora | |
| - Build failure in sipQtWebKitWidgestQWebInspector: qprinter.h not found (#1160932) | |
| - python2_sitelib should be python2_sitearch (#1161121) | |
| - enable -webengine on f25+ | |
| - PyQt5-5.8 | |
| - 5.15.0 | |
| Resolves: bz#1949066 | |
| - Cleanup spec file conditionals | |
| - %description: mention PyQt5 | |
| - PyQt5-5.6 | |
| - explicitly set CFLAGS,CXXFLAGS,LFLAGS | |
| - Rebuild (Qt 5.15.3) | |
| Resolves: bz#2061729 | |
| - fixed bz#1348507 - Arbitrary code execution due to insecure loading | |
| of Python module from CWD | |
| - PyQt5-5.11 + sync with Fedora | |
| - Drop dependency on phonon and python2 support | |
| - restore qtwebengine support | |
| - use safer subdir builds | |
| - Provides: PyQt5 | |
| - rebuild (qt5) | |
| - python-qt5 is not built with $RPM_OPT_FLAGS (#1314998) | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - PyQt-gpl-5.3.1 | |
| - PyQt5-5.8.2 | |
| - Rebuild against fixed qt5-qtbase to fix -debuginfo (#1065636) | |
| - rebuild (qt5) | |
| - rebuild | |
|
|
|
| python3-augeas-0.5.0-12.el8.noarch.rpm | - Rebuild for Python 3.6 |
| - Version 0.5.0 release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - add python-ctypes dependency (rhbz#1020239) | |
| - wildcard to catch egg-info in case it is built | |
| - Rebuilt for Python3.5 rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - new version | |
| - Added Python 3 subpackage | |
| - version 0.3.0 | |
| - version 0.2.1 | |
| - set mode of _augeas.so to 0755 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - use %global instead of %define | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Modernize spec | |
| - Fix python3 package file ownership | |
| - Run the tests during the build (RHBZ#1682268). | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - version to import in CVS (rhbz#444945) | |
| - switched to noarch, dlopen/ python bindings | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - only include egg-info, if fedora >=9 or rhel >= 6 | |
| Resolves: rhbz#661452 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - version 0.4.1 | |
| - include egg only on F-9, RHEL-6 and later | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Rebuild for Python 2.6 | |
| - initial version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
|
|
|
| python3-gssapi-1.5.1-5.el8.x86_64.rpm | - Fix tox dependency |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New upstream release v1.3.0 | |
| - Python 2 binary package renamed to python2-gssapi | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Remove warning about collections ABCs on python3.7 | |
| - Resolves: #1594834 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Fix problem where gss_display_status can infinite loop | |
| - Move to autosetup and rpm-git-tree | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Add gating tests | |
| - Resolves: #1682269 | |
| - Initial Packaging | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Prepare for release 1.5.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream version 1.2.0 | |
| - Conditionalize the python2 subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Rebuild for Python 3.6 | |
| - New minor release. | |
| - Rebuilt for Python3.5 rebuild | |
| - Add gcc to build-deps | |
| - New upstream minor release | |
| - Update spec file from Fedora | |
| - Resolves: #1715040 | |
| - Prepare for release 1.4.1 | |
| - Gating can't be bothered to check my BuildRequires | |
| - Resolves: #1715040 | |
| - New minor release. | |
| - Resolves #1254458 | |
| - Fixes a crash bug when inquiring incomplete security contexts | |
| - New upstream version 1.1.4 | |
| - Resolves #1286458 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Bump NVR to re-run our useless gating | |
| - Resolves: #1715040 | |
|
|
|
| python3-ipaclient-4.9.13-20.module+el8.10.0+2067+377bdd64.noarch.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add o users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fecth-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= |
|
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RRBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to do not use only primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageuser-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrite schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontend: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exist | |
| - Fix ipa-caalc-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching for public key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
| domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address components, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
| interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEnrty error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow to use mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Insure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against reentrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adopt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: user getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adopt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libvert-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - certmonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| python3-ipalib-4.9.13-20.module+el8.10.0+2067+377bdd64.noarch.rpm | - Updated to upstream 3.0.0 GA |
| - Set minimum for samba to 4.0.0-153. | |
| - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so | |
| plugin to /dev/null since they cannot be used when trusts are configured | |
| - Restrict krb5-server to 1.10. | |
| - Update BR for 389-ds-base to 1.3.0 | |
| - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca | |
| - Add Requires on zip for generating FF browser extension | |
| - Update to 4.7.90-pre1 | |
| Related: RHBZ#1684528 | |
| - Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1 | |
| - Added new patches 0001-revert-minssf-defaults.patch and | |
| 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch | |
| - Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release | |
| - Use default crypto policy for TLS and enable TLS 1.3 support | |
| Resolves: RHBZ#1777809 | |
| - Covscan fixes | |
| Resolves: RHBZ#1777920 | |
| - Change pki_version to 10.8.0 | |
| Related: RHBZ#1748987 | |
| - Updated to upstream 3.0.0 beta 2 | |
| - Respin after the tarball has been re-released upstream | |
| New hash is 506c9c92dcaf9f227cba5030e999f177 | |
| - Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) | |
| - Increase default timeout for IPA services (#1033273) | |
| - Error while running trustdomain-find (#1054376) | |
| - group-show lists SID instead of name for external groups (#1054391) | |
| - Fix IPA server NetBIOS name in samba configuration (#1030517) | |
| - dnsrecord-mod produces missing API version warning (#1054869) | |
| - Hide trust-resolve command as internal (#1052860) | |
| - Add Trust domain Web UI (#1054870) | |
| - ipasam cannot delete multiple child trusted domains (#1056120) | |
| - diffstat was missing as a build dependency causing multilib problems | |
| - kdb: Use-krb5_pac_full_sign_compat() when available | |
| Resolves: RHBZ#2176406 | |
| - OTP: fix-data-type-to-avoid-endianness-issue | |
| Resolves: RHBZ#2218293 | |
| - Upgrade: fix replica agreement | |
| Resolves: RHBZ#2216551 | |
| - Upgrade: add PKI drop-in file if missing | |
| Resolves: RHBZ#2215336 | |
| - Use the python-cryptography parser directly in cert-find | |
| Resolves: RHBZ#2164349 | |
| - Backport test updates | |
| Resolves: RHBZ#221884 | |
| - Initial rpm version | |
| - Re-enable otptoken_yubikey plugin | |
| - Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 | |
| - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently | |
| throws Internal server error | |
| - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local | |
| - Resolves: #1045153 ipa-managed-entries --list -p |
|
| DM password | |
| - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 | |
| from ldap_port_t | |
| - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI | |
| - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not | |
| matching uidgid | |
| - Resolves: #1176036 IDM client registration failure in a high load environment | |
| - Resolves: #1183116 Remove Requires: subscription-manager | |
| - Resolves: #1186054 permission-add does not prompt to enter --right option in | |
| interactive mode | |
| - Resolves: #1187524 Replication agreement with replica not disabled when | |
| ipa-restore done without IPA installed | |
| - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as | |
| normal user. | |
| - Resolves: #1189034 "an internal error has occurred" during ipa host-del | |
| --updatedns | |
| - Resolves: #1193554 ipa-client-automount: failing with error LDAP server | |
| returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. | |
| - Resolves: #1193759 IPA extdom plugin fails when encountering large groups | |
| - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode | |
| certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. | |
| - Resolves: #1194633 Default trust view can be deleted in lower case | |
| - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate | |
| server instance - confusing CA status message on TLS error | |
| - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis | |
| - Resolves: #1199527 [RFE] Use datepicker component for datetime fields | |
| - Resolves: #1200867 [RFE] Make OTP validation window configurable | |
| - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi | |
| - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using | |
| get_user_grouplist() [rhel-7.2] | |
| - Resolves: #1204637 slow group operations | |
| - Resolves: #1204642 migrate-ds: slow add o users to default group | |
| - Resolves: #1208461 IPA CA master server update stuck on checking getStatus | |
| via https | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1211708 ipa-client-install gets stuck during NTP sync | |
| - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time | |
| sync | |
| - Resolves: #1215200 ipa-client-install configures IPA server as NTP source | |
| even if IPA server has not ntpd configured | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0.alpha1 | |
| - Rebuild against samba4 beta4 | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - store certificates issued for user entries as | |
| - user-show: add --out option to save certificates to file | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Fix upgrade of sidgen and extdom plugins | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - Use 'mv -Z' in specfile to restore SELinux context | |
| - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior | |
| for combinations of "User authentication types" | |
| - webui: add LDAP vs Kerberos behavior description to user auth | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - ULC: Fix stageused-add --from-delete command | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - certprofile-import: do not require profileId in profile data | |
| - Give more info on virtual command access denial | |
| - Allow SAN extension for cert-request self-service | |
| - Add profile for DNP3 / IEC 62351-8 certificates | |
| - Work around python-nss bug on unrecognised OIDs | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Validate vault's file parameters | |
| - Fixed missing KRA agent cert on replica. | |
| - Resolves: #1225866 display browser config options that apply to the browser. | |
| - webui: add Kerberos configuration instructions for Chrome | |
| - Remove ico files from Makefile | |
| - Resolves: #1246342 Unapply idview raises internal error | |
| - idviews: Check for the Default Trust View only if applying the view | |
| - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages | |
| - webui: fix regressions failed auth messages | |
| - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not | |
| allow access to \\pipe\lsarpc | |
| - Fix selector of protocol for LSA RPC binding string | |
| - dcerpc: Simplify generation of LSA-RPC binding strings | |
| - Resolves: #1250192 Error in ipa trust-fecth-domains | |
| - Fix incorrect type comparison in trust-fetch-domains | |
| - Resolves: #1251553 Winsync setup fails with unexpected error | |
| - replication: Fix incorrect exception invocation | |
| - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. | |
| - ACI plugin: correctly parse bind rules enclosed in | |
| - Resolves: #1252414 Trust agent install does not detect available replicas to | |
| add to master | |
| - adtrust-install: Correctly determine 4.2 FreeIPA servers | |
| - Add ipa-rmkeytab tool | |
| - Update Requires on selinux-policy to 3.13.1-4 | |
| - Update to upstream 4.1.0 (#1109726) | |
| - Fixed weekday in 4.8.4-2 changelog date | |
| Related: RHBZ#1784003 | |
| - adtrust: print DNS records for external DNS case after role is enabled | |
| Resolves: RHBZ#1665051 | |
| - AD user without override receive InternalServerError with API | |
| Resolves: RHBZ#1782572 | |
| - ipa-client-automount fails after repeated installation/uninstallation | |
| Resolves: RHBZ#1790886 | |
| - install/updates: move external members past schema compat update | |
| Resolves: RHBZ#1803165 | |
| - kdb: make sure audit_as_req callback signature change is preserved | |
| Resolves: RHBZ#1803786 | |
| - Fix otptoken_sync plugin | |
| Resolves: RHBZ#1777811 | |
| - Create systemd-user HBAC service and rule | |
| Resolves: RHBZ#1664974 | |
| - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned | |
| Resolves: RHBZ#1664023 | |
| - ipa-kdb: fix error handling of is_master_host() | |
| Resolves: RHBZ#2214638 | |
| - ipatests: enable firewall rule for http service on acme client | |
| Resolves: RHBZ#2230256 | |
| - User plugin: improve error related to non existing idp | |
| Resolves: RHBZ#2224572 | |
| - Prevent admin user from being deleted | |
| Resolves: RHBZ#1821181 | |
| - Fix memory leak in the OTP last token plugin | |
| Resolves: RHBZ#2227783 | |
| - Rebuild for broken deps in rawhide | |
| - Fix 389-ds-base strict dep to be 1.3.0.3 | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - harden the check for trust namespace overlap in new principals | |
| - Resolves: #1351142 CLI is not using session cookies for communication with | |
| IPA API | |
| - Fix session cookies | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - help: Add dnsserver commands to help topic 'dns' | |
| - Resolves: #1354406 host-del updatedns options complains about missing ptr | |
| record for host | |
| - Host-del: fix behavior of --updatedns and PTR records | |
| - Resolves: #1355718 ipa-replica-manage man page example output differs actual | |
| command output | |
| - Minor fix in ipa-replica-manage MAN page | |
| - Resolves: #1358229 Traceback message should be fixed, seen while editing | |
| winsync migrated user information in Default trust view. | |
| - baseldap: Fix MidairCollision instantiation during entry modification | |
| - Resolves: #1358849 CA replica install logs to wrong log file | |
| - unite log file name of ipa-ca-install | |
| - Resolves: #1359130 ipa-server-install command fails to install IPA server. | |
| - DNS Locations: fix update-system-records unpacking error | |
| - Resolves: #1359237 AVC on dirsrv config caused by IPA installer | |
| - Use copy when replacing files to keep SELinux context | |
| - Resolves: #1359692 ipa-client-install join fail with traceback against | |
| RHEL-6.8 ipa-server | |
| - compat: fix ping call | |
| - Resolves: #1359738 ipa-replica-install --domain= |
|
| does not work | |
| - replica-install: Fix --domain | |
| - Resolves: #1360778 Vault commands are available in CLI even when the server | |
| does not support them | |
| - Revert "Enable vault-* commands on client" | |
| - client: fix hiding of commands which lack server support | |
| - Related: #1281704 Rebase to softhsm 2.1.0 | |
| - Remove the workaround for softhsm bug #1293340 | |
| - Related: #1298288 [RFE] Improve performance in large environments. | |
| - Create indexes for krbCanonicalName attribute | |
| - Rebuild against samba4 beta8 | |
| - Require the Python interpreter directly instead of using the package name | |
| - Related: rhbz#1619153 | |
| - Require mod_nss-1.0.7-2 for mod_proxy fixes | |
| - Drop workaround for building on AArch64 (#1482244) | |
| - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) | |
| - ipa-kdb: Detect and block Bronze-Bit attacks | |
| Resolves: RHEL-9984 | |
| - Fix for CVE-2023-5455 | |
| Resolves: RHEL-12578 | |
| - Rebase to upstream release 4.9.10 | |
| Remove upstream patches 0002 to 0016 that are part of version 4.9.10 | |
| Remove patches 1101 that is part of version 4.9.10 | |
| Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases | |
| Add patches 0001 and 0002 to fix build on RHEL 8.7 | |
| Resolves: RHBZ#2079466 | |
| Resolves: RHBZ#2063155 | |
| Resolves: RHBZ#1958777 | |
| Resolves: RHBZ#2068088 | |
| Resolves: RHBZ#2004646 | |
| Resolves: RHBZ#782917 | |
| Resolves: RHBZ#2059396 | |
| Resolves: RHBZ#2092015 | |
| - webui: Allow grace login limit | |
| Resolves: RHBZ#2109243 | |
| - check_repl_update: in progress is a boolean | |
| Resolves: RHBZ#2117303 | |
| - Disabling gracelimit does not prevent LDAP binds | |
| Resolves: RHBZ#2109236 | |
| - Set passwordgracelimit to match global policy on group pw policies | |
| Resolves: RHBZ#2115475 | |
| - Add missing part of backported CVE-2024-3183 fix | |
| Resolves: RHEL-29927 | |
| - Update to upstream 3.3.0 Beta 2 (#991064) | |
| - Update to upstream GA release | |
| - Automatically apply updates when the package is upgraded | |
| - Moved directory install/static to install/ui | |
| - Upstream pre release FreeIPA 4.9.0rc2 | |
| Related: RHBZ#1891832 | |
| - Synchronize spec file with upstream and Fedora | |
| Related: RHBZ#1891832 | |
| - Traceback while doing ipa-backup | |
| Resolves: RHBZ#1901068 | |
| - ipa-client-install changes system wide ssh configuration | |
| Resolves: RHBZ#1544379 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - KRA Transport and Storage Certificates do not renew | |
| Resolves: RHBZ#1872603 | |
| - Move where the restore state is marked during IPA server upgrade | |
| Resolves: RHBZ#1569011 | |
| - Intermittent IdM Client Registration Failures | |
| Resolves: RHBZ#1812871 | |
| - Nightly test failure in test_acme.py::TestACME::test_third_party_certs | |
| (updates-testing) | |
| Resolves: RHBZ#1903025 | |
| - Add IPA RA Agent to ACME group on the CA | |
| Resolves: RHBZ#1902727 | |
| - 4.7.1 | |
| - Fixes: rhbz#1633105 - rebase to 4.7.1 | |
| - Remove the IPA DNA plugin, use the DS one | |
| - Conditionally restart also dirsrv and httpd when upgrading | |
| - Set krb5 DAL version to 7.0 (#1580711) | |
| - Rebuild aclocal and configure during build | |
| - Remove dependency on nss_ldap/nss-pam-ldapd | |
| - The official client is sssd and that's what we use by default. | |
| - Resolve user/group names in idoverride*-find | |
| Resolves: RHBZ#1657745 | |
| - PKI database is upgraded during replica installation (#1075118) | |
| - Server install failure during client enrollment shouldn't | |
| roll back (#1023086) | |
| - nsds5ReplicaStripAttrs are not set on agreements (#1023085) | |
| - ipa-server conflicts with mod_ssl (#1018172) | |
| - Updated to current upstream state of 3.0.0 beta 2 development | |
| - Pull upstream changelog 722 | |
| - Add Conflicts mod_ssl (435360) | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - httpinstance: make sure NSS database is backed up | |
| - Resolves: #1393726 Enumerate all available request type options in ipa | |
| cert-request help | |
| - Hide request_type doc string in cert-request help | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - spec file: bump libsss_nss_idmap-devel BuildRequires | |
| - server: make sure we test for sss_nss_getlistbycert | |
| - Resolves: #1437378 ipa-adtrust-install produced an error and failed on | |
| starting smb when hostname is not FQDN | |
| - adtrust: make sure that runtime hostname result is consistent with the | |
| configuration | |
| - Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous | |
| keytab | |
| - Always check and create anonymous principal during KDC install | |
| - Remove duplicate functionality in upgrade | |
| - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous | |
| principal for PKINIT | |
| - Upgrade: configure PKINIT after adding anonymous principal | |
| - Remove unused variable from failed anonymous PKINIT handling | |
| - Split out anonymous PKINIT test to a separate method | |
| - Ensure KDC is properly configured after upgrade | |
| - Resolves: #1437951 Remove pkinit-related options from server/replica-install | |
| on DL0 | |
| - Fix the order of cert-files check | |
| - Don't allow setting pkinit-related options on DL0 | |
| - replica-prepare man: remove pkinit option refs | |
| - Remove redundant option check for cert files | |
| - Resolves: #1438490 CA-less installation fails on publishing CA certificate | |
| - Get correct CA cert nickname in CA-less | |
| - Remove publish_ca_cert() method from NSSDatabase | |
| - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap | |
| - IPA-KDB: use relative path in ipa-certmap config snippet | |
| - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute | |
| - Allow erasing ipaDomainResolutionOrder attribute | |
| - Improve otptoken help messages (#919228) | |
| - Ensure users exist when assigning tokens to them (#919228) | |
| - Enable QR code display by default in otptoken-add (#919228) | |
| - Show warning instead of error if CA did not start (#1158410) | |
| - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) | |
| - Traceback when adding zone with long name (#1164859) | |
| - Backup & Restore mechanism (#951581) | |
| - ignoring user attributes in migrate-ds does not work if uppercase characters | |
| are returned by ldap (#1159816) | |
| - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) | |
| - Failure when installing on dual stacked system with external ca (#1128380) | |
| - ipa-server should keep backup of CS.cfg (#1059135) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - webui: use domain name instead of domain SID in idrange adder dialog | |
| (#891984) | |
| - webui: normalize idview tab labels (#891984) | |
| - Resolves: #1442233 IPA client commands fail when pointing to replica | |
| - httpinstance: wait until the service entry is replicated | |
| - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then | |
| not indexed | |
| - Fix index definition for ipaAnchorUUID | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Avoid possible endless recursion in RPC call | |
| - rpc: preparations for recursion fix | |
| - rpc: avoid possible recursion in create_connection | |
| - Resolves: #1446087 services entries missing krbCanonicalName attribute. | |
| - Changing cert-find to do not use only primary key to search in LDAP. | |
| - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers | |
| - ipa-kdb: reload certificate mapping rules periodically | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - kdc.key should not be visible to all | |
| - Resolves: #1435606 Add pkinit_indicator option to KDC configuration | |
| - ipa-kdb: add pkinit authentication indicator in case of a successful | |
| certauth | |
| - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate | |
| issuance when ipa-ca records are not resolvable | |
| - Turn off OCSP check | |
| - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - | |
| server_del - TypeError: 'NoneType' object is not iterable | |
| - fix incorrect suffix handling in topology checks | |
| - Upstream release FreeIPA 4.9.2 | |
| Related: RHBZ#1891832 | |
| - Remove ipa-server dependency from ipa-selinux subpackage | |
| - Related: RHBZ#1891832 | |
| - Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone | |
| - DNSSEC: fix forward zone forwarders checks | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - trusts: format Kerberos principal properly when fetching trust topology | |
| - Resolves: #1252334 User life cycle: missing ability to provision a stage user | |
| from a preserved user | |
| - Add user-stage command | |
| - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to | |
| start. | |
| - spec file: Add Requires(post) on selinux-policy | |
| - Resolves: #1254304 Changing vault encryption attributes | |
| - Change internal rsa_(public|private)_key variable names | |
| - Added support for changing vault encryption. | |
| - Resolves: #1256715 Executing user-del --preserve twice removes the user | |
| permanently | |
| - improve the usability of `ipa user-del --preserve` command | |
| - Prevent multilib failures in *.pyo and *.pyc files | |
| - Set minimum pki-ca and pki-silent versions to 9.0.0 | |
| - Update to upstream 3.3.0 (#991064) | |
| - Remove release from krb5-server in strict sub-package to allow for rebuilds. | |
| - Deletion of active subdomain range should not be allowed (#1075615) | |
| - ipa-kdb: Fix double free in ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - kra: set RSA-OAEP as default wrapping algo when FIPS is enabled | |
| Resolves: RHEL-12153 | |
| - Vault: improve vault server archival/retrieval calls error handling | |
| Resolves: RHEL-12153 | |
| - Vault: add support for RSA-OAEP wrapping algo | |
| Resolves: RHEL-12153 | |
| - Add missing entry for /var/cache/ipa/kpasswd (444624) | |
| - Added patch to fix permissions problems with the Apache NSS database. | |
| - Added patch to fix problem with DNS querying where the query could be | |
| returned as the answer. | |
| - Fix spec error where patch1 was in the wrong section | |
| - Resolves: #1339233 CA installed on replica is always marked as renewal master | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605241723GIT1b427d3 | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Resolves: #1378353 Replica install fails with old IPA master sometimes during | |
| replication process | |
| - spec file: bump minimal required version of 389-ds-base | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Fix missing file that fails DL1 replica installation | |
| - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade | |
| - WebUI: services without canonical name are shown correctly | |
| - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run | |
| - trustdomain-del: fix the way how subdomain is searched | |
| - Add a Requires for java-atk-wrapper until we can determine which package | |
| should be pulling it in, dogtag or tomcat. | |
| - Fix Requires for krb5-server that was missing for Fedora versions > 9 | |
| - Remove quotes around test for fedora version to package egg-info | |
| - Winsync agreement cannot be created (#1023085) | |
| - IPA extdom plugin fails when encountering large groups (#1193759) | |
| - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | |
| (#1202998) | |
| - CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() | |
| Resolves: RHBZ#1767304 | |
| - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch | |
| Resolves: RHBZ#1776939 | |
| - Display server name in ipa command's verbose mode (#1061703) | |
| - Remove sourcehostcategory from default HBAC rule (#1061187) | |
| - dnszone-add cannot add classless PTR zones (#1058688) | |
| - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) | |
| - Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files | |
| - Fix incorrect rebase of patch 1001 | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" | |
| - Resolves: #1341249 Subsequent external CA installation fails | |
| - install: fix external CA cert validation | |
| - Resolves: #1353831 ipa-server-install fails in container because of | |
| hostnamectl set-hostname | |
| - server-install: Fix --hostname option to always override api.env values | |
| - install: Call hostnamectl set-hostname only if --hostname option is used | |
| - Resolves: #1356091 ipa-cacert-manage --help and man differ | |
| - Improvements for the ipa-cacert-manage man and help | |
| - Resolves: #1360631 ipa-backup is not keeping the | |
| /etc/tmpfiles.d/dirsrv- | |
| - ipa-backup: backup /etc/tmpfiles.d/dirsrv- | |
| - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica | |
| file is needed | |
| - Update ipa-replica-install documentation | |
| - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does | |
| not rpm-require it | |
| - client: RPM require initscripts to get *-domainname.service | |
| - Resolves: #1364197 caacl: error when instantiating rules with service | |
| principals | |
| - caacl: fix regression in rule instantiation | |
| - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm | |
| - parameters: move the `confirm` kwarg to Param | |
| - Resolves: #1364464 Topology graph: ca and domain adders shows question marks | |
| instead of plus icon | |
| - Fix unicode characters in ca and domain adders | |
| - Resolves: #1365083 Incomplete output returned for command ipa vault-add | |
| - client: add missing output params to client-side commands | |
| - Resolves: #1365526 build fails during "make check" | |
| - ipa-kdb: Fix unit test after packaging changes in krb5 | |
| - Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is | |
| installed without CA | |
| - Set up DS TLS on replica in CA-less topology | |
| - Resolves: #1398600 IPA replica install fails with dirsrv errors. | |
| - Do not configure PKI ajp redirection to use "::1" | |
| - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for | |
| ca-del, ca-disable and ca-enable commands | |
| - ca: correctly authorise ca-del, ca-enable and ca-disable | |
| - Update SELinux policy to allow ipa_kpasswd to connect ldap and | |
| read /dev/urandom. (#759679) | |
| - Depend on krb5-kdb-version-devel for BuildRequires | |
| - Update nss dependency to 3.44.0-4 | |
| - Reset per-indicator Kerberos policy | |
| Resolves: RHBZ#1784761 | |
| - Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade | |
| - Fix CAInstance.import_ra_cert for empty passwords | |
| - Enforce uniqueness across krbprincipalname and krbcanonicalname | |
| ipa-kdb: enforce PAC presence on TGT for TGS-REQ | |
| ipatests: extend test for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - replica install failing with avc denial for custodia component | |
| Resolves: RHBZ#1857157 | |
| - Update to upstream 3.1.2 | |
| - CVE-2012-4546: Incorrect CRLs publishing | |
| - CVE-2012-5484: MITM Attack during Join process | |
| - CVE-2013-0199: Cross-Realm Trust key leak | |
| - Updated strict dependencies to 389-ds-base = 1.3.0.2 and | |
| pki-ca = 10.0.1 | |
| - Resolves: #1254689 Storing big file as a secret in vault raises traceback | |
| - vault: Limit size of data stored in vault | |
| - Resolves: #1255880 ipactl status should distinguish between different | |
| pki-tomcat services | |
| - ipactl: Do not start/stop/restart single service multiple times | |
| - ipatests: fix test_topology | |
| Resolves: RHBZ#2232351 | |
| - Installer: activate nss and pam services in sssd.conf | |
| Resolves: RHBZ#2216532 | |
| - Add ipa-idrange-fix | |
| Resolves: RHEL-56920 | |
| - Unconditionally add MS-PAC to global config on update | |
| Resolves: RHEL-49437 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - Require python-qrcode version 5.3 or later | |
| Related: RHEL-15090 | |
| - CAless installation: set the perms on KDC cert file | |
| Resolves: RHBZ#1863616 | |
| - EPN: handle empty attributes | |
| Resolves: RHBZ#1866938 | |
| - IPA-EPN: enhance input validation | |
| Resolves: RHBZ#1866291 | |
| - EPN: enhance input validation | |
| Resolves: RHBZ#1863079 | |
| - Require new samba build 4.12.3-52 | |
| Related: RHBZ#1868558 | |
| - Require new selinux-policy build 3.14.3-52 | |
| Related: RHBZ#1869311 | |
| - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible | |
| (#1169591) | |
| - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) | |
| (#1172578) | |
| - Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads | |
| - New upstream release 4.8.0 | |
| - New subpackage: freeipa-client-samba | |
| - Added command ipa-cert-fix with man page | |
| - New sysconfdir sysconfig/certmonger | |
| - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version | |
| Related: RHBZ#1684528 | |
| - remove ipa-fix-CVE-2008-3274 | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - spec file: bump krb5 Requires for certauth fixes | |
| - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option | |
| is used | |
| - separate function to set ipaConfigString values on service entry | |
| - Allow for configuration of all three PKINIT variants when deploying KDC | |
| - API for retrieval of master's PKINIT status and publishing it in LDAP | |
| - Use only anonymous PKINIT to fetch armor ccache | |
| - Stop requesting anonymous keytab and purge all references of it | |
| - Use local anchor when armoring password requests | |
| - Upgrade: configure local/full PKINIT depending on the master status | |
| - Do not test anonymous PKINIT after install/upgrade | |
| - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. | |
| update_tdo_gidnumber: ERROR Default SMB Group not found | |
| - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is | |
| installed | |
| - Resolves: #1442932 ipa restore fails to restore IPA user | |
| - restore: restart/reload gssproxy after restore | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - Fix CA/server cert validation in FIPS | |
| - Resolves: #1444947 Deadlock between topology and schema-compat plugins | |
| - compat-manage: behave the same for all users | |
| - Move the compat plugin setup at the end of install | |
| - compat: ignore cn=topology,cn=ipa,cn=etc subtree | |
| - Resolves: #1445358 ipa vault-add raises TypeError | |
| - vault: piped input for ipa vault-add fails | |
| - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault | |
| - Vault: Explicitly default to 3DES CBC | |
| - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning | |
| - automount install: fix checking of SSSD functionality on uninstall | |
| - Resolves: #1446137 pki_client_database_password is shown in | |
| ipaserver-install.log | |
| - Hide PKI Client database password in log file | |
| - Resolves: #1131907 [ipa-client-install] cannot write certificate file | |
| '/etc/ipa/ca.crt.new': must be string or buffer, not None | |
| - Resolves: #1195775 unsaved changes dialog internally inconsistent | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Stageuser-activate: show username instead of DN | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prevent to rename certprofile profile id | |
| - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error | |
| - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files | |
| - copy-schema-to-ca: allow to overwrite schema files | |
| - Resolves: #1241941 kdc component installation of IPA failed | |
| - spec file: Update minimum required version of krb5 | |
| - Resolves: #1242036 Replica install fails to update DNS records | |
| - Fix DNS records installation for replicas | |
| - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy | |
| - Start dirsrv for kdcproxy upgrade | |
| - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT | |
| Resolves: RHBZ#1741530 | |
| - Fix ipa-pwd-extop global configuration caching (#1187342) | |
| - group-detach does not add correct objectclasses (#1187540) | |
| - Add sssd and certmonger as a Requires on ipa-client | |
| - DNS install check: Fix overlapping DNS zone from the master itself | |
| Resolves: RHBZ#1784003 | |
| - Add OTP patches | |
| - Add patch to set KRB5CCNAME for 389-ds-base | |
| - Update to upstream 2.1.4 (CVE-2011-3636) | |
| - Refactor ipatests for unique krbcanonicalname | |
| Resolves: RHEL-110061 | |
| - Require certmonger 0.79.7-1 | |
| Related: RHBZ#1708095 | |
| - Fix wrong path in packaging freeipa-systemd-upgrade | |
| - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL | |
| internal error, assertion failed: Digest MD4 forbidden in FIPS mode! | |
| - ipa-sam: replace encode_nt_key() with E_md4hash() | |
| - ipa_pwd_extop: do not generate NT hashes in FIPS mode | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Fix local IP address validation | |
| - ipa-dns-install: remove check for local ip address | |
| - refactor CheckedIPAddress class | |
| - CheckedIPAddress: remove match_local param | |
| - Remove ip_netmask from option parser | |
| - replica install: add missing check for non-local IP address | |
| - Remove network and broadcast address warnings | |
| - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. | |
| - Add Requires on krb5-pkinit-openssl | |
| - Introduce upgrade script to recover existing configuration after systemd migration | |
| as user has no means to recover FreeIPA from systemd migration | |
| - Upgrade script: | |
| - recovers symlinks in Dogtag instance install | |
| - recovers systemd configuration for FreeIPA's directory server instances | |
| - recovers freeipa.service | |
| - migrates directory server and KDC configs to use proper keytabs for systemd services | |
| - Add call to /usr/sbin/upgradeconfig to post install | |
| - Handle NFS configuration file changes. nfs-utils moved the | |
| configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. | |
| Resolves: RHBZ#1676981 | |
| - IPA server in debug mode fails to run because time.perf_counter_ns is | |
| Python 3.7+ | |
| Resolves: RHBZ#1974822 | |
| - Add checks to prevent assigning authentication indicators to internal IPA | |
| services | |
| Resolves: RHBZ#1979625 | |
| - Unable to set ipaUserAuthType with stageuser-add | |
| Resolves: RHBZ#1979605 | |
| - Upstream release FreeIPA 4.9.3 | |
| Resolves: RHBZ#1945038 | |
| - Update minimum selinux-policy to 3.9.16-18 | |
| - Update minimum pki-ca and pki-selinux to 9.0.7 | |
| - Update minimum 389-ds-base to 1.2.8.0-1 | |
| - Update to upstream 2.0.1 | |
| - Rebase to upstream release 4.8.4 | |
| - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 | |
| Resolves: RHBZ#1782658 | |
| Resolves: RHBZ#1782169 | |
| Resolves: RHBZ#1783046 | |
| Related: RHBZ#1748987 | |
| - Revert DNSResolver Fix use of nameservers with ports. | |
| Related: RHBZ#2141316 | |
| - package the sessions dir /var/cache/ipa/sessions | |
| - Pull upstream changelog 597 | |
| - Trust add tries to add same value of --base-id for sub domain, | |
| causing an error (#1033068) | |
| - Improved error reporting for adding trust case (#1029856) | |
| - ipatests: Backport test fixes in python3-ipatests. | |
| Resolves: RHBZ#2057505 | |
| - Expand the token auth/sync windows (#919228) | |
| - Access is not rejected for disabled domain (#1172598) | |
| - krb5kdc crash in ldap_pvt_search (#1170695) | |
| - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) | |
| - ipa-client-automount fails with incompatibility error when installed against | |
| older IPA server (#1083108) | |
| - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens | |
| - Fix an integer underflow bug in libotp | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - install: always export KRA agent PEM file | |
| - vault: select a server with KRA for vault operations | |
| - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files | |
| - do not overwrite files with local users/groups when restoring authconfig | |
| - Renamed patch 1011 to 0138, as it was merged upstream | |
| - Resolve: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - server certinstall: update KDC master entry | |
| - pkinit manage: introduce ipa-pkinit-manage | |
| - server upgrade: do not enable PKINIT by default | |
| - Extend the advice printing code by some useful abstractions | |
| - Prepare advise plugin for smart card auth configuration | |
| - Resolve: #1461053 allow to modify list of UPNs of a trusted forest | |
| - trust-mod: allow modifying list of UPNs of a trusted forest | |
| - WebUI: add support for changing trust UPN suffixes | |
| - Update to upstream 4.1.0 Alpha 1 (#1109726) | |
| - Updated to upstream 3.0.0 rc 2 | |
| - Include new FF configuration extension | |
| - Set minimum Requires of selinux-policy to 3.11.1-33 | |
| - Set minimum Requires dogtag to 10.0.0-0.43.b1 | |
| - Add new optional strict sub-package to allow users to limit other | |
| package upgrades. | |
| - Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica | |
| with cert errors (untrusted) | |
| - added ssl verification using IPA trust anchor | |
| - Resolves: #1428472 batch param compatibility is incorrect | |
| - compat: fix `Any` params in `batch` and `dnsrecord` | |
| - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream | |
| - Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of | |
| errors.NotFound | |
| - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode | |
| - Move fips_enabled to a common library to share across different plugins | |
| - ipasam: do not use RC4 in FIPS mode | |
| - Resolves: #1298288 [RFE] Improve performance in large environments. | |
| - cert: speed up cert-find | |
| - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card | |
| authentication | |
| - service: add flag to allow S4U2Self | |
| - Add 'trusted to auth as user' checkbox | |
| - Added new authentication method | |
| - Resolves: #1353881 ipa-replica-install suggests about | |
| non-existent --force-ntpd option | |
| - Don't show --force-ntpd option in replica install | |
| - Resolves: #1354441 DNS forwarder check is too strict: unable to add | |
| sub-domain to already-broken domain | |
| - DNS: allow to add forward zone to already broken sub-domain | |
| - Resolves: #1356146 performance regression in CLI help | |
| - schema: Speed up schema cache | |
| - frontend: Change doc, summary, topic and NO_CLI to class properties | |
| - schema: Introduce schema cache format | |
| - schema: Generate bits for help load them on request | |
| - help: Do not create instances to get information about commands and topics | |
| - schema cache: Do not reset ServerInfo dirty flag | |
| - schema cache: Do not read fingerprint and format from cache | |
| - Access data for help separately | |
| - frontend: Add summary class property to CommandOverride | |
| - schema cache: Read server info only once | |
| - schema cache: Store API schema cache in memory | |
| - client: Do not create instance just to check isinstance | |
| - schema cache: Read schema instead of rewriting it when SchemaUpToDate | |
| - Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file | |
| - server install: do not prompt for cert file PIN repeatedly | |
| - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create | |
| cache directory: [Errno 13] Permission denied: '/home/test_user' | |
| - schema: Speed up schema cache | |
| - Resolves: #1366604 `cert-find` crashes on invalid certificate data | |
| - cert: do not crash on invalid data in cert-find | |
| - Resolves: #1366612 Middle replica uninstallation in line topology works | |
| without '--ignore-topology-disconnect' | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1366626 caacl-add-service: incorrect error message when service | |
| does not exists | |
| - Fix ipa-caalc-add-service error message | |
| - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 | |
| does not happen to run during dnf upgrade | |
| - DNS server upgrade: do not fail when DNS server did not respond | |
| - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server | |
| with CA | |
| - Add warning about only one existing CA server | |
| - Set servers list as default facet in topology facet group | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema check: Check current client language against cached one | |
| - Lockout plugin crashed during ipa-server-install (#912725) | |
| - Fallback to global policy in ipa lockout plugin (#912725) | |
| - Migration does not add users to default group (#903232) | |
| - hbactest does not work for external users (#848531) | |
| - Resolves: #1296140 Remove redhat-access-plugin-ipa support | |
| - Obsolete and conflict redhat-access-plugin-ipa | |
| - Resolves: #1351119 Multiple issues while uninstalling ipa-server | |
| - server uninstall fails to remove krb principals | |
| - Resolves: #1351758 ipa commands not showing expected error messages | |
| - frontend: copy command arguments to output params on client | |
| - Show full error message for selinuxusermap-add-hostgroup | |
| - Resolves: #1352883 Traceback on adding default automember group and hostgroup | |
| set | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1353888 Fix the help for ipa otp and other topics | |
| - schema: Fix subtopic -> topic mapping | |
| - Resolves: #1354348 ipa trustconfig-show throws internal error. | |
| - allow 'value' output param in commands without primary key | |
| - Resolves: #1354381 ipa trust-add with raw option gives internal error. | |
| - trust-add: handle `--all/--raw` options properly | |
| - Resolves: #1354493 Replica install fails with old IPA master | |
| - DNS install: Ensure that DNS servers container exists | |
| - Resolves: #1354628 ipa hostgroup-add-member does not return error message | |
| when adding itself as member | |
| - frontend: copy command arguments to output params on client | |
| - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error | |
| - messages: specify message type for ResultFormattingError | |
| - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter | |
| secret key | |
| - expose `--secret` option in radiusproxy-* commands | |
| - prevent search for RADIUS proxy servers by secret | |
| - Resolves: #1356099 Bug in the ipapwd plugin | |
| - Heap corruption in ipapwd plugin | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper | |
| - Resolves: #1356964 Renaming a user removes all of his principal aliases | |
| - Preserve user principal aliases during rename operation | |
| - Add bash completion script and own /etc/bash_completion.d in case it | |
| doesn't already exist | |
| - Update to upstream version 1.1.0 | |
| - Patch for indexing memberof attribute | |
| - Patch for indexing uidnumber and gidnumber | |
| - Patch to change DNA default values for replicas | |
| - Patch to fix uninitialized variable in ipa-getkeytab | |
| - Improve server affinity for CA-less deployments | |
| Resolves: RHEL-22283 | |
| - host: update system: Manage Host Keytab permission | |
| Resolves: RHEL-22286 | |
| - adtrustinstance: make sure NetBIOS name defaults are set properly | |
| Resolves: RHEL-21938 | |
| - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off | |
| Resolves: RHEL-19672 | |
| - webui IdP: Remove arrow notation due to uglify-js limitation | |
| Related: RHBZ#2141316 | |
| - Fixed share/ipa/wsgi.py so .pyc, .pyo files are included | |
| - Set minimum version of sssd to 1.5.1 | |
| - Update to upstream freeipa-2.0.0.rc1 | |
| - Move server-only binaries from admintools subpackage to server | |
| - Upstream release FreeIPA 4.9.8 | |
| Related: RHBZ#2015607 | |
| - Hardening for CVE-2020-25717 | |
| - Set minimum version of certmonger to 0.26 (to pick up #621670) | |
| - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) | |
| - Set minimum version of pki-ca to 1.3.6 | |
| - Set minimum version of sssd to 1.2.1 | |
| - Re-arrange doc and defattr to clean up rpmlint warnings | |
| - Remove conditionals on older releases | |
| - Move some man pages into admintools subpackage | |
| - Remove some explicit Requires in client that aren't needed | |
| - Consistent use of buildroot vs RPM_BUILD_ROOT | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - vault: fix private service vault creation | |
| - Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA | |
| WebUI is slow to display user details page | |
| - cert: defer cert-find result post-processing | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - server-install: No double Kerberos install | |
| - Resolves: #1437502 ipa-replica-install fails with requirement to | |
| use --force-join that is a client install option. | |
| - Add the force-join option to replica install | |
| - replicainstall: better client install exception handling | |
| - Resolves: #1437953 Server CA-less impossible option check | |
| - server-install: remove broken no-pkinit check | |
| - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies | |
| - Add debug log in case cookie retrieval went wrong | |
| - Resolves: #1441548 ipa server install fails with --external-ca option | |
| - ext. CA: correctly write the cert chain | |
| - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance | |
| spawn | |
| - Fix CA-less to CA-full upgrade | |
| - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and | |
| libsss_nss_idmap to every binary in IPA | |
| - configure: fix AC_CHECK_LIB usage | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Fix RA cert import during DL0 replication | |
| - Related: #1442004 Building IdM/FreeIPA internally on all architectures - | |
| filtering unsupported packages | |
| - Build all subpackages on all architectures | |
| - ipa-server-install fails if --subject parameter is other than default | |
| realm (#983075) | |
| - do not allow configuring bind-dyndb-ldap without persistent search (#967876) | |
| - Set the N-V-R so rc1 is an update to beta2. | |
| - ipa-kdb: Rework ipadb_reinit_mspac() | |
| Resolves: RHEL-25742 | |
| - ipatests: wait for replica update in test_dns_locations | |
| Resolves: RHEL-22373 | |
| - ipatests: fix tasks.wait_for_replication() method | |
| Resolves: RHEL-25708 | |
| - Upgrade: fix replica agreement, fix backported patch | |
| Related: RHBZ#2216551 | |
| - Temporarily move ipa-backup and ipa-restore functionality | |
| back to make them available in public Beta (#1003933) | |
| - Update to upstream 2.1.0 | |
| - ipa man page format the EXAMPLES section | |
| Resolves: RHBZ#2129895 | |
| - Fix canonicalization issue in Web UI | |
| Resolves: RHBZ#2127035 | |
| - Remove idnssoaserial argument from dns zone API. | |
| Resolves: RHBZ#2108630 | |
| - Warn for permissions with read/write/search/compare and no attrs | |
| Resolves: RHBZ#2098187 | |
| - Add PKINIT support to ipa-client-install | |
| Resolves: RHBZ#2075452 | |
| - Generate CNAMEs for TXT+URI location krb records | |
| Resolves: RHBZ#2104185 | |
| - Vault: fix interoperability issues with older RHEL systems | |
| Resolves: RHBZ#2144737 | |
| - Fix typo on ipaupgrade.log chmod during RPM %post snippet | |
| Resolves: RHBZ#2140994 | |
| - Pull upstream changelog 641 | |
| - Require minimum version of krb5-server on F-7 and F-8 | |
| - Package some new files | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab | |
| Resolves: RHBZ#1757045 | |
| - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in | |
| freeipa-client-epn | |
| Resolves: RHBZ#1847999 | |
| - FreeIPA - Utilize 256-bit AJP connector passwords | |
| Resolves: RHBZ#1849914 | |
| - ipa: typo issue in ipanthomedirectoryrive definition | |
| Resolves: RHBZ#1851411 | |
| - Upstream release FreeIPA 4.9.1 | |
| Related: RHBZ#1891832 | |
| - Fix automount behavior with authselect | |
| Resolves: RHBZ#1740167 | |
| - SELinux Policy: let custodia replicate keys | |
| Resolves: RHBZ#1868432 | |
| - Missing objectclasses when empty password passed to host-add (#1052979) | |
| - sudoOrder missing in sudoers (#1052983) | |
| - Missing examples in sudorule help (#1049464) | |
| - Client automount does not uninstall when fstore is empty (#910899) | |
| - Error not clear for invalid realm given to trust-fetch-domains (#1052981) | |
| - trust-fetch-domains does not add idrange for subdomains found (#1049926) | |
| - Add option to show if an AD subdomain is enabled/disabled (#1052973) | |
| - ipa-adtrust-install still failed with long NetBIOS names (#1030517) | |
| - Error not clear for invalid realm given to trustdomain-find (#1049455) | |
| - renewed client cert not recognized during IPA CA renewal (#1033273) | |
| - Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) | |
| - Fix S4U2Self regression for cross-realm requester SID buffer | |
| - Related: RHBZ#2021443 | |
| - Add missing ipa-selinux package | |
| Resolves: RHBZ#1853263 | |
| - Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future | |
| PKI versions (#1080865) | |
| - Rebuild against samba4 beta7 | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Rebase to upstream release 4.8.2 | |
| - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 | |
| - Updated branding patch | |
| Resolves: RHBZ#1748987 | |
| - Version bump for release | |
| - ipa-csreplica-manage connect fails (#1157735) | |
| - error message which is not understandable when IDNA2003 characters are | |
| present in --zonemgr (#1163849) | |
| - Fix warning message should not contain CLI commands (#1114013) | |
| - Renewing the CA signing certificate does not extend its validity period end | |
| (#1163498) | |
| - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for | |
| httpd (#1159330) | |
| - Hardening for CVE-2020-25717 | |
| - Rebuild against samba-4.14.5-11.el8 | |
| - Resolves: RHBZ#2021443 | |
| - Fix upgrade issue with AD trust when no trust yet established | |
| Fixes: RHBZ#1708874 | |
| Related: RHBZ#1684528 | |
| - Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching forpublic key for | |
| host | |
| - Make sure remote hosts have our keys | |
| - Resolves: #1442815 Replica install fails during migration from older IPA | |
| master | |
| - Refresh Dogtag RestClient.ca_host property | |
| - Remove the cachedproperty class | |
| - Resolves: #1444787 Update warning message when KRA installation fails | |
| - kra install: update installation failure message | |
| - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode | |
| - ipa-server-install with external CA: fix pkinit cert issuance | |
| - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() | |
| must use FreeIPA CA | |
| - kerberos session: use CA cert with full cert chain for obtaining cookie | |
| - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors | |
| definition | |
| - ipa-client-install: remove extra space in pkinit_anchors definition | |
| - Resolves: #1447703 Fix SELinux context of http.keytab during upgrade | |
| - Use proper SELinux context with http.keytab | |
| - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in | |
| buildroot | |
| - Resolves: #1470177 - Rebase IPA to latest 4.5.x version | |
| - Resolves: #1398594 ipa topologysuffix-verify should only warn about | |
| maximum number of replication agreements. | |
| - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" | |
| to "Host-Based" and "Role-Based" | |
| - Resolves: #1409786 Second phase of --external-ca ipa-server-install | |
| setup fails when dirsrv is not running | |
| - Resolves: #1451576 ipa cert-request failed to generate certificate from csr | |
| - Resolves: #1452086 Pagination Size under Customization in IPA WebUI | |
| accepts negative values | |
| - Resolves: #1458169 --force-join option is not mentioned in | |
| ipa-replica-install man page | |
| - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case | |
| - Resolves: #1478322 user-show command fails when sizelimit is configured | |
| to number <= number of entity which is user member of | |
| - Resolves: #1496775 Enterprise principals should be able to trigger | |
| a refresh of the trusted domain data in the KDC | |
| - Resolves: #1502533 Changing cert-find to go through the proxy | |
| instead of using the port 8080 | |
| - Resolves: #1502663 pkinit-status command fails after an upgrade from | |
| a pre-4.5 IPA | |
| - Resolves: #1498168 Error when trying to modify a PTR record | |
| - Resolves: #1457876 ipa-backup fails silently | |
| - Resolves: #1493531 In case full PKINIT configuration is failing during | |
| server/replica install the error message should be more meaningful. | |
| - Resolves: #1449985 Suggest CA installation command in KRA installation | |
| warning | |
| - Use NSS protocol range API to set available TLS protocols (#1156466) | |
| - Removed python-asset based webui | |
| - Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin | |
| - man page: update ipa-server-upgrade.1 | |
| Resolves: RHBZ#1973273 | |
| - Fall back to krbprincipalname when validating host auth indicators | |
| Resolves: RHBZ#1979625 | |
| - Add dependency for sssd-winbind-idmap to server-trust-ad | |
| Resolves: RHBZ#1982211 | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix regression introduced in ipa-certupdate | |
| - Mass rebuild 2013-12-27 | |
| - Pull upstream changelog 698 | |
| - Fix ownership of /var/log/ipa_error.log during install (435119) | |
| - Add pwpolicy command and man page | |
| - Resolves: #846033 [RFE] Documentation for JSONRPC IPA API | |
| - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP | |
| client | |
| - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to | |
| users in IdM | |
| - Resolves: #1115294 [RFE] Add support for DNSSEC | |
| - Resolves: #1145748 [RFE] IPA running with One Way Trust | |
| - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Resolves: #1200728 [RFE] Replicate PKI Profile information | |
| - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts | |
| - Resolves: #1204054 SSSD database is not cleared between installs and | |
| uninstalls of ipa | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality | |
| - Resolves: #1204504 [RFE] Add access control so hosts can create their own | |
| services | |
| - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default | |
| - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default | |
| - Resolves: #1209476 package ipa-client does not require package dbus-python | |
| - Resolves: #1211589 [RFE] Add option to skip the verify_client_version | |
| - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) | |
| - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone | |
| - Resolves: #1217010 OTP Manager field is not exposed in the UI | |
| - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp | |
| 00007fffd68b2340 error 6 in libc-2.17.so | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Update to upstream 4.2.0 | |
| - Move /etc/ipa/kdcproxy to the server subpackage | |
| - Fix NetBIOS name generation in CLDAP plugin (#1030517) | |
| - FreeIPA 4.8.0 tarball lacks two update files that are in git | |
| Resolves: RHBZ#1741170 | |
| - Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not | |
| tracked | |
| - cert renewal: Include KRA users in Dogtag LDAP update | |
| - cert renewal: Automatically update KRA agent PEM file | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: remove 'rename' option | |
| - Resolves: #1257968 kinit stop working after ipa-restore | |
| - Backup: back up the hosts file | |
| - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings | |
| - DNSSEC: remove "DNSSEC is experimental" warnings | |
| - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts | |
| - Installer: do not modify /etc/hosts before user agreement | |
| - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 | |
| zone | |
| - DNSSEC: backup and restore opendnssec zone list file | |
| - DNSSEC: remove ccache and keytab of ipa-ods-exporter | |
| - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart | |
| - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction | |
| - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC | |
| key master | |
| - DNSSEC: Fix key metadata export | |
| - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. | |
| - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install | |
| - Using LDAPI to setup CA and KRA agents. | |
| - Resolves: #1259848 server closes connection and refuses commands after | |
| deleting user that is still logged in | |
| - ldap: Make ldap2 connection management thread-safe again | |
| - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute | |
| 'ra_certprofile' while ipa-ca-install | |
| - load RA backend plugins during standalone CA install on CA-less IPA master | |
| - Update to upstream version 1.0.0 | |
| - Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while | |
| setting password for default sudo binddn. | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name | |
| - Resolves: #825391 [RFE] Replica installation should provide a means for | |
| inheriting nssldap security access settings | |
| - Resolves: #921497 Incorrect *.py[co] files placement | |
| - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support | |
| - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas | |
| - Resolves: #1196958 IPA replica installation failing with high number of users | |
| (160000). | |
| - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to | |
| uninstall a replica | |
| - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on | |
| Authentication Indicator | |
| - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos | |
| principal expiration" | |
| - Resolves: #1234223 [WebUI] General invalid password error message appearing | |
| for "Locked user" | |
| - Resolves: #1254267 ipa-server-install failure applying ldap updates with | |
| limits exceeded | |
| - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when | |
| domain already is in forwardzone. | |
| - Resolves: #1259020 ipa-server-adtrust-install doesn't allow | |
| NetBIOS-name=EXAMPLE-TEST.COM (dash character) | |
| - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error | |
| message when DNSSEC master not installed | |
| - Resolves: #1262747 dnssec options missing in ipa-dns-install man page | |
| - Resolves: #1265900 Fail installation immediately after dirsrv fails to | |
| install using ipa-server-install | |
| - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not | |
| resolvable anymore | |
| - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - | |
| LimitsExceeded: limits exceeded for this query | |
| - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit | |
| - Resolves: #1269200 ipa-server crashing while trying to preserve admin user | |
| - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults | |
| - Resolves: #1271579 Automember rule expressions disappear from tables on | |
| single expression delete | |
| - Resolves: #1275816 Incomplete ports for IPA ad-trust | |
| - Resolves: #1276351 [RFE] Remove | |
| /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases | |
| - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in | |
| the IPA UI | |
| - Resolves: #1278426 Better error message needed for invalid ca-signing-algo | |
| option | |
| - Resolves: #1279932 ipa-client-install --request-cert needs workaround in | |
| anaconda chroot | |
| - Resolves: #1282521 Creating a user w/o private group fails when doing so in | |
| WebUI | |
| - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced | |
| by "IPA is not configured on this system" | |
| - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert | |
| file | |
| - Resolves: #1287194 [RFE] Support of UPN for trusted domains | |
| - Resolves: #1288967 Normalize Manager entry in ipa user-add | |
| - Resolves: #1289487 Priority field missing in Password Policy detail tab | |
| - Resolves: #1291140 ipa client should configure kpasswd_server directive in | |
| krb5.conf | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0.alpha1 | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1300576 Browser setup page includes instructions for Internet | |
| Explorer | |
| - Resolves: #1301586 ipa host-del --updatedns should remove related dns | |
| entries. | |
| - Resolves: #1304618 Residual Files After IPA Server Uninstall | |
| - Resolves: #1305144 ipa-python does not require its dependencies | |
| - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 | |
| - Resolves: #1313798 Console output post ipa-winsync-migrate command should be | |
| corrected. | |
| - Resolves: #1314786 [RFE] External Trust with Active Directory domain | |
| - Resolves: #1319023 Include description for 'status' option in man page for | |
| ipactl command. | |
| - Resolves: #1319912 ipa-server-install does not completely change hostname and | |
| named-pkcs11 fails | |
| - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': | |
| Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when | |
| it is executed on server already installed with KRA. | |
| - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' | |
| to 'rpcbind' | |
| - Resolves: #1329275 ipa-nis-manage command should include status option | |
| - Resolves: #1330843 'man ipa' should be updated with latest commands | |
| - Resolves: #1333755 ipa cert-request causes internal server error while | |
| requesting certificate | |
| - Resolves: #1337484 EOF is not handled for ipa-client-install command | |
| - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the | |
| members of the role which has "User Administrators" privilege. | |
| - Resolves: #1343142 IPA DNS should do better verification of DNS zones | |
| - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in | |
| browser | |
| - Require samba 4.14.5-13 with IPA DC server role fixes | |
| - Related: RHBZ#2021443 | |
| - Require python-wehjit >= 0.2.2 | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Require correct custodia version | |
| - Upstream final release FreeIPA 4.9.0 | |
| Related: RHBZ#1891832 | |
| - Preserve user: fix the confusing summary | |
| Resolves: RHBZ#2022028 | |
| - Only calculate LDAP password grace when the password is expired | |
| Related: RHBZ#782917 | |
| - Update dependencies for samba, 389-ds and sssd | |
| Resolves: RHBZ#1792848 | |
| - Do not fetch a principal two times, remove potential memory leak (#1070924) | |
| - Set min version of 389-ds-base to 1.2.8 | |
| - Set min version of mod_nss 1.0.8-10 | |
| - Set min version of selinux-policy to 3.9.7-27 | |
| - Add dogtag themes to Requires | |
| - Update to upstream freeipa-2.0.0.pre2 | |
| - Resolves: #1355753 adding two way non transitive(external) trust displays | |
| internal error on the console | |
| - Always fetch forest info from root DCs when establishing two-way trust | |
| - factor out `populate_remote_domain` method into module-level function | |
| - Always fetch forest info from root DCs when establishing one-way trust | |
| - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger | |
| after `ipa-replica-install` | |
| - Track lightweight CAs on replica installation | |
| - Resolves: #1357488 ipa command stuck forever on higher versioned client with | |
| lower versioned server | |
| - compat: Save server's API version in for pre-schema servers | |
| - compat: Fix ping command call | |
| - schema cache: Store and check info for pre-schema servers | |
| - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag | |
| - Fix man page ipa-replica-manage: remove duplicate -c option | |
| from --no-lookup | |
| - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA | |
| when revoking certificate | |
| - cert: include CA name in cert command output | |
| - WebUI add support for sub-CAs while revoking certificates | |
| - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI | |
| - Add support for additional options taken from table facet | |
| - WebUI: Fix showing certificates issued by sub-CA | |
| - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts | |
| interactively | |
| - dns: normalize record type read interactively in dnsrecord_add | |
| - dns: prompt for missing record parts in CLI | |
| - dns: fix crash in interactive mode against old servers | |
| - Resolves: #1370519 Certificate revocation in service-del and host-del isn't | |
| aware of Sub CAs | |
| - cert: fix cert-find --certificate when the cert is not in LDAP | |
| - Make host/service cert revocation aware of lightweight CAs | |
| - Resolves: #1371901 Use OAEP padding with custodia | |
| - Use RSA-OAEP instead of RSA PKCS#1 v1.5 | |
| - Resolves: #1371915 When establishing external two-way trust, forest root | |
| Administrator account is used to fetch domain info | |
| - do not use trusted forest name to construct domain admin principal | |
| - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in | |
| certificate request | |
| - Fix CA ACL Check on SubjectAltNames | |
| - Resolves: #1373272 CLI always sends default command version | |
| - cli: use full name when executing a command | |
| - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" | |
| - Fix ipa-certupdate for CA-less installation | |
| - Resolves: #1373540 client-install with IPv6 address fails on link-local | |
| address (always) | |
| - Fix parse errors with link-local addresses | |
| - Resolves: #1398670 Check IdM Topology for broken record caused by replication | |
| conflict before upgrading it | |
| - Check for conflict entries before raising domain level | |
| - Updated to upstream 3.0.0 beta 1 | |
| - Rebase ipa to 4.9.11 | |
| Resolves: RHBZ#2141316 | |
| - updates: fix memberManager ACI to allow managers from a specified group | |
| Resolves: RHBZ#2056009 | |
| - Defer creating the final krb5.conf on clients | |
| Resolves: RHBZ#2148259 | |
| - Exclude installed policy module file from RPM verification | |
| Resolves: RHBZ#2149567 | |
| - Spec file: ipa-client depends on krb5-pkinit-openssl | |
| Resolves: RHBZ#2149889 | |
| - Use default ssh host key algorithms | |
| Resolves: RHBZ#1756432 | |
| - Do not run trust upgrade code if master lacks Samba bindings | |
| Resolves: RHBZ#1757064 | |
| - Finish group membership management UI | |
| Resolves: RHBZ#1773528 | |
| - Require 389-ds-base-legacy-tools for setup tools | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - ipa-kdb: search for password policies globally | |
| - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream | |
| - Resolves: #1455946 Provide a tooling automating the configuration | |
| of Smart Card authentication on a FreeIPA master | |
| - smart-card advises: configure systemwide NSS DB also on master | |
| - smart-card advises: add steps to store smart card signing CA cert | |
| - Allow to pass in multiple CA cert paths to the smart card advises | |
| - add a class that tracks the indentation in the generated advises | |
| - delegate the indentation handling in advises to dedicated class | |
| - advise: add an infrastructure for formatting Bash compound statements | |
| - delegate formatting of compound Bash statements to dedicated classes | |
| - Fix indentation of statements in Smart card advises | |
| - Use the compound statement formatting API for configuring PKINIT | |
| - smart card advises: use a wrapper around Bash `for` loops | |
| - smart card advise: use password when changing trust flags on HTTP cert | |
| - smart-card-advises: ensure that krb5-pkinit is installed on client | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Add CommonNameToSANDefault to default cert profile | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s | |
| during search in cn=ad,cn=trusts,dc=example,dc=com | |
| - NULL LDAP context in call to ldap_search_ext_s during search | |
| - Prepare spec file for release | |
| - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 | |
| - Force to use 389-ds 1.2.10-0.8.a7 or above | |
| - Improve upgrade script to handle systemd 389-ds change | |
| - Fix freeipa to work with python-ldap 2.4.6 | |
| - Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas | |
| - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD | |
| - Related: #1356134 'kinit -E' does not work for IPA user | |
| - Support krb5 1.18 | |
| Resolves: RHBZ#1817579 | |
| - kdb: keep ipadb_get_connection() from succeeding with null LDAP context | |
| Resolves: RHEL-58453 | |
| - Resolves: #1199530 [RFE] Provide user lifecycle management capabilities | |
| - user-undel: Fix error messages. | |
| - Resolves: #1200694 [RFE] Support for multiple cert profiles | |
| - Prohibit deletion of predefined profiles | |
| - Resolves: #1232819 testing ipa-restore on fresh system install fails | |
| - Backup/restore authentication control configuration | |
| - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 | |
| server | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1245225 Asymmetric vault drops traceback when the key is not | |
| proper | |
| - Asymmetric vault: validate public key in client | |
| - Resolves: #1248399 Missing DNSSEC related files in backup | |
| - fix typo in BasePathNamespace member pointing to ods exporter config | |
| - ipa-backup: archive DNSSEC zone file and kasp.db | |
| - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is | |
| finished | |
| - winsync-migrate: Add warning about passsync | |
| - winsync-migrate: Expand the man page | |
| - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" | |
| - adjust search so that it works for non-admin users | |
| - Resolves: #1250093 ipa certprofile-import accepts invalid config | |
| - Require Dogtag PKI >= 10.2.6 | |
| - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust | |
| agents | |
| - trusts: Detect missing Samba instance | |
| - Resolves: #1250111 User lifecycle - preserved users can be assigned | |
| membership | |
| - ULC: Prevent preserved users from being assigned membership | |
| - Resolves: #1250145 Add permission for user to bypass caacl enforcement | |
| - Add permission for bypassing CA ACL enforcement | |
| - Resolves: #1250190 idrange is not added for sub domain | |
| - idranges: raise an error when local IPA ID range is being modified | |
| - trusts: harden trust-fetch-domains oddjobd-based script | |
| - Resolves: #1250928 Man page for ipa-server-install is out of sync | |
| - install: Fix server and replica install options | |
| - Resolves: #1251225 IPA default CAACL does not allow cert-request for services | |
| after upgrade | |
| - Fix default CA ACL added during upgrade | |
| - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey | |
| - validate mutually exclusive options in vault-add | |
| - Resolves: #1251579 ipa vault-add --user should set container owner equal to | |
| user on first run | |
| - Fixed vault container ownership. | |
| - Resolves: #1252517 cert-request rejects request with correct | |
| krb5PrincipalName SAN | |
| - Fix KRB5PrincipalName / UPN SAN comparison | |
| - Resolves: #1252555 ipa vault-find doesn't work for services | |
| - vault: Add container information to vault command results | |
| - Add flag to list all service and user vaults | |
| - Resolves: #1252556 Missing CLI param and ACL for vault service operations | |
| - Added CLI param and ACL for vault service operations. | |
| - Resolves: #1252557 certprofile: improve profile format documentation | |
| - certprofile-import: improve profile format documentation | |
| - certprofile: add profile format explanation | |
| - Resolves: #1253443 ipa vault-add creates vault with invalid type | |
| - vault: validate vault type | |
| - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing | |
| owner | |
| - baseldap: Allow overriding member param label in LDAPModMember | |
| - vault: Fix param labels in output of vault owner commands | |
| - Resolves: #1253511 ipa vault-find does not use criteria | |
| - vault: Fix vault-find with criteria | |
| - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 | |
| - install: Fix replica install with custom certificates | |
| - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc | |
| - improve the handling of krb5-related errors in dnssec daemons | |
| - Resolves: #1254412 when dirsrv is off, upgrade from 7.1 to 7.2 fails with | |
| starting CA and named-pkcs11.service | |
| - Server Upgrade: Start DS before CA is started. | |
| - Resolves: #1254637 Add ACI and permission for managing user userCertificate | |
| attribute | |
| - add permission: System: Manage User Certificates | |
| - Resolves: #1254641 Remove CSR allowed-extensions restriction | |
| - cert-request: remove allowed extensions check | |
| - Resolves: #1254693 vault --service does not normalize service principal | |
| - vault: normalize service principal in service vault operations | |
| - Resolves: #1254785 ipa-client-install does not properly handle dual stacked | |
| hosts | |
| - client: Add support for multiple IP addresses during installation. | |
| - Add dependency to SSSD 1.13.1 | |
| - client: Add description of --ip-address and --all-ip-addresses to man page | |
| - Remove ipa_webgui, its functions rolled into ipa_httpd | |
| - Change Requires from fedora-ds-base to 389-ds-base | |
| - Set minimum level of 389-ds-base to 1.2.6 for the replication | |
| version plugin. | |
| - No need to create /var/log/ipa_error.log since we aren't using | |
| TurboGears any more. | |
| - Deprecate --serial-autoincrement option (#1016645) | |
| - CA installation always failed on replica (#1005446) | |
| - Re-initializing a winsync connection exited with error (#994980) | |
| - Wrong directories created on full restore (#1186398) | |
| - ipa-restore crashes if replica is unreachable (#1186396) | |
| - idoverrideuser-add option --sshpubkey does not work (#1185410) | |
| - Fix postin scriptlet for F-15/F-16 | |
| - Fix breakage caused by python-kerberos update to 1.1 | |
| - Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing | |
| - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter | |
| - Update to upstream 3.3.2 (#991064) | |
| - Add delegation info to MS-PAC (#915799) | |
| - Warn about incompatibility with AD when IPA realm and domain | |
| differs (#1009044) | |
| - Allow PKCS#12 files with empty password in install tools (#1002639) | |
| - Privilege "SELinux User Map Administrators" did not list | |
| permissions (#997085) | |
| - SSH key upload broken when client joins an older server (#1009024) | |
| - Update to upstream 3.3.3 (#991064) | |
| - Resolves: #1416454 replication race condition prevents IPA to install | |
| - wait_for_entry: use only DN as parameter | |
| - Wait until HTTPS principal entry is replicated to replica | |
| - Use proper logging for error messages | |
| - Allow insecure binds for migration | |
| Resolves: RHBZ#1731963 | |
| - Updated to upstream 3.0.0 rc 1 | |
| - Update BR for 389-ds-base to 1.2.11.14 | |
| - Update BR for krb5 to 1.10 | |
| - Update BR for samba4-devel to 4.0.0-139 (rc1) | |
| - Add BR for python-polib | |
| - Update BR and Requires on sssd to 1.9.0 | |
| - Update Requires on policycoreutils to 2.1.12-5 | |
| - Update Requires on 389-ds-base to 1.2.11.14 | |
| - Update Requires on selinux-policy to 3.11.1-21 | |
| - Update Requires on dogtag to 10.0.0-0.33.a1 | |
| - Update Requires on certmonger to 0.60 | |
| - Update Requires on tomcat to 7.0.29 | |
| - Update minimum version of bind to 9.9.1-10.P3 | |
| - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 | |
| - Remove Requires on authconfig from python sub-package | |
| - Add redhat-access-plugin-ipa dependency | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650139 | |
| - Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to expire | |
| Resolves: RHEL-4941 | |
| - Fix rpminspect's 'patches' warnings | |
| Resolves: RHEL-22497 | |
| - Added patch to fix problem reported by ldapmodify | |
| - Installer did not detect different server and IPA domain (#1026845) | |
| - Allow kernel keyring CCACHE when supported (#1026861) | |
| - Abstracted client class to work directly or over RPC | |
| - Reinstalling ipa server hangs when configuring certificate | |
| server (#1018804) | |
| - rpcserver: validate Kerberos principal name before running kinit | |
| Resolves: RHEL-26153 | |
| - Vault: add additional fallback to RSA-OAEP wrapping algo | |
| Resolves: RHEL-28259 | |
| - "an internal error has occurred" during ipa host-del --updatedns (#1198431) | |
| - Renamed patch 1013 to 0114, as it was merged upstream | |
| - Fax number not displayed for user-show when kinit'ed as normal user. | |
| (#1198430) | |
| - Replication agreement with replica not disabled when ipa-restore done without | |
| IPA installed (#1199060) | |
| - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) | |
| - Updated to upstream 2.2.0 GA | |
| - Update minimum n-v-r of certmonger to 0.53 | |
| - Update minimum n-v-r of slapi-nis to 0.40 | |
| - Add Requires in client to oddjob-mkhomedir and python-krbV | |
| - Update minimum selinux-policy to 3.10.0-110 | |
| - Convert to autotools-based build | |
| - Pull upstream changelog 678 | |
| - Add new subpackage, ipa-server-selinux | |
| - Add Requires: authconfig to ipa-python (bz #433747) | |
| - Package i18n files | |
| - Resolves: #837369 [RFE] Switch to client promotion to replica model | |
| - Resolves: #1199516 [RFE] Move replication topology to the shared tree | |
| - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology | |
| - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) | |
| - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also | |
| list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend | |
| - Resolves: #1267206 ipa-server-install uninstall should warn if no | |
| installation found | |
| - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when | |
| ipa-client-automount is executed. | |
| - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly | |
| displayed when certificate generated using IPA on RHEL 7.2up2. | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Related: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.3.1.201605191449GITf8edf37 | |
| - selinux don't audit rules deny fetching trust topology | |
| Resolves: RHBZ#1845596 | |
| - fix iPAddress cert issuance for >1 host/service | |
| Resolves: RHBZ#1846352 | |
| - Specify cert_paths when calling PKIConnection | |
| Resolves: RHBZ#1849155 | |
| - Update crypto policy to allow AD-SUPPORT when installing IPA | |
| Resolves: RHBZ#1851139 | |
| - Add version to ipa-idoverride-memberof obsoletes | |
| Related: RHBZ#1846434 | |
| - Resolves: #1081561 CA not start during ipa server install in pure IPv6 env | |
| - Fix ipa-server-install in pure IPv6 environment | |
| - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as | |
| reachable via the forest root | |
| - trust: make sure ID range is created for the child domain even if it exists | |
| - ipa-kdb: simplify trusted domain parent search | |
| - Resolves: #1335567 Update Warning in IdM Web UI API browser | |
| - WebUI: add API browser is tech preview warning | |
| - Resolves: #1348560 Multiple domain Active Directory Trust conflict | |
| - ipaserver/dcerpc: reformat to make the code closer to pep8 | |
| - trust: automatically resolve DNS trust conflicts for triangle trusts | |
| - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in | |
| certificate revocation | |
| - cert-revoke: fix permission check bypass (CVE-2016-5404) | |
| - Resolves: #1353936 custodia.conf and server.keys file is world-readable. | |
| - Remove Custodia server keys from LDAP | |
| - Secure permissions of Custodia server.keys | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - custodia: include known CA certs in the PKCS#12 file for Dogtag | |
| - custodia: force reconnect before retrieving CA certs from LDAP | |
| - Resolves: #1362333 ipa vault container owner cannot add vault | |
| - Fix: container owner should be able to add vault | |
| - Resolves: #1365546 External trust with root domain is transitive | |
| - trust: make sure external trust topology is correctly rendered | |
| - Resolves: #1365572 IPA server broken after upgrade | |
| - Require pki-core-10.3.3-7 | |
| - Resolves: #1367864 Server assumes latest version of command instead of | |
| version 1 for old / 3rd party clients | |
| - rpcserver: assume version 1 for unversioned command calls | |
| - rpcserver: fix crash in XML-RPC system commands | |
| - Resolves: #1367773 thin client ignores locale change | |
| - schema cache: Fallback to 'en_us' when locale is not available | |
| - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" | |
| - Fail on topology disconnect/last role removal | |
| - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP | |
| - otptoken, permission: Convert custom type parameters on server | |
| - Resolves: #1369414 ipa server-del fails with Python stack trace | |
| - Handled empty hostname in server-del command | |
| - Resolves: #1369761 ipa-server must depend on a version of httpd that support | |
| mod_proxy with UDS | |
| - Require httpd 2.4.6-31 with mod_proxy Unix socket support | |
| - Resolves: #1370512 Received ACIError instead of DuplicatedError in | |
| stageuser_tests | |
| - Raise DuplicatedEnrty error when user exists in delete_container | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add missing param values to cert-find output | |
| - Renamed patch 1011 to 0100, as it was merged upstream | |
| - Resolves: #1452216 Replica installation grants HTTP principal | |
| access in WebUI | |
| - Make sure we check ccaches in all rpcserver paths | |
| - Replica installation fails for RHEL 6.4 master (#1004680) | |
| - Server uninstallation crashes if DS is not available (#998069) | |
| - Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to | |
| handle PKINIT certificates/anchors | |
| - certdb: add named trust flag constants | |
| - certdb, certs: make trust flags argument mandatory | |
| - certdb: use custom object for trust flags | |
| - install: trust IPA CA for PKINIT | |
| - client install: fix client PKINIT configuration | |
| - install: introduce generic Kerberos Augeas lens | |
| - server install: fix KDC PKINIT configuration | |
| - ipapython.ipautil.run: Add option to set umask before executing command | |
| - certs: do not export keys world-readable in install_key_from_p12 | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - replica install: respect --pkinit-cert-file | |
| - cacert manage: support PKINIT | |
| - server certinstall: support PKINIT | |
| - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file | |
| option | |
| - certs: do not export CA certs in install_pem_from_p12 | |
| - server install: fix KDC certificate validation in CA-less | |
| - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been | |
| decommissioned | |
| - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname | |
| - Resolves: #1451712 KRA installation fails on server that was originally | |
| installed as CA-less | |
| - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt | |
| - Resolves: #1441499 ipa cert-show does not raise error if no file name | |
| specified | |
| - ca/cert-show: check certificate_out in options | |
| - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ | |
| - Remove pkinit-anonymous command | |
| - Resolves: #1449523 Provide an API command to retrieve PKINIT status | |
| in the FreeIPA topology | |
| - Allow for multivalued server attributes | |
| - Refactor the role/attribute member reporting code | |
| - Add an attribute reporting client PKINIT-capable servers | |
| - Add the list of PKINIT servers as a virtual attribute to global config | |
| - Add `pkinit-status` command | |
| - test_serverroles: Get rid of MockLDAP and use ldap2 instead | |
| - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI | |
| - Fix rare race condition with missing ccache file | |
| - Resolves: #1455045 Simple service uninstallers must be able to handle | |
| missing service files gracefully | |
| - only stop/disable simple service if it is installed | |
| - Resolves: #1455541 after upgrade login from web ui breaks | |
| - krb5: make sure KDC certificate is readable | |
| - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing | |
| command "ipa cert-request --add" after upgrade | |
| - Change python-cryptography to python2-cryptography | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - ipa-kra-install: fix check_host_keys | |
| - Fix --external-ca-profile not passed to CSR | |
| Resolves: RHBZ#1731813 | |
| - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. | |
| - Resolves: #1375269 ipa trust-fetch-domains throws internal error | |
| - sudo rule for "admins" members should be created by default (#1609873) | |
| - Added Require mod_wsgi, added share/ipa/wsgi.py | |
| - Rebuild to samba 4.17.2. | |
| Related: RHBZ#2132051 | |
| - Use java-1.8.0-openjdk-devel | |
| - Hardening for CVE-2020-25717 | |
| - Harden processing of trusted domains' users in S4U operations | |
| - Resolves: RHBZ#2021443 | |
| - Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) | |
| - Resolves: #1277696 IPA certificate auto renewal fail with "Invalid | |
| Credential" | |
| - cert renewal: make renewal of ipaCert atomic | |
| - Resolves: #1278330 installer options are not validated at the beginning of | |
| installation | |
| - install: fix command line option validation | |
| - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd | |
| from starting up | |
| - client install: do not corrupt OpenSSH config with Match sections | |
| - Resolves: #1282935 ipa upgrade causes vault internal error | |
| - install: export KRA agent PEM file in ipa-kra-install | |
| - Resolves: #1283429 Default CA ACL rule is not created during | |
| ipa-replica-install | |
| - TLS and Dogtag HTTPS request logging improvements | |
| - Avoid race condition caused by profile delete and recreate | |
| - Do not erroneously reinit NSS in Dogtag interface | |
| - Add profiles and default CA ACL on migration | |
| - disconnect ldap2 backend after adding default CA ACL profiles | |
| - do not disconnect when using existing connection to check default CA ACLs | |
| - Resolves: #1283430 ipa-kra-install: fails to apply updates | |
| - suppress errors arising from adding existing LDAP entries during KRA | |
| install | |
| - Resolves: #1283748 Caching of ipaconfig does not work in framework | |
| - fix caching in get_ipa_config | |
| - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after | |
| upgrade from RHEL 7.0 to RHEL 7.2 | |
| - upgrade: fix migration of old dns forward zones | |
| - Fix upgrade of forwardzones when zone is in realmdomains | |
| - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap | |
| connection | |
| - ipa-cacert-renew: Fix connection to ldap. | |
| - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection | |
| - ipa-otptoken-import: Fix connection to ldap. | |
| - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using | |
| "yum update ipa* sssd" | |
| - Set minimal required version for openssl | |
| - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps | |
| - Upgrade: Fix upgrade of NIS Server configuration | |
| - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory | |
| permissions on /var/lib/ipa/dnssec | |
| - DNS: fix file permissions | |
| - Explicitly call chmod on newly created directories | |
| - Fix: replace mkdir with chmod | |
| - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison | |
| - Fix version comparison | |
| - use FFI call to rpmvercmp function for version comparison | |
| - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix | |
| groups are missing | |
| - ipa-kdb: map_groups() consider all results | |
| - Resolves: #1293870 User should be notified for wrong password in password | |
| reset page | |
| - Fixed login error message box in LoginScreen page | |
| - Resolves: #1296196 Sysrestore did not restore state if a key is specified in | |
| mixed case | |
| - Allow to use mixed case for sysrestore | |
| - Resolves: #1296214 DNSSEC key purging is not handled properly | |
| - DNSSEC: Improve error reporting from ipa-ods-exporter | |
| - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in | |
| LDAP | |
| - DNSSEC: Make sure that current key state in LDAP matches key state in BIND | |
| - DNSSEC: remove obsolete TODO note | |
| - DNSSEC: add debug mode to ldapkeydb.py | |
| - DNSSEC: logging improvements in ipa-ods-exporter | |
| - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | |
| - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | |
| - DNSSEC: ipa-ods-exporter: add ldap-cleanup command | |
| - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | |
| - DNSSEC: Log debug messages at log level DEBUG | |
| - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running | |
| - prevent crash of CA-less server upgrade due to absent certmonger | |
| - always start certmonger during IPA server configuration upgrade | |
| - Resolves: #1297811 The ipa -e skip_version_check=1 still issues | |
| incompatibility error when called against RHEL 6 server | |
| - ipalib: assume version 2.0 when skip_version_check is enabled | |
| - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" | |
| - Do not decode HTTP reason phrase from Dogtag | |
| - Resolves: #1300252 shared certificateProfiles container is missing on a | |
| freshly installed RHEL7.2 system | |
| - upgrade: unconditional import of certificate profiles into LDAP | |
| - Resolves: #1301674 --setup-dns and other options is forgotten for using an | |
| external PKI | |
| - installer: Propagate option values from components instead of copying them. | |
| - installer: Fix logic of reading option values from cache. | |
| - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA | |
| IPA setup | |
| - ipa-ca-install: print more specific errors when CA is already installed | |
| - cert renewal: import all external CA certs on IPA CA cert renewal | |
| - CA install: explicitly set dogtag_version to 10 | |
| - fix standalone installation of externally signed CA on IPA master | |
| - replica install: validate DS and HTTP server certificates | |
| - replica install: improvements in the handling of CA-related IPA config | |
| entries | |
| - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups | |
| - slapi-nis: update configuration to allow external members of IPA groups | |
| - Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find | |
| returns "0 trusts matched" | |
| - upgrade: fix config of sidgen and extdom plugins | |
| - trusts: use ipaNTTrustPartner attribute to detect trust entries | |
| - Warn user if trust is broken | |
| - fix upgrade: wait for proper DS socket after DS restart | |
| - Insure the admin_conn is disconnected on stop | |
| - Fix connections to DS during installation | |
| - Fix broken trust warnings | |
| - Resolves: #1321092 Installers fail when there are multiple versions of the | |
| same certificate | |
| - certdb: never use the -r option of certutil | |
| - Related: #1317381 Crash during IPA upgrade due to slapd | |
| - spec file: update minimum required version of slapi-nis | |
| - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 | |
| CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws | |
| [rhel-7.3] | |
| - Rebuild against newer Samba version | |
| - Config plugin: return EmptyModlist when no change is applied. | |
| Resolves: RHBZ#2031825 | |
| - Custodia: use a stronger encryption algo when exporting keys. | |
| Resolves: RHBZ#2032806 | |
| - ipa-kdb: do not remove keys for hardened auth-enabled users. | |
| Resolves: RHBZ#2033342 | |
| - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus | |
| Resolves: RHBZ#2049167 | |
| - Backport latest test fixes in python3 ipatests. | |
| Resolves: RHBZ#2048509 | |
| - Removed unused patch files that were part of 4.9.8 rebase. | |
| - Fix replica installation failing on certificate subject (#983075) | |
| - Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 | |
| Any type | |
| - New command automember-find-orphans to find and remove orphan automember | |
| rules has been added | |
| Resolves: RHBZ#1638373 | |
| - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: | |
| header-logo.png, login-screen-background.jpg, login-screen-logo.png, | |
| product-name.png | |
| New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common | |
| Resolves: RHBZ#1626507 | |
| - Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. | |
| - Do not initialize API in ipa-client-automount uninstall | |
| - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin | |
| client changes | |
| - idrange: fix unassigned global variable | |
| - Resolves: #1360792 Migrating users doesn't update krbCanonicalName | |
| - re-set canonical principal name on migrated users | |
| - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' | |
| and 'bool' objects | |
| - Fix ipa hbactest output | |
| - Resolves: #1362260 ipa vault-mod no longer allows defining salt | |
| - vault: add missing salt option to vault_mod | |
| - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong | |
| public key | |
| - vault: Catch correct exception in decrypt | |
| - Resolves: #1362537 ipa-server-install fails to create symlink from | |
| /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ | |
| - Correct path to HTTPD's systemd service directory | |
| - Resolves: #1363756 Increase length of passwords generated by installer | |
| - Increase default length of auto generated passwords | |
| - When IdM server trusts multiple AD forests, IPA client returns invalid group | |
| membership info (#1079498) | |
| - Remove ipa-server-selinux obsoletes as upgrades from version prior to | |
| 3.3.0 are not allowed | |
| - Wrap server-trust-ad subpackage description better | |
| - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf | |
| - Change permissions on default_encoding_utf8.so to fix ipa-python Provides | |
| - Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum | |
| version to 1.0.7-4 so we pick up the NSS fixes. | |
| - Add selinux-policy-base(post) to Requires (446496) | |
| - Resolves: #1449189 ipa-kra-install timeouts on replica | |
| - kra: promote: Get ticket before calling custodia | |
| - ipa-replica-install never checks for 7389 port (#1075165) | |
| - Non-terminated string may be passed to LDAP search (#1075091) | |
| - ipa-sam may fail to translate group SID into GID (#1073829) | |
| - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) | |
| - ipatests: remove additional check for failed units. | |
| Resolves: RHBZ#2053024 | |
| - ipa-cldap: fix memory leak. | |
| Resolves: RHBZ#2032738 | |
| - ipatests: Update ipa-adtrust-install test | |
| Resolves: RHEL-40894 | |
| - IPA Replicate creation fails with error "Update failed! Status: [10 Total | |
| update abortedLDAP error: Referral]" (#1166265) | |
| - running ipa-server-install --setup-dns results in a crash (#1072502) | |
| - DNS zones are not migrated into forward zones if 4.0+ replica is added | |
| (#1175384) | |
| - gid is overridden by uid in default trust view (#1168904) | |
| - When migrating warn user if compat is enabled (#1177133) | |
| - Clean up debug log for trust-add (#1168376) | |
| - No error message thrown on restore(full kind) on replica from full backup | |
| taken on master (#1175287) | |
| - ipa-restore proceed even IPA not configured (#1175326) | |
| - Data replication not working as expected after data restore from full backup | |
| (#1175277) | |
| - IPA externally signed CA cert expiration warning missing from log (#1178128) | |
| - ipa-upgradeconfig fails in CA-less installs (#1181767) | |
| - IPA certs fail to autorenew simultaneously (#1173207) | |
| - More validation required on ipa-restore's options (#1176034) | |
| - 2.1.3 | |
| - Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. | |
| - ldap: limit the retro changelog to dns subtree | |
| - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead | |
| of "CA:FALSE" IPA CA CSR | |
| - Include the CA basic constraint in CSRs when renewing a CA | |
| - Resolves: #1493145 ipa-replica-install might fail because of an already | |
| existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX | |
| - Checks if replica-s4u2proxy.ldif should be applied | |
| - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default | |
| - ds: ignore time skew during initial replication step | |
| - ipa-replica-manage: implicitly ignore initial time skew in force-sync | |
| - Resolves: #1500218 Replica installation at domain-level 0 fails against | |
| upgraded ipa-server | |
| - Fix ipa-replica-conncheck when called with --principal | |
| - Resolves: #1506188 server-del doesn't remove dns-server configuration | |
| from ldap | |
| - Make sure ipa-server depends on krb5-kdb-version to pick up | |
| right MIT Kerberos KDB ABI | |
| Related: RHBZ#1700121 | |
| - User field separator uses '$$' within ipaSELInuxUserMapOrder | |
| Fixes: RHBZ#1729099 | |
| - ipa-server-install crashes when AD subpackage is not installed (#1026434) | |
| - Allow Web-based migration to work with tightened SE Linux policy (#769440) | |
| - Rebuild slapi plugins against reentrant version of libldap | |
| - Add ipa init script | |
| - Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade | |
| to not use generated Samba config at this point | |
| - Related: rhbz#1623895 | |
| - Resolves: #1614301 Remove --no-sssd and --noac options | |
| - Resolves: #1613879 Disable Domain Level 0 | |
| - New patch sets to disable domain level 0 | |
| - New adapted patch to disable DL0 specific tests (pytest_ipa vs. | |
| pytest_plugins) | |
| - Adapted branding patch in ipa-replica-install.1 due to DL0 removal | |
| - Removed python-cherrypy from BuildRequires and Requires | |
| - Added Requires python-assets, python-wehjit | |
| - Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA | |
| with certmonger | |
| - uninstall: untrack lightweight CA certs | |
| - Resolves: #1351807 ipa-nis-manage config.get_dn missing | |
| - ipa-nis-manage: Use server API to retrieve plugin status | |
| - Resolves: #1353452 ipa-compat-manage command failed, | |
| exception: NotImplementedError: config.get_dn() | |
| - ipa-compat-manage: use server API to retrieve plugin status | |
| - Resolves: #1353899 ipa-advise: object of type 'type' has no len() | |
| - ipa-advise: correct handling of plugin namespace iteration | |
| - Resolves: #1356134 'kinit -E' does not work for IPA user | |
| - kdb: check for local realm in enterprise principals | |
| - Resolves: #1353072 ipa unknown command vault-add | |
| - Enable vault-* commands on client | |
| - vault-add: set the default vault type on the client side if none was given | |
| - Resolves: #1353995 Default CA can be used without a CA ACL | |
| - caacl: expand plugin documentation | |
| - Resolves: #1356144 host-find should not print SSH keys by default, only | |
| SSH fingerprints | |
| - host-find: do not show SSH key by default | |
| - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 | |
| - Removed unused method parameter from migrate-ds | |
| - Resolves: #1262996 ipa vault internal error on replica without KRA | |
| - upgrade: make sure ldap2 is connected in export_kra_agent_pem | |
| - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by | |
| external CA | |
| - schema: do not derive ipaVaultPublicKey from ipaPublicKey | |
| - Resolves: #1361119 UPN-based search for AD users does not match an entry in | |
| slapi-nis map cache | |
| - support multiple uid values in schema compatibility tree | |
| - Included LICENSE and README in all packages for documentation | |
| - Move user-modifiable content to /etc/ipa and linked back to | |
| /usr/share/ipa/html | |
| - Changed some references to /usr to the {_usr} macro and /etc | |
| to {_sysconfdir} | |
| - Added popt-devel to BuildRequires for Fedora 8 and higher and | |
| popt for Fedora 7 | |
| - Package the egg-info for Fedora 9 and higher for ipa-python | |
| - Add ipa-host-net-manage script | |
| - Add Requires: python-nss to ipa-python sub-package | |
| - Adopt to samba4 beta6 (libsecurity -> libsamba-security) | |
| - Add dependency to samba4-winbind | |
| - Bump up minimum version of python-nss to pick up nss_is_initialize() API | |
| - Resolves: #800545 [RFE] Support SUDO command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the sudorule objects | |
| - Resolves: #872671 IPA WebUI login for AD Trusted User fails | |
| - WebUI: check principals in lowercase | |
| - WebUI: add method for disabling item in user dropdown menu | |
| - WebUI: Add support for login for AD users | |
| - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with | |
| certificates on smart cards (pkinit) | |
| - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() | |
| - IPA certauth plugin | |
| - ipa-kdb: do not depend on certauth_plugin.h | |
| - spec file: bump krb5-devel BuildRequires for certauth | |
| - Resolves: #1264370 RFE: disable last successful authentication by default in | |
| ipa. | |
| - Set "KDC:Disable Last Success" by default | |
| - Resolves: #1318186 Misleading error message during external-ca IPA master | |
| install | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR | |
| CA certificate chain in ... incomplete" | |
| - certs: do not implicitly create DS pin.txt | |
| - httpinstance: clean up /etc/httpd/alias on uninstall | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - configure: fix --disable-server with certauth plugin | |
| - rpcserver.login_x509: Actually return reply from __call__ method | |
| - spec file: Bump requires to make Certificate Login in WebUI work | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - extdom: do reverse search for domain separator | |
| - extdom: improve cert request | |
| - Resolves: #1430363 [RFE] HBAC rule names command rename | |
| - Reworked the renaming mechanism | |
| - Allow renaming of the HBAC rule objects | |
| - Resolves: #1433082 systemctl daemon-reload needs to be called after | |
| httpd.service.d/ipa.conf is manipulated | |
| - tasks: run `systemctl daemon-reload` after httpd.service.d updates | |
| - Resolves: #1434032 Run ipa-custodia with custom SELinux context | |
| - Use Custodia 0.3.1 features | |
| - Resolves: #1434384 RPC client should use HTTP persistent connection | |
| - Use connection keep-alive | |
| - Add debug logging for keep-alive | |
| - Increase Apache HTTPD's default keep alive timeout | |
| - Resolves: #1434729 man ipa-cacert-manage install needs clarification | |
| - man ipa-cacert-manage install needs clarification | |
| - Resolves: #1434910 replica install against IPA v3 master fails with ACIError | |
| - Fixing replica install: fix ldap connection in domlvl 0 | |
| - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is | |
| used during typing Directory Manager password | |
| - ipapython.ipautil.nolog_replace: Do not replace empty value | |
| - Resolves: #1435397 ipa-replica-install can't install replica file produced by | |
| ipa-replica-prepare on 4.5 | |
| - replica prepare: fix wrong IPA CA nickname in replica file | |
| - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if | |
| KRA is not installed | |
| - WebUI: Fix showing vault in selfservice view | |
| - Resolves: #1435718 As a ID user I cannot call a command with --rights option | |
| - ldap2: use LDAP whoami operation to retrieve bind DN for current connection | |
| - Resolves: #1436319 "Truncated search results" pop-up appears in user details | |
| in WebUI | |
| - WebUI: Add support for suppressing warnings | |
| - WebUI: suppress truncation warning in select widget | |
| - Resolves: #1436333 Uninstall fails with No such file or directory: | |
| '/var/run/ipa/services.list' | |
| - Create temporary directories at the beginning of uninstall | |
| - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate | |
| fails | |
| - WebUI: Allow to add certs to certmapping with CERT LINES around | |
| - Resolves: #1436338 CLI doesn't work after ipa-restore | |
| - Backup ipa-specific httpd unit-file | |
| - Backup CA cert from kerberos folder | |
| - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege | |
| separation | |
| - Bump samba version for FIPS and priv. separation | |
| - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with | |
| ipa vault commands | |
| - Avoid growing FILE ccaches unnecessarily | |
| - Handle failed authentication via cookie | |
| - Work around issues fetching session data | |
| - Prevent churn on ccaches | |
| - Resolves: #1436657 Add workaround for pki_pin for FIPS | |
| - Generate PIN for PKI to help Dogtag in FIPS | |
| - Resolves: #1436714 [vault] cache KRA transport cert | |
| - Simplify KRA transport cert cache | |
| - Resolves: #1436723 cert-find does not find all certificates without | |
| sizelimit=0 | |
| - cert: do not limit internal searches in cert-find | |
| - Resolves: #1436724 Renewal of IPA RA fails on replica | |
| - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function | |
| - Resolves: #1436753 Master tree fails to install | |
| - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not | |
| available | |
| - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout | |
| Related: RHBZ#2053024 | |
| - Remove unnecessary moving of v1 CA serial number file in post script | |
| - Add Obsoletes for server-selinux subpackage | |
| - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da | |
| - Pull upstream changelog 608 which renamed several files | |
| - clean up spec | |
| - Depend on sssd >= 1.6.2 for better user experience | |
| - Update slapi-nis dependency to pull 0.54-2 (#891984) | |
| - ipa-restore: Don't crash if AD trust is not installed (#951581) | |
| - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) | |
| - Trust setting not restored for CA cert with ipa-restore command (#1159011) | |
| - ipa-server-install fails when restarting named (#1162340) | |
| - Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install | |
| - Related: #1204809 Rebase ipa to 4.2 | |
| - Fix minimum version of slapi-nis | |
| - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) | |
| - Fix: DNS installer adds invalid zonemgr email (#1056202) | |
| - ipaplatform: Use the dirsrv service, not target (#951581) | |
| - Fix: DNS policy upgrade raises assertion error (#1161128) | |
| - Fix upgrade referint plugin (#1161128) | |
| - Upgrade: fix trusts objectclass violation (#1161128) | |
| - group-add doesn't accept gid parameter (#1149124) | |
| - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL | |
| Resolves: RHBZ#1982956 | |
| - Unable to remove replica by ipa-replica-manage (#1001662) | |
| - Before uninstalling a server, warn about active replicas (#998069) | |
| - Fix Fedora package changelog after merging systemd changes | |
| - ipaclient-install: chmod needs octal permissions (#1609880) | |
| - Move ipalib to ipa-python subpackage | |
| - Bump minimum version of slapi-nis to 0.15 | |
| - Ensure that /etc/ipa exists before moving user-modifiable html files there | |
| - Put html files into /etc/ipa/html instead of /etc/ipa | |
| - Added auto* BuildRequires | |
| - New upstream release 1.2.1 | |
| - Rely on sssd-krb5 to include SSSD-generated krb5 configuration | |
| Resolves: RHBZ#2214563 | |
| - Add end to end integration tests for external IdP | |
| Resolves: RHBZ#2106346 | |
| - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install | |
| because of missing dependencies | |
| - Rebuild with krb5-1.14.1 | |
| - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 | |
| build fails (#1167196) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - "ipa trust-add ... " cmd says : (Trust status: Established and verified) | |
| while in the logs we see "WERR_ACCESS_DENIED" during verification step. | |
| (#1144121) | |
| - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server | |
| (#1156466) | |
| - Add support/hooks for a one-time password system like SecureID in IPA | |
| (#919228) | |
| - Tracebacks with latest build for --zonemgr cli option (#1167270) | |
| - ID Views: Support migration from the sync solution to the trust solution | |
| (#891984) | |
| - Mass rebuild 2014-01-24 | |
| - Move initialization of Guests mapping after cifs/ principal is created | |
| - Related: rhbz#1623895 | |
| - Preserve mode on ipa-keytab-util | |
| - Version bump for release and rpm name change | |
| - Updated upstream pull (596) to fix bug in ipa_webgui that was causing the | |
| UI to not start. | |
| - Update to upstream 4.7.0 GA | |
| - Fixed License in specfile | |
| - Include files from /usr/lib/python*/site-packages/ipaserver | |
| - Allow ipa-tests to work with older version (1.7.7) of python-paramiko | |
| - Fixed kdcproxy_version to 0.4-3 | |
| - Fixed krb5_version to 1.17-7 | |
| Related: RHBZ#1684528 | |
| - Remove "Listen 443 http" hack from deployed nss.conf (#1029046) | |
| - Re-adding existing trust fails (#1033216) | |
| - IPA uninstall exits with a samba error (#1033075) | |
| - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) | |
| - Fixed ownership of /usr/share/ipa/ui/js (#1026260) | |
| - ipa-tests: support external names for hosts (#1032668) | |
| - ipa-client-install fail due fail to obtain host TGT (#1029354) | |
| - Update to upstream 4.0.3 (#1109726) | |
| - Server installation fails using external signed certificates with | |
| "IndexError: list index out of range" (#1111320) | |
| - Add rhino to BuildRequires to fix Web UI build error | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Set krbCanonicalName admin@REALM on the admin user | |
| Resolves: RHEL-89895 | |
| - Handle new samba exception types. | |
| Resolves: RHEL-17623 | |
| - Fix for CVE-2008-3274 | |
| - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface | |
| - Add fix for bug #453185 | |
| - Rebuild against openldap libraries, mozldap ones do not work properly | |
| - TurboGears is currently broken in rawhide. Added patch to not build | |
| the UI locales and removed them from the ipa-server files section. | |
| - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older | |
| Resolves: RHEL-12198 | |
| - Update dependency for bind-dyndb-ldap to 11.2-2 | |
| Related: RHBZ#1762813 | |
| - Drop requires on python-configobj (not used any more) | |
| - Drop ipa-ldap-updater message, upgrades are done differently now | |
| - Update Requires on pki-ca to 10.1.2-4 (#1129558) | |
| - build: increase java stack size for all arches | |
| - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) | |
| - Fix dns zonemgr validation regression (#1056202) | |
| - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) | |
| - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate | |
| (#886645) | |
| - Add bind-dyndb-ldap working dir to IPA specfile | |
| - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage | |
| (#886645) | |
| - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) | |
| - Deadlock in schema compat plugin (#1161131) | |
| - ipactl stop should stop dirsrv last (#1161129) | |
| - Upgrade 3.3.5 to 4.1 failed (#1161128) | |
| - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) | |
| - Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7 | |
| Resolves: RHBZ#1846434 | |
| - Require python-wehjit >= 0.2.0 | |
| - Replica CA installation: ignore skew during initial replication | |
| Resolves RHEL-80995 | |
| - Revert bind-pkcs11-utils configuration in freeipa.spec. | |
| Resolves: RHBZ#2026732 | |
| - Configure CA replication to use TLS instead of SSL | |
| - Update to upstream 3.2.0 Beta 1 | |
| - Added support for libipa-dna-plugin | |
| - Remove posixAccount from service_find search filter | |
| Resolves: RHBZ#1731437 | |
| - Fix repeated uninstallation of ipa-client-samba crashes | |
| Resolves: RHBZ#1732529 | |
| - WebUI: Add PKINIT status field to 'Configuration' page | |
| Resolves: RHBZ#1518153 | |
| - Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during | |
| search in cn=ad, cn=trusts,dc=example,dc=com | |
| - Resolves: #1467887 iommu platform support for ipxe | |
| - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching for public key for | |
| host | |
| - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to | |
| 4.5 | |
| - Resolves: #1480102 ipa-server-upgrade fails with "This entry already | |
| exists" | |
| - Resolves: #1482802 Unable to set ca renewal master on replica | |
| - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Resolves: #1486283 TypeError in renew_ca_cert prevents from switching back | |
| to self-signed CA | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new | |
| installs only) | |
| - Resolves: #1477703 IPA upgrade fails for latest ipa package | |
| - Throw zonemgr error message before installation proceeds (#1163849) | |
| - Winsync: Setup is broken due to incorrect import of certificate (#1169867) | |
| - Enable last token deletion when password auth type is configured (#919228) | |
| - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) | |
| - add --hosts and --hostgroup options to allow/retrieve keytab methods | |
| (#1007367) | |
| - Extend host-show to add the view attribute in set of default attributes | |
| (#1168916) | |
| - Prefer TCP connections to UDP in krb5 clients (#919228) | |
| - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) | |
| - webui: increase notification duration (#1171089) | |
| - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) | |
| - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert | |
| (#1170003) | |
| - Improve validation of --instance and --backend options in ipa-restore | |
| (#951581) | |
| - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) | |
| - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) | |
| - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to | |
| Trusts | |
| - winsync-migrate: Convert entity names to posix friendly strings | |
| - winsync-migrate: Properly handle collisions in the names of external groups | |
| - Resolves: #1261074 Adjust Firefox configuration to new extension signing | |
| policy | |
| - webui: use manual Firefox configuration for Firefox >= 40 | |
| - Resolves: #1263337 IPA Restore failed with installed KRA | |
| - ipa-backup: Add mechanism to store empty directory structure | |
| - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate | |
| and private key in world readable file [rhel-7.2] | |
| - install: fix KRA agent PEM file permissions | |
| - Resolves: #1265086 Mark IdM API Browser as experimental | |
| - WebUI: add API browser is experimental warning | |
| - Resolves: #1265277 Fix kdcproxy user creation | |
| - install: create kdcproxy user during server install | |
| - platform: add option to create home directory when adding user | |
| - install: fix kdcproxy user home directory | |
| - Resolves: #1265559 GSS failure after ipa-restore | |
| - destroy httpd ccache after stopping the service | |
| - Remove redundant Requires versions that are already in Fedora 17 | |
| - Replace python-crypto Requires with m2crypto | |
| - Add missing Requires(post) for client and server-trust-ad subpackages | |
| - Restart httpd service when server-trust-ad subpackage is installed | |
| - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes | |
| - trustdomain-find with pkey-only fails (#1068611) | |
| - Invalid credential cache in trust-add (#1069182) | |
| - ipa-replica-install prints unexpected error (#1069722) | |
| - Too big font in input fields in details facet in Firefox (#1069720) | |
| - trust-add for POSIX AD does not fetch trustdomains (#1070925) | |
| - Misleading trust-add error message in some cases (#1070926) | |
| - Access is not rejected for disabled domain (#1070924) | |
| - Rebuild for broken deps | |
| - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 | |
| - Resolves: #1377973 ipa-server-install fails when the provided or resolved | |
| IP address is not found on local interfaces | |
| - Only warn when specified server IP addresses don't match intf | |
| - Resolves: #1438016 gssapi errors after IPA server upgrade | |
| - Bump version of python-gssapi | |
| - Resolves: #1457942 certauth: use canonical principal for lookups | |
| - ipa-kdb: use canonical principal in certauth plugin | |
| - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid | |
| breaking older clients | |
| - Add code to be able to set default kinit lifetime | |
| - Revert setting sessionMaxAge for old clients | |
| - Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) | |
| Resolves: RHBZ#1767304 | |
| Resolves: RHBZ#1776939 | |
| - Support KDC ticket policies for authentication indicators | |
| Resolves: RHBZ#1777564 | |
| - Added support for ipa_kpasswd and ipa_pwd_extop | |
| - Backport latest test fixes in python3-ipatests | |
| Resolves: RHBZ#2060841 | |
| - extdom: use getorigby{user|group}name if available | |
| Resolves: RHBZ#2062379 | |
| - Set the mode on ipaupgrade.log during RPM post snippet | |
| Resolves: RHBZ#2061957 | |
| - test_krbtpolicy: skip SPAKE-related tests in FIPS mode | |
| Resolves: RHBZ#1909630 | |
| - Remove radius subpackages | |
| - Don't always override the port in import_included_profiles | |
| Fixes: RHBZ#2022483 | |
| - Remove ipa-join errors from behind the debug option | |
| Fixes: RHBZ#2048558 | |
| - Enable the ccache sweep timer during installation | |
| Fixes: RHBZ#2051575 | |
| - Set 0.14 as minimum version for slapi-nis | |
| - Marked with wrong license. IPA is GPLv2. | |
| - Update to upstream 3.2.1 | |
| - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 | |
| - Fix bug #702633 | |
| - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" | |
| error observed during ipa upgrade with latest package. | |
| - ipa-server-install: fix uninstall | |
| - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break | |
| replica | |
| - ca install: merge duplicated code for DM password | |
| - installutils: add DM password validator | |
| - ca, kra install: validate DM password | |
| - Fix status trust-add command status message (#910453) | |
| - NetBIOS was not trimmed at 15 characters (#1030517) | |
| - Harden CA subsystem certificate renewal on CA clones (#1040018) | |
| - Replace TurboGears requirement with python-cherrypy | |
| - Resolves: #1382812 Creation of replica for disconnected environment is | |
| failing with CA issuance errors; Need good steps. | |
| - gracefully handle setting replica bind dn group on old masters | |
| - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a | |
| temporary CA admin | |
| - replication: ensure bind DN group check interval is set on replica config | |
| - add missing attribute to ipaca replica during CA topology update | |
| - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of | |
| named-pkcs11 | |
| - bindinstance: use data in named.conf to determine configuration status | |
| - Unable to add trust successfully with --trust-secret (#1075704) | |
| - Fix krb5-kdb-server -> krb5-kdb-version | |
| Related: RHBZ#1700121 | |
| - Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports | |
| expecting IPA services listening on IPv6 ports | |
| - Make sure upgrade also checks for IPv6 stack | |
| - control logging of host_port_open from caller | |
| - log progress of wait_for_open_ports | |
| - Resolves: #1477243 ipa help command returns traceback when no cache | |
| is present | |
| - Store help in Schema before writing to disk | |
| - Disable pylint in get_help function because of type confusion. | |
| - Update to upstream version 1.2.0 | |
| - Set fedora-ds-base minimum version to 1.1.3 for winsync header | |
| - Set the minimum version for SELinux policy | |
| - Remove references to Fedora 7 | |
| - Resolves: #828866 [RFE] enhance --subject option for ipa-server-install | |
| - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in | |
| hostname | |
| - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' | |
| attribute | |
| - Resolves: #1321652 ipa-server-install fails when using external certificates | |
| that encapsulate RDN components in double quotes | |
| - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on | |
| revocation reasons | |
| - Resolves: #1340880 ipa-server-install: improve prompt on interactive | |
| installation | |
| - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf | |
| incomplete entries | |
| - Resolves: #1356104 cert-show command does not display Subject Alternative | |
| Names | |
| - Resolves: #1357511 Traceback message seen when ipa is provided with invalid | |
| configuration file name | |
| - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is | |
| converted from CA-less to CA-full | |
| - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication | |
| - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa | |
| config-mod --enable-migration=TRUE | |
| - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain | |
| - Resolves: #1371927 Implement ca-enable/disable commands. | |
| - Resolves: #1372202 Add Users into User Group editors fails to show Full names | |
| - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra | |
| check box in the UI | |
| - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error | |
| message | |
| - Resolves: #1375905 "Normal" group type in the UI is confusing | |
| - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback | |
| - Resolves: #1376630 IDM admin password gets written to | |
| /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should | |
| match other options | |
| - Resolves: #1378461 IPA Allows Password Reuse with History value defined when | |
| admin resets the password. | |
| - Resolves: #1379029 conncheck failing intermittently during single step | |
| replica installs | |
| - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck | |
| - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace | |
| - Resolves: #1392778 Update man page for ipa-adtrust-install by | |
| removing --no-msdcs option | |
| - Resolves: #1392858 Rebase to FreeIPA 4.5+ | |
| - Rebase to 4.5.0 | |
| - Resolves: #1399133 Delete option shouldn't be available for hosts applied to | |
| view. | |
| - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA | |
| should contain full trust chain | |
| - Resolves: #1400416 RFE: Provide option to take backup of IPA server before | |
| uninstalling IPA server | |
| - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases | |
| - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but | |
| not on details page | |
| - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping | |
| - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when | |
| non-FQDN name of IPA server is first in /etc/hosts | |
| - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using | |
| nsupdate | |
| - Resolves: #1413742 Backport request for bug/issue Change IP address | |
| validation errors to warnings | |
| - Resolves: #1415652 IPA replica install log shows password in plain text | |
| - Resolves: #1427897 different behavior regarding system wide certs in master | |
| and replica. | |
| - Resolves: #1430314 The ipa-managed-entries command failed, exception: | |
| AttributeError: ldap2 | |
| - Unified spec file | |
| - Fix SELinux code | |
| - Allow the admin user to be disabled | |
| Resolves: RHEL-34756 | |
| - ipa-otptoken-import: open the key file in binary mode | |
| Resolves: RHEL-39616 | |
| - ipa-crlgen-manage: manage the cert status task execution time | |
| Resolves: RHEL-30280 | |
| - idrange-add: add a warning because 389ds restart is required | |
| Resolves: RHEL-28996 | |
| - PKINIT certificate: fix renewal on hidden replica | |
| Resolves: RHEL-4913, RHEL-45908 | |
| - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: | |
| (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) | |
| - Resolves: #1348948 IPA server install fails with build | |
| ipa-server-4.4.0-0.el7.1.alpha1 | |
| - Revert "Increased mod_wsgi socket-timeout" | |
| - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires | |
| - Remove references to admin server in ipa-server-setupssl | |
| - Generate a client certificate for the XML-RPC server to connect to LDAP with | |
| - Create a keytab for Apache | |
| - Create an ldif with a test user | |
| - Provide a certmap.conf for doing SSL client authentication | |
| - Remove strict dependencies to krb5-server version in order to allow | |
| update of krb5 to 1.17 and change dependency to KDB DAL version. | |
| Resolves: RHBZ#1700121 | |
| - kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) | |
| Resolves: RHEL-29927 | |
| - kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) | |
| Resolves: RHEL-29692 | |
| - Update Requires on krb5-server to 1.11 | |
| - Upstream release FreeIPA 4.9.6 | |
| Related: RHBZ#1945038 | |
| - Revise PKINIT upgrade code | |
| Resolves: RHBZ#1886837 | |
| - ipa-cert-fix man page: add note about certmonger renewal | |
| Resolves: RHBZ#1780317 | |
| - Certificate Serial Number issue | |
| Resolves: RHBZ#1919384 | |
| - Update to upstream 3.3.1 (#991064) | |
| - Update minimum version of bind-dyndb-ldap to 3.5 | |
| - Rebuild for Python 2.6 | |
| - Load ipa_dogtag.pp in post install | |
| - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services | |
| by abusing password policy | |
| - password policy: Add explicit default password policy for hosts and | |
| services | |
| - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in | |
| certprofile-mod | |
| - certprofile-mod: correctly authorise config update | |
| - Fix systemd-user HBAC rule | |
| Resolves: RHBZ#1664974 | |
| - dcerpc: invalidate forest trust info cache when filtering out realm domains | |
| Resolves: RHEL-28559 | |
| - Backport latest test fixes in python3-tests | |
| ipatests: add xfail for autoprivate group test with override | |
| ipatests: remove xfail thanks to sssd 2.9.4 | |
| ipatests: adapt for new automembership fixup behavior | |
| ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases | |
| test_xmlrpc: adopt to automember plugin message changes in 389-ds | |
| Resolves: RHEL-29908 | |
| - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations | |
| Resolves: RHBZ#1870202 | |
| - Do not check if port 8443 is available in step 2 of external CA install | |
| (#1129481) | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: #1260663 crash of ipa-dnskeysync-replica component during | |
| ipa-restore | |
| - IPA Restore: allows to specify files that should be removed | |
| - Resolves: #1261806 Installing ipa-server package breaks httpd | |
| - Handle timeout error in ipa-httpd-kdcproxy | |
| - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. | |
| - Server Upgrade: backup CS.cfg when dogtag is turned off | |
| - Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to | |
| validate message: Incorrect number of results (0) searching for public | |
| key for host | |
| - Always check peer has keys before connecting | |
| - Resolves: #1482802 - Unable to set ca renewal master on replica | |
| - Fix ipa config-mod --ca-renewal-master | |
| - Resolves: #1486283 - TypeError in renew_ca_cert prevents from switching | |
| back to self-signed CA | |
| - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) | |
| - Resolves: #1480102 - ipa-server-upgrade fails with "This entry already exists" | |
| - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists | |
| - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from | |
| versions with 389 DS prior to 1.3.3.0 doesn't have whoami plugin enabled and | |
| thus startup of Web UI fails | |
| - Adds whoami DS plugin in case that plugin is missing | |
| - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 | |
| - Fixing how sssd.conf is updated when promoting a client to replica | |
| - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 | |
| parameters! | |
| - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace | |
| - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found | |
| (ipa-server-upgrade) | |
| - Backport 4-5: Fix ipa-server-upgrade with server cert tracking | |
| - Add explicit dependency for libvert-libev | |
| Resolves: RHBZ#2104929 | |
| - Add versioned dependency of samba-client-libs to ipa-server | |
| - Related: RHBZ#2021443 | |
| - Version bump for release | |
| - PKI service restart after CA renewal failed (#1040018) | |
| - Resolves: #1469246 Replica install fails to configure IPA-specific | |
| temporary files/directories | |
| - replica install: drop-in IPA specific config to tmpfiles.d | |
| - Resolves: #1469480 bind package is not automatically updated during | |
| ipa-server upgrade process | |
| - Bumped Required version of bind-dyndb-ldap and bind package | |
| - Add dependency for python-krbV | |
| - Remove client-epn left over files for ONLY_CLIENT | |
| Related: RHBZ#1847999 | |
| - Drop Requires of python-krbV on ipa-client | |
| - Upstream release FreeIPA 4.9.5 | |
| Related: RHBZ#1945038 | |
| - IPA to allow setting a new range type | |
| Resolves: RHBZ#1688267 | |
| - ipa-server-install displays debug output when --debug output is not | |
| specified. | |
| Resolves: RHBZ#1943151 | |
| - ACME fails to generate a cert on migrated RHEL8.4 server | |
| Resolves: RHBZ#1934991 | |
| - Switch ipa-client to use the JSON API | |
| Resolves: RHBZ#1937856 | |
| - IDM - Allow specifying permanent logging settings for BIND | |
| Resolves: RHBZ#1951511 | |
| - Cache LDAP data within a request | |
| Resolves: RHBZ#1953656 | |
| - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |
| Resolves: RHBZ#1957768 | |
| - Upstream release FreeIPA 4.8.6 | |
| - New SELinux sub package to provide own module | |
| - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in | |
| SELinux external policy support | |
| Related: RHBZ#1818765 | |
| - Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf | |
| - Upstream pre release FreeIPA 4.9.0rc1 | |
| Resolves: RHBZ#1891832 | |
| - Requirements and design for libpwquality integration | |
| Resolves: RHBZ#1340463 | |
| - When parsing options require name/value pairs | |
| Resolves: RHBZ#1357495 | |
| - WebUI: Fix issue with opening links in new tab/window | |
| Resolves: RHBZ#1484088 | |
| - Use a state to determine if a 389-ds upgrade is in progress | |
| Resolves: RHBZ#1569011 | |
| - Unlock user accounts after a password reset and replicate that unlock to | |
| all IdM servers | |
| Resolves: RHBZ#1784657 | |
| - Set the certmonger subject with a string, not an object | |
| Resolves: RHBZ#1810148 | |
| - Implement ACME certificate enrolment | |
| Resolves: RHBZ#1851835 | |
| - [WebUI] Backport jQuery patches from newer versions of the library (e.g. | |
| 3.5.0) | |
| Resolves: RHBZ#1859249 | |
| - It is not possible to edit KDC database when the FreeIPA server is running | |
| Resolves: RHBZ#1875001 | |
| - Fix nsslapd-db-lock tuning of BDB backend | |
| Resolves: RHBZ#1882340 | |
| - ipa-kdb: support subordinate/superior UPN suffixes | |
| Resolves: RHBZ#1891056 | |
| - wgi/plugins.py: ignore empty plugin directories | |
| Resolves: RHBZ#1894800 | |
| - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit | |
| Resolves: RHBZ#1790663 | |
| - Rebase ipa to 4.9.12 | |
| Resolves: RHBZ#2196425 | |
| - user or group name: explain the supported format | |
| Resolves: RHBZ#2150217 | |
| - PassSync does not sync passwords due to missing ACIs (#1181093) | |
| - ipa-replica-manage list does not list synced domain (#1181010) | |
| - Do not assume certmonger is running in httpinstance (#1181767) | |
| - ipa-replica-manage disconnect fails without password (#1183279) | |
| - Put LDIF files to their original location in ipa-restore (#1175277) | |
| - DUA profile not available anonymously (#1184149) | |
| - IPA replica missing data after master upgraded (#1176995) | |
| - Resolves: #1258965 ipa vault: set owner of vault container | |
| - baseldap: make subtree deletion optional in LDAPDelete | |
| - vault: add vault container commands | |
| - vault: set owner to current user on container creation | |
| - vault: update access control | |
| - vault: add permissions and administrator privilege | |
| - install: support KRA update | |
| - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses | |
| - config: allow user/host attributes with tagging options | |
| - Resolves: #1262315 Unable to establish winsync replication | |
| - winsync: Add inetUser objectclass to the passsync sysaccount | |
| - Hardening for CVE-2020-25717 | |
| - Related: RHBZ#2019668 | |
| - Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca | |
| - Keep NSS trust flags of existing certificates | |
| - Resolves: #1360813 ipa-server-certinstall does not update all certificate | |
| stores and doesn't set proper trust permissions | |
| - Add cert checks in ipa-server-certinstall | |
| - Resolves: #1371479 cert-find --all does not show information about revocation | |
| - cert: add revocation reason back to cert-find output | |
| - Resolves: #1375133 WinSync users who have First.Last casing creates users who | |
| can have their password set | |
| - ipa passwd: use correct normalizer for user principals | |
| - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers | |
| - Properly handle LDAP socket closures in ipa-otpd | |
| - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 | |
| - Make httpd publish its CA certificate on DL1 | |
| - Use the OpenSSL certificate parser in cert-find | |
| Resolves: RHBZ#2209947 | |
| - Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains | |
| that conflicts with AD DC | |
| - trusts: Check for AD root domain among our trusted domains | |
| - Resolves: #1195339 ipa-client-install changes the label on various files | |
| which causes SELinux denials | |
| - sysrestore: copy files instead of moving them to avoid SELinux issues | |
| - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned | |
| commands / ntpd -qgc $tmpfile hangs | |
| - enable debugging of ntpd during client installation | |
| - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled | |
| - migration: Use api.env variables. | |
| - Resolves: #1212719 abort-clean-ruv subcommand should allow | |
| replica-certifyall: no | |
| - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand | |
| - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has | |
| occurred | |
| - dcerpc: Expand explanation for WERR_ACCESS_DENIED | |
| - dcerpc: Fix UnboundLocalError for ccache_name | |
| - Resolves: #1222778 idoverride group-del can delete user and user-del can | |
| delete group | |
| - dcerpc: Add get_trusted_domain_object_type method | |
| - idviews: Restrict anchor to name and name to anchor conversions | |
| - idviews: Enforce objectclass check in idoverride*-del | |
| - Resolves: #1234919 Be able to request certificates without certmonger service | |
| running | |
| - certmonger: Use private unix socket when DBus SystemBus is not available. | |
| - ipa-client-install: Do not (re)start certmonger and DBus daemons. | |
| - Resolves: #1240939 Please add dependency on bind-pkcs11 | |
| - Create server-dns sub-package. | |
| - ipaplatform: Add constants submodule | |
| - DNS: check if DNS package is installed | |
| - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow | |
| calling out oddjobd-activated services | |
| - selinux: enable httpd_run_ipa to allow communicating with oddjobd services | |
| - Resolves: #1243261 non-admin users cannot search hbac rules | |
| - fix hbac rule search for non-admin users | |
| - fix selinuxusermap search for non-admin users | |
| - Resolves: #1243652 Client has missing dependency on memcache | |
| - do not import memcache on client | |
| - Resolves: #1243835 [webui] user change password dialog does not work | |
| - webui: fix user reset password dialog | |
| - Resolves: #1244802 spec: selinux denial during kdcproxy user creation | |
| - Fix selinux denial during kdcproxy user creation | |
| - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user | |
| - oddjob: avoid chown keytab to sssd if sssd user does not exist | |
| - Resolves: #1246136 Adding a privilege to a permission avoids validation | |
| - Validate adding privilege to a permission | |
| - Resolves: #1246141 DNS Administrators cannot search in zones | |
| - DNS: Consolidate DNS RR types in API and schema | |
| - Resolves: #1246143 User plugin - user-find doesn't work properly with manager | |
| option | |
| - fix broken search for users by their manager | |
| - Updated to upstream 3.1.0 GA | |
| - Set minimum for sssd to 1.9.2 | |
| - Set minimum for pki-ca to 10.0.0-1 | |
| - Set minimum for 389-ds-base to 1.3.0 | |
| - Set minimum for selinux-policy to 3.11.1-60 | |
| - Remove unneeded dogtag package requires | |
| - Allow longer dirsrv startup with systemd: | |
| - IPAdmin class will wait until dirsrv instance is available up to 10 seconds | |
| - Helps with restarts during upgrade for ipa-ldap-updater | |
| - Fix pylint warnings from F16 and Rawhide | |
| - Update to upstream 2.2.0 beta 1 (2.1.90.rc1) | |
| - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. | |
| - Add Conflicts on mod_ssl | |
| - Update minimum n-v-r of 389-ds-base to 1.2.10.4 | |
| - Update minimum n-v-r of sssd to 1.8.0 | |
| - Update minimum n-v-r of slapi-nis to 0.38 | |
| - Update minimum n-v-r of pki-* to 9.0.18 | |
| - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 | |
| - Update conflicts on bind to < 9.9.0-1 | |
| - Drop requires on krb5-server-ldap | |
| - Add patch to remove escaping arguments to pkisilent | |
| - Resolves: #1475238 Use CommonNameToSANDefault in default profile | |
| (new installs only) | |
| - Restore old version of caIPAserviceCert for upgrade only | |
| - Default to systemd for Fedora 16 and onwards | |
| - Remove duplicate %files entries on share/ipa/static | |
| - Add python default encoding shared library | |
| - webui: Do not allow empty pagination size | |
| Resolves: RHBZ#2094672 | |
| - Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub | |
| package | |
| Related: RHBZ#1891832 | |
| - Require krb5 release 1.18.2-25 or later | |
| Resolves: RHBZ#2234711 | |
| - Resolves: #1382053 Need to have validation for idrange names | |
| - idrange-add: properly handle empty --dom-name option | |
| - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit | |
| helper when installing replica | |
| - dsinstance: reconnect ldap2 after DS is restarted by certmonger | |
| - httpinstance: avoid httpd restart during certificate request | |
| - dsinstance, httpinstance: consolidate certificate request code | |
| - install: request service certs after host keytab is set up | |
| - renew agent: revert to host keytab authentication | |
| - renew agent, restart scripts: connect to LDAP after kinit | |
| - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted | |
| domain entry | |
| - ipa-sam: create the gidNumber attribute in the trusted domain entry | |
| - Upgrade: add gidnumber to trusted domain entry | |
| - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: | |
| Incorrect client security database password | |
| - Add pki_pin only when needed | |
| - Resolves: #1438348 Console output message while adding trust should be | |
| mapped with texts changed in Samba. | |
| - ipaserver/dcerpc: unify error processing | |
| - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid | |
| 'Credentials': Missing credentials for cross-forest communication | |
| - trust: always use oddjobd helper for fetching trust information | |
| - Resolves: #1441192 Add the name of URL parameter which will be check for | |
| username during cert login | |
| - WebUI: cert login: Configure name of parameter used to pass username | |
| - Resolves: #1437879 [copr] Replica install failing | |
| - Create system users for FreeIPA services during package installation | |
| - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install | |
| - Fix s4u2self with adtrust | |
| - Update to upstream 4.6.90.pre1 | |
| - Fix misleading errors during client install rollback | |
| Resolves: RHBZ#1658283 | |
| - ipa-advise: update url of cacerdir_rehash tool | |
| Resolves: RHBZ#1658287 | |
| - Handle NTP configuration in a replica server installation | |
| Resolves: RHBZ#1651679 | |
| - Fix defects found by static analysis | |
| Resolves: RHBZ#1658182 | |
| - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad | |
| Resolves: RHBZ#1658294 | |
| - ipaldap: invalid modlist when attribute encoding can vary | |
| Resolves: RHBZ#1658302 | |
| - Allow ipaapi and Apache user to access SSSD IFP | |
| Resolves: RHBZ#1639910 | |
| - Add sysadm_r to default SELinux user map order | |
| Resolves: RHBZ#1658303 | |
| - certdb: ensure non-empty Subject Key Identifier and validate server cert sig | |
| Resolves: RHBZ#1641988 | |
| - ipa-replica-install: password and admin-password options mutually exclusive | |
| Resolves: RHBZ#1658309 | |
| - ipa upgrade: handle double-encoded certificates | |
| Resolves: RHBZ#1658310 | |
| - PKINIT: fix ipa-pkinit-manage enable|disable | |
| Resolves: RHBZ#1658313 | |
| - Enable LDAP debug output in client to display TLS errors in join | |
| Resolves: RHBZ#1658316 | |
| - rpc: always read response | |
| Resolves: RHBZ#1639890 | |
| - ipa vault-retrieve: fix internal error | |
| Resolves: RHBZ#1658485 | |
| - Move ipa's systemd tmpfiles from /var/run to /run | |
| Resolves: RHBZ#1658487 | |
| - Fix authselect invocations to work with 1.0.2 | |
| Resolves: RHBZ#1654291 | |
| - ipa-client-automount and NFS unit name changes | |
| Resolves: RHBZ#1645501 | |
| - Fix compile issue with new 389-ds | |
| Resolves: RHBZ#1659448 | |
| - Update to upstream 3.2.0 Prerelease 1 | |
| - Use upstream reference spec file as a base for Fedora spec file | |
| - Add dep for freeipa-admintools and acl | |
| - Drop conflicts on mod_nss | |
| - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) | |
| - Drop a slew of conditionals on older Fedora releases (< 12) | |
| - Add a few conditionals against RHEL 6 | |
| - Add Requires of nss-tools on ipa-client | |
| - Require samba packages instead of obsoleted samba4 packages | |
| - Upstream release FreeIPA 4.8.7 | |
| - Require new samba build 4.12.3-0 | |
| Related: RHBZ#1818765 | |
| - New client-epn sub package | |
| Resolves: RHBZ#913799 | |
| - Fix ipa-replica-install crashes | |
| - Fix ipa-server-install and ipa-dns-install logging | |
| - Set minimum version of pki-ca to 9.0.17 to fix sslget problem | |
| caused by FEDORA-2011-17400 update (#771357) | |
| - Added httpd SELinux policy so CRLs can be read | |
| - Build radius separately | |
| - Fix a few minor issues | |
| - rebuild with new openssl | |
| - Update to upstream 3.2.2 | |
| - Drop ipa-server-selinux subpackage | |
| - Drop redundant directory /var/cache/ipa/sessions | |
| - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost | |
| - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency | |
| issues when there are still old parts of software (like entitlements plugin) | |
| - [WebUI] IPA Error 3007: RequirmentError" while adding members in | |
| "User ID overrides" tab (updated) | |
| Resolves: RHBZ#1757045 | |
| - ipa-client-install: use the authselect backup during uninstall | |
| Resolves: RHBZ#1810179 | |
| - Replace SSLCertVerificationError with CertificateError for py36 | |
| Resolves: RHBZ#1858318 | |
| - Fix AVC denial during ipa-adtrust-install --add-agents | |
| Resolves: RHBZ#1859213 | |
| - Update to upstream 3.2.0 GA | |
| - ipa-client-install fails if /etc/ipa does not exist (#961483) | |
| - Certificate status is not visible in Service and Host page (#956718) | |
| - ipa-client-install removes needed options from ldap.conf (#953991) | |
| - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) | |
| - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) | |
| - Require nss 3.14.3-12.0 to address certutil certificate import | |
| errors (#953485) | |
| - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 | |
| environments. (#953464) | |
| - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) | |
| - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) | |
| - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for | |
| socket based connections (#960222) | |
| - Require libsss_nss_idmap-python | |
| - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to | |
| member is now done automatically and having it in the config file raises | |
| an error. | |
| - Add backup and restore tools, directory. | |
| - require at least systemd 38 which provides the journal (we no longer | |
| need to require syslog.target) | |
| - Update Requires on policycoreutils to 2.1.14-37 | |
| - Update Requires on selinux-policy to 3.12.1-42 | |
| - Update Requires on 389-ds-base to 1.3.1.0 | |
| - Remove a Requires for java-atk-wrapper | |
| - Re-add accidentally removed patches for #1170695 and #1164896 | |
| - Broke individual Requires and BuildRequires onto separate lines and | |
| reordered them | |
| - Added python-tgexpandingformwidget as a dependency | |
| - Require at least fedora-ds-base 1.1 | |
| - Resolves: #1432630 python2-jinja2 needed for python2-ipaclient | |
| - Remove csrgen | |
| - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets | |
| - Add options to allow ticket caching | |
| - Drop BuildRequires on mozldap-devel | |
| - Resolves: #747612 [RFE] IPA should support and manage DNS sites | |
| - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) | |
| in the default global_policy in IPA sets user's password expiration | |
| (krbPasswordExpiration) to be 90 days | |
| - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records | |
| - Resolves: #1084018 [RFE] Add IdM user password change support for legacy | |
| client compat tree | |
| - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos | |
| aliases) | |
| - Fix incorrect check for principal type when evaluating CA ACLs | |
| - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI | |
| - Resolves: #1238190 ipasam unable to lookup group in directory yet manual | |
| search works | |
| - Resolves: #1250110 search by users which don't have read rights for all attrs | |
| in search_attributes fails | |
| - Resolves: #1263764 Show Certificate displays in useless format | |
| - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all | |
| the options after adding new certificate | |
| - Resolves: #1292141 Rebase to FreeIPA 4.4+ | |
| - Rebase to 4.4.0 | |
| - Resolves: #1294503 IPA fails to issue 3rd party certs | |
| - Resolves: #1298242 [RFE] API compatibility - compatibility of clients | |
| - Resolves: #1298848 [RFE] Centralized topology management | |
| - Resolves: #1298966 [RFE] Extend Smart Card support | |
| - Resolves: #1315146 Multiple clients cannot join domain simultaneously: | |
| /var/run/httpd/ipa/clientcaches race condition? | |
| - Resolves: #1318903 ipa server install failing when SUBCA signs the cert | |
| - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper | |
| console output | |
| - Resolves: #1324055 IPA always qualify requests for admin | |
| - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names | |
| - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate | |
| hold | |
| - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) | |
| - Resolves: #1349281 Fix `Conflicts` with ipa-python | |
| - Resolves: #1350695 execution of copy-schema script fails | |
| - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z | |
| - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test | |
| execution to 7.3 | |
| - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to | |
| create ipa-ca entry | |
| - Related: #1343422 [RFE] Add GssapiImpersonate option | |
| - Upstream pre release FreeIPA 4.9.0rc3 | |
| Related: RHBZ#1891832 | |
| - kdb: PAC generator: do not fail if canonical principal is missing | |
| Resolves: RHEL-23630 | |
| - ipa-kdb: Fix memory leak during PAC verification | |
| Resolves: RHEL-22644 | |
| - Fix session cookie access | |
| Resolves: RHEL-23622 | |
| - Do not ignore staged users in sidgen plugin | |
| Resolves: RHEL-23626 | |
| - ipa-kdb: Disable Bronze-Bit check if PAC not available | |
| Resolves: RHEL-22313 | |
| - krb5kdc: Fix start when pkinit and otp auth type are enabled | |
| Resolves: RHEL-4874 | |
| - hbactest was not collecting or returning messages | |
| Resolves: RHEL-12780 | |
| - Update to upstream freeipa-2.0.0.rc2 | |
| - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in | |
| - Set minimum version of sssd to 1.5.1 | |
| - Patch to include SuiteSpotGroup when setting up 389-ds instances | |
| - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled | |
| - Rebase ipa to 4.9.13 | |
| Resolves: RHEL-16936 | |
| - Add BuildRequires for authconfig | |
| - Move ipa-tests package to separate srpm (#1032668) | |
| - Remove dependency on python-paramiko (#1002884) | |
| - Broken redirection when deleting last entry of DNS resource | |
| record (#1006360) | |
| - Resolves: #1256840 [webui] majority of required fields is no longer marked as | |
| required | |
| - fix missing information in object metadata | |
| - Resolves: #1256842 [webui] no option to choose trust type when creating a | |
| trust | |
| - webui: add option to establish bidirectional trust | |
| - Resolves: #1256853 Clear text passwords in KRA install log | |
| - Removed clear text passwords from KRA install log. | |
| - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be | |
| discouraged | |
| - vault: change default vault type to symmetric | |
| - Resolves: #1257163 renaming certificate profile with --rename option leads | |
| to integrity issues | |
| - certprofile: prevent rename (modrdn) | |
| - Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy | |
| - python2-ipalib: add missing python dependency | |
| - installer service: fix typo in service entry | |
| - upgrade: add missing suffix to http instance | |
| - Resolves: #1444791 Update man page of ipa-kra-install | |
| - ipa-kra-install manpage: document domain-level 1 | |
| - Resolves: #1441493 ipa cert-show raises stack traces when | |
| --certificate-out=/tmp | |
| - cert-show: writable files does not mean dirs | |
| - Resolves: #1441192 Add the name of URL parameter which will be checked for | |
| username during cert login | |
| - Bump version of ipa.conf file | |
| - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login | |
| - Turn on NSSOCSP check in mod_nss conf | |
| - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting | |
| template on | |
| - renew agent: respect CA renewal master setting | |
| - server upgrade: always fix certmonger tracking request | |
| - cainstance: use correct profile for lightweight CA certificates | |
| - renew agent: allow reusing existing certs | |
| - renew agent: always export CSR on IPA CA certificate renewal | |
| - renew agent: get rid of virtual profiles | |
| - ipa-cacert-manage: add --external-ca-type | |
| - Resolves: #1441593 error adding authenticator indicators to host | |
| - Fixing adding authenticator indicators to host | |
| - Resolves: #1449525 Set directory ownership in spec file | |
| - Added plugins directory to ipaclient subpackages | |
| - ipaclient: fix missing RPM ownership | |
| - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' | |
| - otptoken-add-yubikey: When --digits not provided use default value | |
|
|
|
| python3-jwcrypto-0.5.0-2.module+el8.10.0+1818+2dfda7a6.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild |
| - Build Python 3 package on RHEL > 7, fixes RHBZ#1516813 | |
| - Fix macro in changelog | |
| - Remove the last remnants of the test suite | |
| - Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1567152 | |
| - Run tests with bytes warning | |
| - New release | |
| - Fix F21 build error by adding buildrequire python-setuptools | |
| - Move files into python3-jwcrypto subpackage | |
| - Run test suite | |
| - Do not install test suite | |
| - Fix summary and description of python3-jwcrypto | |
| - Ship readme and license with python3 subpackage | |
| - Move tests to %check | |
| - New upstream release 0.5.0 | |
| - Fixes Coverity scan issue | |
| - Enable python3 build | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Upstream release 0.4.2 | |
| - Resolves: RHBZ #1476150 | |
| - Rebuild for Python 3.6 | |
| - Upstream release 0.4.1 | |
| - Initial packaging | |
| - Modernize spec | |
| - Address potential DoS with high compression ratio | |
| Resolves: RHEL-28697 | |
| - Limit number of iterations for PBES | |
| Resolves: RHEL-23036 RHEL-23037 | |
| - Bump dist to solve version sorting issue, fixes RHBZ#2097800 | |
| - Security release 0.3.2 | |
| - Resolves: CVE-2016-6298 | |
| - Bugfix release 0.3.1 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - New release | |
| - Fixes some key generation issues | |
|
|
|
| python3-ldap-3.3.1-2.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
| - duh, build requires python-devel, not just python... | |
| - Fix a build error. | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - New upstream release 3.1.0 | |
| - Resolves: rhbz#1889615 | |
| - New upstream release 3.1.0 | |
| - New upstream release 3.0.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Stricter python version requirements. | |
| - BuildRequire openssl-devel. | |
| - Explicitly build *.pyo, install them as %ghost. | |
| - Own more installed dirs. | |
| - Remove $RPM_BUILD_ROOT at start of %install. | |
| - Fix SASL get/set options on big endian platforms | |
| - Resolves: #1931865 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 2.3 | |
| - Spec file cleanups. | |
| - rebuilt | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Fix issue in pyasn1 patch | |
| - fix license tag | |
| - update to 2.3.5 | |
| - Conditionalize, and don't build, the python2 subpackage | |
| - rebuild (#139161) | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - New upstream release fixes bug 1007820 | |
| - Dependency on pyasn1 was added to fix bug 995545 | |
| - Rebuild for Python 2.6 | |
| - Update to 2.2.0 | |
| - Update python-ldap-2.0.6-rpath.patch and rename it to | |
| python-ldap-2.2.0-dirs.patch. | |
| - Rebuild with GCC 4.3 | |
| - Update to 2.3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - rebuilt to pick up new libssl.so.5 | |
| - New upstream release adds features required in bug 1122486 | |
| - Dependency on pyasn1-modules was added to fix bug 995545 | |
| - Update to 2.3.1 | |
| - bump again for double-long bug on ppc(64) | |
| - 2.0.6 | |
| - update to 2.0.1 | |
| - rebuild against python 2.5 | |
| - Don't build the python2 subpackage | |
| (fix for the previous commit) | |
| - New upstream release 3.0.0b3 (RHBZ #1496470) | |
| - rebuild with new openssl | |
| - fix spec permissions + release tag order (bug 1099) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - imported into Red Hat's packaging system from Fedora.us; set release to 1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuild due to bug in RPM (RHBZ #1468476) | |
| - Apply fix for pyasn1 >= 0.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild against new openssl. | |
| - rebuilt with new openssl | |
| - New upstream release 2.4.25 | |
| - add LICENCE (#150842) | |
| - simplify python reqs | |
| - remove invalid rpath | |
| - New upstream release | |
| - Put back the epoch line... happy beehive? | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Initial Fedora packaging. | |
| - Rewrote description; added requirement for openldap | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - New upstream release 3.0.0b1 (RHBZ #1496470) | |
| - Resolves RHBZ #1489184 | |
| - Enable unittests | |
| - Remove dsml module | |
| - Package python3-ldap, which obsoletes python3-pyldap | |
| - Merge-review cleanup (#226343) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650537 | |
| - In %check, use pytest directly rather than tox | |
| - Python 2 binary package renamed to python2-ldap | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - rebuilt for new gcc4.1 snapshot and glibc changes | |
| - New upstream release 3.0.0b4 (RHBZ #1496470) | |
| - Update to 2.3.10 | |
| - Change source URI to pypi.python.org. | |
| - New upstream release 3.0.0b2 (RHBZ #1496470) | |
| - Require OpenLDAP with fix for NSS issue (see #1520990) | |
| - rebuild | |
| - rebuilt with new openssl | |
|
|
|
| python3-libipa_hbac-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
| netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| - servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| - cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| - enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| - from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| - rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| - against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| - recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| - kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Can't login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| - validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than priority of samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ | |
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database access on | |
| the sock_file system_bus_socket | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found in 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid | |
| new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls | |
| to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| python3-netaddr-0.7.19-8.el8.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Add BuildDepends on dos2unix to clean up some upstream sources | |
| - New upstream release 0.7.14 | |
| - Minor tweaks to spec file aligning with latest Fedora packaging guidelines | |
| - Enforce python 2.4 dependency as needed by netaddr >= 0.6.2 | |
| - Drop BR on python-setuptool as it is not imported in setup.py | |
| - Drop BR on dos2unix use sed instead | |
| - Align description with that of delivered PKG-INFO | |
| - Rip out python shebangs | |
| - Add %check section to enable tests | |
| - Thanks to Gareth Armstrong |
|
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - New upstream version | |
| - New upstream version | |
| - New upstream release 0.7.11 | |
| - Enabled Python 3 support (bz1070357) | |
| - Fix shebang mangling for python3 (RHBZ#1546800) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Do not traceback on invalid IPNetwork input (upstream issues #2, #6, #5, #8) | |
| - Remove executable bit from documentation files to make rpmlint happy | |
| - New upstream release 0.7.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Delete file which contains bundled pytest | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Upstream 0.7.12 | |
| - Conditionalize python3 subpackages build on Fedora | |
| - Few spec cleanups | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Initial packaging for Fedora | |
| - Don't build python2 subpackage on rhel>7 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1567153 | |
| - New upstream version, bug fixes for 0.5 | |
| - Update description | |
| - Fix netaddr shebang (bug #1394046) | |
| - New upstream bugfix release | |
| - Upstream release 0.7 | |
| - New upstream release 0.7.4 | |
| - Rebuild for Python 3.6 | |
| - Add provides for python2-netaddr (RHBZ#1282129) | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - New upstream release 0.7.17 | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 | |
| - Python 2 binary package renamed to python2-netaddr | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Use updated python macros | |
| - Use %license | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - New upstream version, bug fixes for 0.5.1 | |
| - New upstream release 0.7.5 | |
| - Updated summary and description to match upstream README | |
| - Updated URL and source to reflect upstream move to github | |
| - New upstream release 0.7.18 (RHBZ#1259969) | |
| - New upstream release 0.7.2 | |
| - Updated Summary and Description with new values provided by upstream | |
| - Cleanup spec file conditionals | |
| - New upstream release 0.7.19 (RHBZ#1413231) | |
| - New upstream bugfix release | |
| - New upstream release 0.7.15 | |
| - Add separate source for tests, see https://github.com/drkjam/netaddr/issues/102 | |
| - Add patch for broken assertion, see https://github.com/drkjam/netaddr/pull/103 | |
| - Rebuild for Python 2.6 | |
| - New upstream release 0.7.1 fixes naming conflict with 'nash' by | |
| renaming the netaddr shell to 'netaddr' | |
| - New upstream bugfix release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
|
|
|
| python3-networkx-1.11-16.1.el8.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 |
| - Conditionalize the Python 2 subpackage and don't build it on EL > 7 | |
| - Rebuild for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - New upstream version | |
| - Update URLs | |
| - Add -numpy patch to fix test failure | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New upstream version | |
| - New upstream version | |
| - Drop upstreamed -test-rounding-fix patch | |
| - Upstream no longer bundles python-decorator; drop the workaround | |
| - New upstream version | |
| - Drop upstreamed -numpy patch | |
| - New upstream version | |
| - Add tex-preview BR for documentation | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Change pydot dependencies to pydotplus (bz 1326957) | |
| - New upstream version | |
| - Drop defattr | |
| - Build documentation | |
| - Fix python3-networkx-drawing subpackage (bz 1149980) | |
| - Fix python(3)-geo subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 | |
| - Note bundled jquery | |
| - Initial package. | |
| - Build dependencies cleanup | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Comply with latest python packaging guidelines (bz 1301767) | |
| - Split to subpackages and support EL6 and EL7 | |
| - Fix gdal requires block | |
| - Cleanup spec file conditionals | |
| - New upstream version | |
| - Do not use bundled python-decorator | |
| - Remove Requires: ipython, needed by one example only | |
| - Clean junk files left in /tmp | |
| - Replace __python macros with direct python invocations. | |
| - Disable checks for now. | |
| - Replace a define with global. | |
| - Fix gdal and pydot dependencies | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - BR python-setuptools | |
| - Bump version to 1.0.1. | |
| - License changed LGPLv2+ -> BSD. | |
| - Update project and source URLs | |
| - Don't build the geo subpackage | |
| - License is really LGPLv2+. | |
| - Include license as documentation. | |
| - Add a check section to run tests. | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Add patch to fix sphinx build | |
| - New upstream version | |
| - Build for both python2 and python3 | |
| - Drop BuildRoot, clean script, and clean at start of install script | |
| - Mass rebuild for Fedora 17 | |
| - Build dependencies cleanup | |
| - New upstream version | |
| - Fix license handling | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
|
|
|
| python3-networkx-core-1.11-16.1.el8.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 |
| - Conditionalize the Python 2 subpackage and don't build it on EL > 7 | |
| - Rebuild for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - New upstream version | |
| - Update URLs | |
| - Add -numpy patch to fix test failure | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New upstream version | |
| - New upstream version | |
| - Drop upstreamed -test-rounding-fix patch | |
| - Upstream no longer bundles python-decorator; drop the workaround | |
| - New upstream version | |
| - Drop upstreamed -numpy patch | |
| - New upstream version | |
| - Add tex-preview BR for documentation | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Change pydot dependencies to pydotplus (bz 1326957) | |
| - New upstream version | |
| - Drop defattr | |
| - Build documentation | |
| - Fix python3-networkx-drawing subpackage (bz 1149980) | |
| - Fix python(3)-geo subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 | |
| - Note bundled jquery | |
| - Initial package. | |
| - Build dependencies cleanup | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Comply with latest python packaging guidelines (bz 1301767) | |
| - Split to subpackages and support EL6 and EL7 | |
| - Fix gdal requires block | |
| - Cleanup spec file conditionals | |
| - New upstream version | |
| - Do not use bundled python-decorator | |
| - Remove Requires: ipython, needed by one example only | |
| - Clean junk files left in /tmp | |
| - Replace __python macros with direct python invocations. | |
| - Disable checks for now. | |
| - Replace a define with global. | |
| - Fix gdal and pydot dependencies | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - BR python-setuptools | |
| - Bump version to 1.0.1. | |
| - License changed LGPLv2+ -> BSD. | |
| - Update project and source URLs | |
| - Don't build the geo subpackage | |
| - License is really LGPLv2+. | |
| - Include license as documentation. | |
| - Add a check section to run tests. | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Add patch to fix sphinx build | |
| - New upstream version | |
| - Build for both python2 and python3 | |
| - Drop BuildRoot, clean script, and clean at start of install script | |
| - Mass rebuild for Fedora 17 | |
| - Build dependencies cleanup | |
| - New upstream version | |
| - Fix license handling | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
|
|
|
| python3-numpy-1.14.3-10.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild |
| - Update gfortran patch to recognize latest gfortran f95 support | |
| - Resolves rhbz#236444 | |
| - Drop BR: atlas-devel, since it just provides binary-compat | |
| blas and lapack libs. Atlas can still be optionally used | |
| at runtime. (Note: this is all per the atlas maintainer). | |
| - Update to 1.9.0rc1 | |
| - Fix CVE-2019-6446 | |
| resolves: #1668466 | |
| - Adjusted the postun scriptlets to enable upgrading to RHEL 9 | |
| - Resolves: rhbz#1933055 | |
| - Update to 1.8.0 final | |
| - update to 1.5.1rc1 | |
| - add python3 subpackage | |
| - some spec-cleanups | |
| - Fix rpmlint warnings | |
| - Update License | |
| - Apply patch: change shebang of f2py to use binary directly | |
| - Update to 1.11.1 final | |
| - Update to 1.7.0 final | |
| - Fixed atlas BR, BZ 505376. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 1.6.1 | |
| - Update to 1.9.1, BZ 1160273. | |
| - Update to 1.5.1 final | |
| - Switch runtime dependency of the python3-numpy-f2py package from | |
| python3-devel (that's now buildroot-only) to python3-libs-devel | |
| Resolves: rhbz#1610863 | |
| - Rebuild for Fedora Extras 5 | |
| - Since the previous didn't work, Requiring lapack. | |
| - Update to 1.7.0rc1 | |
| - Bump and rebuild for BZ 712251. | |
| - fix the AttributeError during tests | |
| - fix build on s390(x) | |
| - Update to latest upstream. | |
| - Fixed Source0 URL. | |
| - actually add the patch this time | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - New upstream release | |
| - 1.14.3 | |
| - Update to 1.6.2 final | |
| - Rebuild with fixed gating.yaml | |
| related: #1687873 | |
| - Update to 1.11.2 final | |
| - Add provides to satisfy numpy%{_isa} requires in other packages | |
| - New upstream release | |
| - Upstream update | |
| - Update to 1.6.0b1 | |
| - Build python3 module with python3 | |
| - Add patch from upstream to fix build time import error | |
| - Update to 1.12.0, build with gcc 7.0. | |
| - Fix __pycache__ ownership (bug #1072467) | |
| - Update to 1.7.0b1 | |
| - Rebase python 3.3 patches to current git master | |
| - Drop patches applied upstream | |
| - Fix CVE-2014-1858, CVE-2014-1859: #1062009, #1062359 | |
| - Re-enabling atlas BR, dropping lapack Requires. | |
| - Remove fortran flags or arm would build with -march=x86-64 | |
| - New upstream release | |
| - 1.13.0 rc2 | |
| - Update to 1.11.0 final | |
| - New upstream release | |
| - Per discussion w/Jose Matos, Obsolete/Provide f2py, as the | |
| stand-alone one is no longer supported/maintained upstream | |
| - Upstream update | |
| - Fix obsoletes / provides for numpy -> python2-numpy rename | |
| - rebuild for newer python3 | |
| - ignore the "Ticket #1299 second test" failure on s390(x) | |
| - Update to 1.7.1 | |
| - Moved linalg, fft back to main package. | |
| - Split out f2py into subpackage, thanks Peter Robinson pbrobinson@gmail.com. | |
| - rework patches for 3.3 to more directly reflect upstream's commits | |
| - re-enable test suite on python 3 | |
| - forcibly regenerate Cython .c source to avoid import issues on Python 3.3 | |
| - Rebuilt for Python3.5 rebuild | |
| - New upstream release | |
| - source commit fix | |
| - 1.14.2 | |
| - Initial RPM release | |
| - Added gfortran patch from Neal Becker | |
| - Provide python2-* packages | |
| - Run tests with verbose=2 | |
| - URL Fix, BZ 1001337 | |
| - Update to 1.10.4, BZ 1296509. | |
| - Update to 1.6.0 final | |
| - 1.13.1 final | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 1.8.0b2 | |
| - Fixing FTBFS on ppc64le (#1078354) | |
| - New upstream release | |
| - set proper environment variables for openblas | |
| - Update to 1.11.0b2, BZ 1306249. | |
| - Update to 1.10.2, BZ 1291674. | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Reverted to 1.3.0 after upstream pulled 1.4.0, BZ 579065. | |
| - Linking /usr/include/numpy to .h files, BZ 185079. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - 1.14.0 rc1 | |
| - Update to 1.11.1rc1, BZ 1340440. | |
| - Update to 1.6.0b2 | |
| - Drop import patch fixed upstream | |
| - Update to 1.8.2 | |
| - Update to 1.2.1. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Add [atlas] to site.cfg for new atlas library names | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - 1.14.1 | |
| - 1.13.0 rc1 | |
| - Update to 1.6.2rc1 | |
| - New upstream release. Include backported doublefree patch | |
| - rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 | |
| - needs unicode patch | |
| - Move f2py documentation to f2py package (bug #1027394) | |
| - New upstream release, added python-nose BR. BZ 465999. | |
| - Using atlas blas, not blas-devel. BZ 461472. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Add patch from github pull 371 to fix python 3.3 pickle issue | |
| - Remove cython .c source regeneration - fails now | |
| - Update to 1.7.0b2 | |
| - Drop patches applied upstream | |
| - Update to 1.8.0b1 | |
| - Drop f2py patch applied upstream | |
| - Add ARM support | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 1.4.0. | |
| - Dropped ARM patch, ARM support added upstream. | |
| - Fix libdir path in site.cfg, BZ 1006242. | |
| - add workaround for rhbz#849713 (fixes FTBFS) | |
| - Update to 1.8.1 | |
| - Update to 1.8.0rc2 | |
| - Create clean site.cfg | |
| - Use serial atlas | |
| - Make f2py script name generation work with platform-python | |
| related: #1580828 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix segfault within %check on 2.7 (patch 2) | |
| - Split out doc subpackage. | |
| - Re-add provides f2py | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Bump Release. 1b2 is higher than 0b3 | |
| - New upstream release | |
| - Update to git snapshot (due to build issue) after 1.11.0b1, BZ 1301943. | |
| - Update to 1.11.0b2, BZ 1303387. | |
| - Remove f2py3 executable (only f2py3.6 should be provided) | |
| - Fix ambiguous Python 2 dependency declarations | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Rebuild for Python 2.6 | |
| - 1.13.2 | |
| - New upstream release | |
| - Update to 1.10.2rc1 | |
| - Drop opt-flags patch applied upstream | |
| - Update to 1.11.0rc2 | |
| - rebuild for atlas 3.10 | |
| - Ship doc module (bug #1034357) | |
| - Add python2-numpy provides (bug #1249423) | |
| - Spec cleanup | |
| - Add alternatives for the f2py executable | |
| - Resolves: rhbz#1633548 | |
| - Update to 1.10.1, BZ 1271022. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Specfile cleanup (bug #969854) | |
| - EVR bump for pygame chainbuild. | |
| - Update to 1.10.0b1, BZ 1252641. | |
| - Use openblas where available, BZ 1472318. | |
| - Add upstream patch to fix xerbla linkage (bug #1172834) | |
| - Moved distutils back to the main package, BZ 572820. | |
| - Update to latest upstream. | |
| - Fix broken float128 on all arches except x86_64 | |
| resolves: #1687873 | |
| - Cleanup spec file conditionals | |
| - Require python-devel, BZ 488464. | |
| - Add python egg to %files on f9+ | |
| - Update to 1.9.2 | |
| - Update site.cfg for new atlas library names | |
| - Update to 1.9.0 | |
| - Build only python3 subpackages | |
| - Use proper upstream release tarball | |
| resolves: #1594350 | |
| - Update to 1.10.0 final. | |
| - Fix up cpuinfo bug (#229753). Upstream bug/change: | |
| http://projects.scipy.org/scipy/scipy/ticket/349 | |
| - Rebuild for python 2.5 | |
| - New upstream release | |
| - Rebuild for Python 3.6 | |
| - Temporarily dropping atlas BR to work around 562577. | |
| - Update to 1.11.2rc1, BZ 1340440. | |
| - remove rhel logic from with_python3 conditional | |
| - 1.13.0 final | |
| - 1.12.1 | |
| - Update to 1.10.2rc1, BZ 1289550. | |
| - 1.13.3 | |
| - Rebuild for Python 3.4 | |
|
|
|
| python3-numpy-f2py-1.14.3-10.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild |
| - Update gfortran patch to recognize latest gfortran f95 support | |
| - Resolves rhbz#236444 | |
| - Drop BR: atlas-devel, since it just provides binary-compat | |
| blas and lapack libs. Atlas can still be optionally used | |
| at runtime. (Note: this is all per the atlas maintainer). | |
| - Update to 1.9.0rc1 | |
| - Fix CVE-2019-6446 | |
| resolves: #1668466 | |
| - Adjusted the postun scriptlets to enable upgrading to RHEL 9 | |
| - Resolves: rhbz#1933055 | |
| - Update to 1.8.0 final | |
| - update to 1.5.1rc1 | |
| - add python3 subpackage | |
| - some spec-cleanups | |
| - Fix rpmlint warnings | |
| - Update License | |
| - Apply patch: change shebang of f2py to use binary directly | |
| - Update to 1.11.1 final | |
| - Update to 1.7.0 final | |
| - Fixed atlas BR, BZ 505376. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 1.6.1 | |
| - Update to 1.9.1, BZ 1160273. | |
| - Update to 1.5.1 final | |
| - Switch runtime dependency of the python3-numpy-f2py package from | |
| python3-devel (that's now buildroot-only) to python3-libs-devel | |
| Resolves: rhbz#1610863 | |
| - Rebuild for Fedora Extras 5 | |
| - Since the previous didn't work, Requiring lapack. | |
| - Update to 1.7.0rc1 | |
| - Bump and rebuild for BZ 712251. | |
| - fix the AttributeError during tests | |
| - fix build on s390(x) | |
| - Update to latest upstream. | |
| - Fixed Source0 URL. | |
| - actually add the patch this time | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - New upstream release | |
| - 1.14.3 | |
| - Update to 1.6.2 final | |
| - Rebuild with fixed gating.yaml | |
| related: #1687873 | |
| - Update to 1.11.2 final | |
| - Add provides to satisfy numpy%{_isa} requires in other packages | |
| - New upstream release | |
| - Upstream update | |
| - Update to 1.6.0b1 | |
| - Build python3 module with python3 | |
| - Add patch from upstream to fix build time import error | |
| - Update to 1.12.0, build with gcc 7.0. | |
| - Fix __pycache__ ownership (bug #1072467) | |
| - Update to 1.7.0b1 | |
| - Rebase python 3.3 patches to current git master | |
| - Drop patches applied upstream | |
| - Fix CVE-2014-1858, CVE-2014-1859: #1062009, #1062359 | |
| - Re-enabling atlas BR, dropping lapack Requires. | |
| - Remove fortran flags or arm would build with -march=x86-64 | |
| - New upstream release | |
| - 1.13.0 rc2 | |
| - Update to 1.11.0 final | |
| - New upstream release | |
| - Per discussion w/Jose Matos, Obsolete/Provide f2py, as the | |
| stand-alone one is no longer supported/maintained upstream | |
| - Upstream update | |
| - Fix obsoletes / provides for numpy -> python2-numpy rename | |
| - rebuild for newer python3 | |
| - ignore the "Ticket #1299 second test" failure on s390(x) | |
| - Update to 1.7.1 | |
| - Moved linalg, fft back to main package. | |
| - Split out f2py into subpackage, thanks Peter Robinson pbrobinson@gmail.com. | |
| - rework patches for 3.3 to more directly reflect upstream's commits | |
| - re-enable test suite on python 3 | |
| - forcibly regenerate Cython .c source to avoid import issues on Python 3.3 | |
| - Rebuilt for Python3.5 rebuild | |
| - New upstream release | |
| - source commit fix | |
| - 1.14.2 | |
| - Initial RPM release | |
| - Added gfortran patch from Neal Becker | |
| - Provide python2-* packages | |
| - Run tests with verbose=2 | |
| - URL Fix, BZ 1001337 | |
| - Update to 1.10.4, BZ 1296509. | |
| - Update to 1.6.0 final | |
| - 1.13.1 final | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Update to 1.8.0b2 | |
| - Fixing FTBFS on ppc64le (#1078354) | |
| - New upstream release | |
| - set proper environment variables for openblas | |
| - Update to 1.11.0b2, BZ 1306249. | |
| - Update to 1.10.2, BZ 1291674. | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Reverted to 1.3.0 after upstream pulled 1.4.0, BZ 579065. | |
| - Linking /usr/include/numpy to .h files, BZ 185079. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - 1.14.0 rc1 | |
| - Update to 1.11.1rc1, BZ 1340440. | |
| - Update to 1.6.0b2 | |
| - Drop import patch fixed upstream | |
| - Update to 1.8.2 | |
| - Update to 1.2.1. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Add [atlas] to site.cfg for new atlas library names | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - 1.14.1 | |
| - 1.13.0 rc1 | |
| - Update to 1.6.2rc1 | |
| - New upstream release. Include backported doublefree patch | |
| - rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 | |
| - needs unicode patch | |
| - Move f2py documentation to f2py package (bug #1027394) | |
| - New upstream release, added python-nose BR. BZ 465999. | |
| - Using atlas blas, not blas-devel. BZ 461472. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Add patch from github pull 371 to fix python 3.3 pickle issue | |
| - Remove cython .c source regeneration - fails now | |
| - Update to 1.7.0b2 | |
| - Drop patches applied upstream | |
| - Update to 1.8.0b1 | |
| - Drop f2py patch applied upstream | |
| - Add ARM support | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 1.4.0. | |
| - Dropped ARM patch, ARM support added upstream. | |
| - Fix libdir path in site.cfg, BZ 1006242. | |
| - add workaround for rhbz#849713 (fixes FTBFS) | |
| - Update to 1.8.1 | |
| - Update to 1.8.0rc2 | |
| - Create clean site.cfg | |
| - Use serial atlas | |
| - Make f2py script name generation work with platform-python | |
| related: #1580828 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - fix segfault within %check on 2.7 (patch 2) | |
| - Split out doc subpackage. | |
| - Re-add provides f2py | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Bump Release. 1b2 is higher than 0b3 | |
| - New upstream release | |
| - Update to git snapshot (due to build issue) after 1.11.0b1, BZ 1301943. | |
| - Update to 1.11.0b2, BZ 1303387. | |
| - Remove f2py3 executable (only f2py3.6 should be provided) | |
| - Fix ambiguous Python 2 dependency declarations | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Rebuild for Python 2.6 | |
| - 1.13.2 | |
| - New upstream release | |
| - Update to 1.10.2rc1 | |
| - Drop opt-flags patch applied upstream | |
| - Update to 1.11.0rc2 | |
| - rebuild for atlas 3.10 | |
| - Ship doc module (bug #1034357) | |
| - Add python2-numpy provides (bug #1249423) | |
| - Spec cleanup | |
| - Add alternatives for the f2py executable | |
| - Resolves: rhbz#1633548 | |
| - Update to 1.10.1, BZ 1271022. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Specfile cleanup (bug #969854) | |
| - EVR bump for pygame chainbuild. | |
| - Update to 1.10.0b1, BZ 1252641. | |
| - Use openblas where available, BZ 1472318. | |
| - Add upstream patch to fix xerbla linkage (bug #1172834) | |
| - Moved distutils back to the main package, BZ 572820. | |
| - Update to latest upstream. | |
| - Fix broken float128 on all arches except x86_64 | |
| resolves: #1687873 | |
| - Cleanup spec file conditionals | |
| - Require python-devel, BZ 488464. | |
| - Add python egg to %files on f9+ | |
| - Update to 1.9.2 | |
| - Update site.cfg for new atlas library names | |
| - Update to 1.9.0 | |
| - Build only python3 subpackages | |
| - Use proper upstream release tarball | |
| resolves: #1594350 | |
| - Update to 1.10.0 final. | |
| - Fix up cpuinfo bug (#229753). Upstream bug/change: | |
| http://projects.scipy.org/scipy/scipy/ticket/349 | |
| - Rebuild for python 2.5 | |
| - New upstream release | |
| - Rebuild for Python 3.6 | |
| - Temporarily dropping atlas BR to work around 562577. | |
| - Update to 1.11.2rc1, BZ 1340440. | |
| - remove rhel logic from with_python3 conditional | |
| - 1.13.0 final | |
| - 1.12.1 | |
| - Update to 1.10.2rc1, BZ 1289550. | |
| - 1.13.3 | |
| - Rebuild for Python 3.4 | |
|
|
|
| python3-perf-4.18.0-553.97.1.el8_10.x86_64.rpm | - libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137395] {CVE-2025-68285} |
| - media: rc: fix races with imon_disconnect() (Kate Hsuan) [RHEL-124396] {CVE-2025-39993} | |
| - media: imon: fix a race condition in send_packet() (Kate Hsuan) [RHEL-124396] | |
| - media: imon: reorganize serialization (Kate Hsuan) [RHEL-124396] | |
| - media: imon: drop references only after device is no longer used (Kate Hsuan) [RHEL-124396] | |
| - media: rc: Add support for another iMON 0xffdc device (Kate Hsuan) [RHEL-124396] | |
| - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129107] {CVE-2025-40154} | |
| - Bluetooth: hci_event: call disconnect callback before deleting conn (CKI Backport Bot) [RHEL-137039] {CVE-2023-53673} | |
| - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134423] {CVE-2025-40277} | |
| - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (John J Coleman) [RHEL-111354] | |
| - xen: Fix x86 sched_clock() interface for xen (John J Coleman) [RHEL-111354] | |
| - x86/xen/time: Output xen sched_clock time from 0 (John J Coleman) [RHEL-111354] | |
| - Adding prod certs and changed cert date to 20210620 (Sherif Nagy) | |
| - Adding Rocky secure boot certs (Sherif Nagy) | |
| - Fixing vmlinuz removal (Sherif Nagy) | |
| - Fixing UEFI CA path (Sherif Nagy) | |
| - Porting to 8.10, debranding and Rocky branding (Louis Abel) | |
| - Fixing pesign_key_name values (Sherif Nagy) | |
| - NFSv4: xattr handlers should check for absent nfs filehandles (Scott Mayhew) [RHEL-129945] | |
| - gfs2: Do not cancel internal demote requests (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: run_queue cleanup (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: simplify finish_xmote (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Get rid of unnecessary test_and_set_bit (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Retries missing in gfs2_{rename,exchange} (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: glock cancelation flag fix (Andreas Gruenbacher) [RHEL-135355] | |
| - gfs2: Minor do_xmote cancelation fix (Andreas Gruenbacher) [RHEL-135355] | |
| - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-133999] {CVE-2025-40240} | |
| - redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek) | |
| - cifs: fix automount with passwords that contain commas (Paulo Alcantara) [RHEL-125963] | |
| - perf/x86/intel/ds: Fix the conversion from TSC to perf time (Anubhav Shelat) [RHEL-127171] | |
| - perf/x86/intel/pebs: Fix PEBS timestamps overwritten (Anubhav Shelat) [RHEL-127171] | |
| - ceph: fix client race condition where r_parent becomes stale before sending message (Alex Markuze) [RHEL-120226] | |
| - ceph: fix client race condition validating r_parent before applying state (Alex Markuze) [RHEL-120226] | |
| - blk-mq: setup queue ->tag_set before initializing hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: add helper for checking if one CPU is mapped to specified hctx (Ming Lei) [RHEL-30744] | |
| - blk-mq: don't schedule block kworker on isolated CPUs (Ming Lei) [RHEL-30744] | |
| - sched/isolation: add cpu_is_isolated() API (Ming Lei) [RHEL-30744] | |
| - mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449] | |
| - drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttilä) [RHEL-125456] {CVE-2025-40096} | |
| - drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552} | |
| - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Olga Kornievskaia) [RHEL-132819] | |
| - vsock: Ignore signal/timeout on connect() if already established (CKI Backport Bot) [RHEL-139273] {CVE-2025-40248} | |
| - scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Modify handling of ADISC based on ndlp state and RPI registration (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Delete NLP_TARGET_REMOVE flag due to obsolete usage (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Update PRLO handling in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Add condition to delete ndlp object after sending BLS_RJT to an ABTS (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove NLP_RCV_PLOGI early return during RSCN processing for ndlps (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Allow lpfc_plogi_confirm_nport() logic to execute for Fabric nodes (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix possible file string name overflow when updating firmware (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Validate ELS LS_ACC completion payload (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fill in missing ndlp kref puts in error paths (Ewan D. Milne) [RHEL-32324] | |
| - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (Ewan D. Milne) [RHEL-32324] | |
| - net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301} | |
| - smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933} | |
| - smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051} | |
|
|
|
| python3-pyasn1-modules-0.3.7-6.el8.noarch.rpm | - Update to upstream version 0.0.12a |
| - Fix python2 provides for pyasn1 modules (#1295693) | |
| - Use Python 3 Sphinx if with Python 3 | |
| - Cleanup | |
| - Include doc/notes.html in the package | |
| + Revision: 31989 | |
| - fixed (build)requires | |
| - Import pyasn1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rename to python-pyasn1 | |
| - Spec file cleanups | |
| - New upstream version | |
| - If python_provide wasn't defined then the python2 subpackages | |
| didn't provide python-pyasn1-* | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Update to new upstream release 0.1.8, modules 0.0.6. | |
| - Rebuilt for Python 3.7 | |
| - Rebuilt for Python3.5 rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuild for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - update to upstream release 0.1.7 | |
| - update modules to 0.0.5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Remove the python2 subpackage | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Use setuptools to install the package | |
| - simplify the files included in the rpm so it includes the .egg-info | |
| - Update to upstream release 0.3.7 (#1492446) | |
| - Update modules to 0.1.5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Update to upstream release 0.3.4 (#1485669) | |
| - Update modules to 0.1.2 | |
| - Patch to fix crash at SequenceOf native decoder | |
| - Update to new upstream release 0.1.9, modules 0.0.8. | |
| - update to upstream release 0.1.6 | |
| - update modules to 0.0.4 | |
| - update description | |
| - add python3-pyasn1 subpackage | |
| - add versioned Requires for the module subpackages | |
| - add %check section | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to upstream version 0.0.9a | |
| - Include patch that adds parsing for the Any type | |
| - Add in missing colon after Provides | |
| - Update to upstream release 0.3.2 (#1475594) | |
| - Update modules to 0.0.11 | |
| - Explicitly provide python2 subpackages, use python_provide macro | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Update to upstream release 0.2.3 (#1426979) | |
| - Adapt to the way upstream changed the way tests are executed | |
| - Pass PYTHONPATH when building the documentation | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Rebuild for Python 2.6 | |
| - Update rpm to be more fedora friendly | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Cleanup spec file conditionals | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Update to upstream release 0.2.1 (#1419310) | |
| - Added doc subpackage and moved documentation there | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 | |
| - New release | |
| - Update to upstream version 0.0.8a | |
| - Move LICENSE to the license tag instead of doc. | |
|
|
|
| python3-pyqt5-sip-4.19.25-1.el8.x86_64.rpm | - 4.19.25 + sync with Fedora |
| Resolves: bz#2071606 | |
|
|
|
| python3-pyusb-1.0.0-9.1.module+el8.9.0+1372+09f67869.noarch.rpm | - Rebuilt to fix the NVR issue (#2094880) |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Python 2 binary package renamed to python2-pyusb | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 | |
| - Latest upstream, BZ 1192561. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - 1.0.0-a2. | |
| - Latest upstream. | |
| - Cleanup packaging and fix archful provide in noarch package | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Latest upstream. | |
| - Add python3 support, spec cleanup, BZ 1022851. | |
| - Fixed changelog. | |
| - Latest upstream, BZ 1192561. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuild for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - 1.0.0-a1 (bug #586950). | |
| - Conditionalize the python2 subpackage | |
| - Rebuild for Python 2.6 | |
| - Fix end-of-line in README | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Initial packaging | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
|
|
|
| python3-qrcode-core-5.3-1.module+el8.10.0+1916+6bb8cf6b.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild |
| - Rebuild for Python 3.6 | |
| - Create -core subpackage for minimal dependencies | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Python 2 binary package renamed to python2-qrcode | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Resolves: RHEL-15090 Generation of image file fails with Python 3 | |
| - Initial package | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 5.1 | |
| - Introduce python3 subpackages (#1237118) | |
| - Moved LICENSE from %doc to %license | |
| - Clean up spec, removing unnecessary declarations | |
| - Rename tool in %{_bindir} to the less ambiguous qrcode | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 5.0.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Make python-qrcode-core conflicts with python-qrcode < 5.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Also rename python-qrcode-core to python2-qrcode-core | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1654457, rhbz#1654458 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Conditionalize the python2 subpackage | |
|
|
|
| python3-qt5-5.15.0-3.el8.x86_64.rpm | - rebuild (qt5) |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - limit -webengine support to just primary archs (for now) | |
| - rebuild (qt5), Provides: python2-qt5 | |
| - -webengine: add ExclusiveArch (matching qt5-qtwebengine's) | |
| - Rebuild again for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pkgconfig(QtOpenGL) being satisfied by qt4 devel (#1162415) | |
| - BR: qt5-qtbase-private-devel | |
| - python3-qt5: add versioned qt5 dep (like base python-qt5 pkg has) | |
| - rebuild (qt5) | |
| - 5.9.1 | |
| - (temporarily) omit webengine support on fc26 | |
| - rebuild (sip) | |
| - wrong python release used in pyuic5 launch script (#1193107) | |
| - -doc: add qsci doc QyQt5.api content | |
| - enable Qt5WebChannel/Qt5WebSockets support | |
| - add Obsoletes for misnamed -webengine/-webkit pkgs (#1315025) | |
| - restore python3 support | |
| - PyQt-5.2.1 | |
| - restore -webengine | |
| - python3: (Build)Requires: python3-dbus | |
| - rebuild (qt5) | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebuild (sip) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - New base sub package to provide QtBase only (RHBZ#1394626) | |
| - New requirement from the main package to the base sub package | |
| - -webengine,-webkit subpkgs | |
| - Rebuild (binutils) | |
| Resolves: bz#1949066 | |
| - 5.4.1 | |
| - move -devel binaries to main pkg(s) (#1422613) | |
| - PyQt5-5.10 | |
| - Update to 5.10.1 and drop dependency on qt5-qtwebkit and qt5-qtwebengine | |
| - rebuild (sip) | |
| - 5.11.2 + sync with Fedora | |
| - add missing -webengine/-webkit descriptions | |
| - better python3-qt5-devel description | |
| - rebuild (qt5) | |
| - PyQt5-5.8.1 | |
| - -rpm-macros subpkg | |
| - PyQt-5.2 | |
| - rebuild (qt5-qtenginio) | |
| - Drop dependency on qt5-qtenginio | |
| - rebuild (sip) | |
| - fix pyrcc5 wrapper typo | |
| - add wrappers for pyrcc5,pylupdate5 (#141116,#1415812) | |
| - update provides filtering | |
| - 5.5 | |
| - Rebuild for Python 3.6 | |
| - 5.4 | |
| - PyQt5-5.9 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fixed bz#1348507, pyqt5 with python2 in isolated mode | |
| - python3-qt5: omit sip files inadvertently added in 5.7.1-5 | |
| - rebuild against new qt5-qtbase-5.7.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - rebuild (qt5) | |
| - PyQt5-5.7.1 | |
| - (temp) disable -webengine support | |
| - 5.13.1 | |
| Resolves: bz#1775603 | |
| - rebuild (sip), re-enable -webengine for secondary archs | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - rebuild (qt5) | |
| - rebuild (qt5) | |
| - PyQt5-5.7 | |
| - try to determine dbus-python install paths dynamically (#1161121) | |
| - drop ppc ppc64 ppc64le, it's not supported yet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - +macros.pyqt5 | |
| - fix python3-qt5-webkit name | |
| - BR: python2-devel, use %__python2 macro | |
| - rebuild (f21-python) | |
| - +Qt5Positioning,Qt5Sensors support | |
| - rebuild (sip) | |
| - explicitly support Qt5 newer than just 5.9.3 (+5.9.4,5.10.0,5.10.1) | |
| - Add patch to fix python3 sip installation dir (#1228432) | |
| - ensure .so modules are executable (for proper -debuginfo extraction) | |
| - 5.4.2 | |
| - PyQt-gpl-5.3 | |
| - +Qt5Bluetooth,Qt5Quick,Qt5SerialPorts support | |
| - -devel: restore dep on base pkg | |
| - Enabled QtWebEngine for Fedora >= 24 | |
| - 5.5.1 | |
| - enable qtenginio, fix pyuic5 wrapper, use %license | |
| - PyQt-gpl-5.3.2 | |
| - python3-qt5 support | |
| - rebuild (qt5-qtbase), disable -webengine (temp on f25, until fixed) | |
| - 5.9.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - -rpm-macros: Conflicts: python(3)-qt5 < 5.6 | |
| - fix python3-qt5-webengine name | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - python3-qt5-devel subpkg | |
| - License: GPLv3 (#1520186) | |
| - BR: sip + sync with Fedora | |
| - Build failure in sipQtWebKitWidgestQWebInspector: qprinter.h not found (#1160932) | |
| - python2_sitelib should be python2_sitearch (#1161121) | |
| - enable -webengine on f25+ | |
| - PyQt5-5.8 | |
| - 5.15.0 | |
| Resolves: bz#1949066 | |
| - Cleanup spec file conditionals | |
| - %description: mention PyQt5 | |
| - PyQt5-5.6 | |
| - explicitly set CFLAGS,CXXFLAGS,LFLAGS | |
| - Rebuild (Qt 5.15.3) | |
| Resolves: bz#2061729 | |
| - fixed bz#1348507 - Arbitrary code execution due to insecure loading | |
| of Python module from CWD | |
| - PyQt5-5.11 + sync with Fedora | |
| - Drop dependency on phonon and python2 support | |
| - restore qtwebengine support | |
| - use safer subdir builds | |
| - Provides: PyQt5 | |
| - rebuild (qt5) | |
| - python-qt5 is not built with $RPM_OPT_FLAGS (#1314998) | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - PyQt-gpl-5.3.1 | |
| - PyQt5-5.8.2 | |
| - Rebuild against fixed qt5-qtbase to fix -debuginfo (#1065636) | |
| - rebuild (qt5) | |
| - rebuild | |
|
|
|
| python3-qt5-base-5.15.0-3.el8.x86_64.rpm | - rebuild (qt5) |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - limit -webengine support to just primary archs (for now) | |
| - rebuild (qt5), Provides: python2-qt5 | |
| - -webengine: add ExclusiveArch (matching qt5-qtwebengine's) | |
| - Rebuild again for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - pkgconfig(QtOpenGL) being satisfied by qt4 devel (#1162415) | |
| - BR: qt5-qtbase-private-devel | |
| - python3-qt5: add versioned qt5 dep (like base python-qt5 pkg has) | |
| - rebuild (qt5) | |
| - 5.9.1 | |
| - (temporarily) omit webengine support on fc26 | |
| - rebuild (sip) | |
| - wrong python release used in pyuic5 launch script (#1193107) | |
| - -doc: add qsci doc QyQt5.api content | |
| - enable Qt5WebChannel/Qt5WebSockets support | |
| - add Obsoletes for misnamed -webengine/-webkit pkgs (#1315025) | |
| - restore python3 support | |
| - PyQt-5.2.1 | |
| - restore -webengine | |
| - python3: (Build)Requires: python3-dbus | |
| - rebuild (qt5) | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebuild (sip) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - New base sub package to provide QtBase only (RHBZ#1394626) | |
| - New requirement from the main package to the base sub package | |
| - -webengine,-webkit subpkgs | |
| - Rebuild (binutils) | |
| Resolves: bz#1949066 | |
| - 5.4.1 | |
| - move -devel binaries to main pkg(s) (#1422613) | |
| - PyQt5-5.10 | |
| - Update to 5.10.1 and drop dependency on qt5-qtwebkit and qt5-qtwebengine | |
| - rebuild (sip) | |
| - 5.11.2 + sync with Fedora | |
| - add missing -webengine/-webkit descriptions | |
| - better python3-qt5-devel description | |
| - rebuild (qt5) | |
| - PyQt5-5.8.1 | |
| - -rpm-macros subpkg | |
| - PyQt-5.2 | |
| - rebuild (qt5-qtenginio) | |
| - Drop dependency on qt5-qtenginio | |
| - rebuild (sip) | |
| - fix pyrcc5 wrapper typo | |
| - add wrappers for pyrcc5,pylupdate5 (#141116,#1415812) | |
| - update provides filtering | |
| - 5.5 | |
| - Rebuild for Python 3.6 | |
| - 5.4 | |
| - PyQt5-5.9 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - fixed bz#1348507, pyqt5 with python2 in isolated mode | |
| - python3-qt5: omit sip files inadvertently added in 5.7.1-5 | |
| - rebuild against new qt5-qtbase-5.7.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - rebuild (qt5) | |
| - PyQt5-5.7.1 | |
| - (temp) disable -webengine support | |
| - 5.13.1 | |
| Resolves: bz#1775603 | |
| - rebuild (sip), re-enable -webengine for secondary archs | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - rebuild (qt5) | |
| - rebuild (qt5) | |
| - PyQt5-5.7 | |
| - try to determine dbus-python install paths dynamically (#1161121) | |
| - drop ppc ppc64 ppc64le, it's not supported yet | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - +macros.pyqt5 | |
| - fix python3-qt5-webkit name | |
| - BR: python2-devel, use %__python2 macro | |
| - rebuild (f21-python) | |
| - +Qt5Positioning,Qt5Sensors support | |
| - rebuild (sip) | |
| - explicitly support Qt5 newer than just 5.9.3 (+5.9.4,5.10.0,5.10.1) | |
| - Add patch to fix python3 sip installation dir (#1228432) | |
| - ensure .so modules are executable (for proper -debuginfo extraction) | |
| - 5.4.2 | |
| - PyQt-gpl-5.3 | |
| - +Qt5Bluetooth,Qt5Quick,Qt5SerialPorts support | |
| - -devel: restore dep on base pkg | |
| - Enabled QtWebEngine for Fedora >= 24 | |
| - 5.5.1 | |
| - enable qtenginio, fix pyuic5 wrapper, use %license | |
| - PyQt-gpl-5.3.2 | |
| - python3-qt5 support | |
| - rebuild (qt5-qtbase), disable -webengine (temp on f25, until fixed) | |
| - 5.9.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - -rpm-macros: Conflicts: python(3)-qt5 < 5.6 | |
| - fix python3-qt5-webengine name | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - python3-qt5-devel subpkg | |
| - License: GPLv3 (#1520186) | |
| - BR: sip + sync with Fedora | |
| - Build failure in sipQtWebKitWidgestQWebInspector: qprinter.h not found (#1160932) | |
| - python2_sitelib should be python2_sitearch (#1161121) | |
| - enable -webengine on f25+ | |
| - PyQt5-5.8 | |
| - 5.15.0 | |
| Resolves: bz#1949066 | |
| - Cleanup spec file conditionals | |
| - %description: mention PyQt5 | |
| - PyQt5-5.6 | |
| - explicitly set CFLAGS,CXXFLAGS,LFLAGS | |
| - Rebuild (Qt 5.15.3) | |
| Resolves: bz#2061729 | |
| - fixed bz#1348507 - Arbitrary code execution due to insecure loading | |
| of Python module from CWD | |
| - PyQt5-5.11 + sync with Fedora | |
| - Drop dependency on phonon and python2 support | |
| - restore qtwebengine support | |
| - use safer subdir builds | |
| - Provides: PyQt5 | |
| - rebuild (qt5) | |
| - python-qt5 is not built with $RPM_OPT_FLAGS (#1314998) | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - PyQt-gpl-5.3.1 | |
| - PyQt5-5.8.2 | |
| - Rebuild against fixed qt5-qtbase to fix -debuginfo (#1065636) | |
| - rebuild (qt5) | |
| - rebuild | |
|
|
|
| python3-rpm-generators-5-8.el8.noarch.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild |
| - Update to a new upstream version of RPM | |
| - Drop upstreamed patches | |
| - Renumber remaining patches | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Switch bootstrapping macro to a bcond for modularity | |
| - Use nonstandardlib for purelib definition (#1609492) | |
| - Add patch 9: Generate requires and provides for platform-python(abi) | |
| (https://fedoraproject.org/wiki/Changes/Platform_Python_Stack) | |
| - Splitting Python RPM generators from the `rpm` package to standalone one | |
| - Fix the pythondeps.sh and pythondistdeps.py scripts for multiple digits python versions | |
| - Resolves: rhbz#2143990 | |
| - Add patch 10: Do not provide pythonXdist for platform-python packages (rhbz#1484607) | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650544 | |
| - Switch the pythondistdeps.py script to /usr/libexec/platform-python | |
| - Fork upstream generators | |
| - "Fix" support of environment markers | |
| - Rebase to rpm 4.14.0 final (http://rpm.org/wiki/Releases/4.14.0) | |
| - Re-synchronize version/release macros with the rpm Fedora package | |
| - Do not parse nested dist/egg-info metadata | |
| - Resolves: rhbz#1916172 | |
| - Enabled gating | |
| - Related: rhbz#1776941 | |
| - Create major-version provides only on major Python versions (2.7, 3.6) | |
| - Fix an extra parenthesis in python.attr | |
| - Resolves: rhbz#1776941 | |
| - Added a license file | |
| - Added a dependency on rpm for the proper directory structure | |
| - Properly owning the __pycache__ directory | |
|
|
|
| python3-scipy-1.0.0-21.module+el8.10.0+1910+234ad790.x86_64.rpm | - new version |
| - Rebuild for atlas-3.8.2 | |
| - little cosmetic changes | |
| - filter provides in python_sitearch | |
| - Minor adjustments to specfile for packaging guidelines. | |
| - Changed buildrequires fftw version 3 from fftw2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Fix python{2,3}-six Requires | |
| - Resolves: rhbz#1709599 | |
| - Rebuild for libgfortran.so.3 | |
| - Switch Python 3 conditionals to bcond | |
| - Fix for gcc34 weave blitz bug #505379 | |
| - Update to 0.15.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Autorebuild for GCC 4.3 | |
| - revert to f77 due to issue with numpy in development | |
| - update to 1.0.0 and use pytest instead of nose | |
| - use timeout during parallel %check | |
| - Rebuild for Python 3.6 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Bumping due to problems with modular RPM upgrade path | |
| - Resolves: rhbz#1695587 | |
| - Bump for rebuild against numpy 1.4.0 | |
| - Patch for stsci image function syntax fix. | |
| - Fix unversioned requires/buildrequires | |
| - Resolves: rhbz#1628242 | |
| - Update to 0.13.3 | |
| - Different BR for python36 module build | |
| - Resolves: rhbz#1615727 | |
| - Rebuild for Python 2.6 | |
| - Bump for rebuild against python 2.5 in devel tree | |
| - Add provides to satisfy scipy%{_isa} requires in other packages | |
| - Add requires python3-numpy, python3-f2py for python3-scipy (bug 863755) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuild for python 3.3 | |
| - remove arch specific optimizations | |
| - Add BuildRequires numpy | |
| - Update to 0.13.0 final | |
| - rebuilt with atlas 3.10 | |
| - Use openblas where available (except ppc64), to use same as numpy (BZ 1472318) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Build with $RPM_LD_FLAGS | |
| - Related: rhbz#1624172 | |
| - use python2 macros everywhere (Requested by Han Boetes) | |
| - Add BuildRequires gcc-c++ | |
| - Add python-devel | |
| - Add libstdc++ | |
| - rebuilt for GCC 8.x (gfortran soname bump) | |
| - Update to 0.11.0 final | |
| - Unbundle python-six (bug #1005350) | |
| - Disable tests on s390x | |
| - Link with -lm to build with new stricter Fedora flags | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1541416 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to 0.16.0 | |
| - Use python_provide macro | |
| - Remove unversioned provides | |
| - Resolves: rhbz#1628242 | |
| - fix source URL | |
| - Update to 0.13.1 | |
| - Update to 0.7.1. | |
| - Rebuild due to bug in RPM (RHBZ #1468476) | |
| - Update to 0.13.2 | |
| - Update to 0.12.0b1 | |
| - Drop upstreamed linalg patch | |
| - New upstream release | |
| - Update to new upstream source | |
| - Discard results of testsuite on %{arm} for now | |
| Segfaults on non-aligned memory test (expected for arm) | |
| - Update to final 0.7 release | |
| - Update to 0.9.0 | |
| - Drop all stsci sources and patches, dropped from upstream | |
| - Drop gcc and py27 patches fixed upstream | |
| - Add %check section to run tests | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Disable python3 tests for now | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Add f2py requires to prepared for numpy packaging split | |
| - Add patch to fix segfault in test of sgeqrf | |
| - Disabled docs building due to missing BuildRequires: python2/3-numpydoc | |
| - Disabled BuildRequires on pytest-xdist since it's not available in RHEL8 | |
| right now and doesn't seem to be actually needed for the build | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Update to 0.13.0b1 | |
| - Drop patches applied upstream | |
| - Fixup changelog and summary | |
| - update to new upstream source | |
| - update Summary, License, Url, and description | |
| - added extra dependencies | |
| - remove symlink since Lib has been renamed scipy | |
| - Update to 0.14 | |
| - Do not use system python-six (bug #1046817) | |
| - Update to latest beta which lists python 2.6 support | |
| - Update to 0.10.0 | |
| - Fix licensing to match Fedora packaging guidance | |
| - Remove unnecessary library deps | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Use openblas where available https://fedoraproject.org/wiki/Changes/OpenBLAS_as_default_BLAS | |
| - Remove ppc64 hackery for OpenBLAS | |
| - Don't run tests in parallel as pytest crashes | |
| - Don't run test_denormals as it tends to get stuck | |
| - Add patch from upstream to fix python3.3 issues in linalg routines | |
| - Add BuildRequires gcc-gfortran | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Add patch to fix ctypes test | |
| - Move requires to correct python2 subpackage | |
| - Add FFLAGS also in %install | |
| - rebuild (suitesparse) | |
| - go back to using gfortran now that numpy is patched | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - fix the stsci fix | |
| - remove rhel logic from with_python3 conditional | |
| - Bump for rebuild against numpy 1.3 | |
| - Rebuild for rpm bug 1131892 | |
| - Update to 0.14.1 | |
| - Update for new upstream release | |
| - include_dirs changes for ufsparse change in development | |
| - Update to 0.13.0rc1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Fix rpmlint warnings | |
| - License update | |
| - Add patch to use build_dir argument in build_extension | |
| - include missing setup files for stsci module | |
| - Fix f2py requires | |
| - Resolves: rhbz#1628242 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - fix for egg-info file creation | |
| - new version | |
| - Unbundle six | |
| - Resolves: rhbz#1647341 | |
| - Force preprocessing of Fortran sources to make annobin record proper flags | |
| - Resolves: rhbz#1624172 | |
| - Update to 0.10.1 | |
| - Removed test dependency python2/3-pytest-timeout, since it's not strictly needed and it's not available in RHEL8 | |
| - Add bconds for python2 | |
| - Resolves: rhbz#1615727 | |
| - Updated spec for FE Packaging Guidelines and for upstream version 0.5.1 | |
| - 0.18.0 | |
| - %check: make non-fatal as temporary workaround for scipy build on arm | |
| - minor correction for f77 usage | |
| - fix licensing tag and bump for buildid rebuild | |
| - Fix scipy build on python-2.7 | |
| - Update to 0.16.1 | |
| - New subpackages with HTML documentation | |
| - Do not create -PYTEST.pyc files | |
| - Resolves: rhbz#1934199 | |
| - Revert "Discard results of testsuite on %{arm} for now" | |
| - Fix BuildRoot | |
| - Add BuildRequires, Requires | |
| - Test remove d1mach patch | |
| - Fix defattr | |
| - Add changelog | |
| - Removed Prefix, Vendor | |
| - Fix Source0 | |
| - add python3 subpackage | |
| - Update to 0.17.0 | |
| - Drop ctypes patch applied upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Rebuild with Python 3.4 | |
| - Update to 0.11.0rc2 | |
| - Remove old ufsparse references, use suitesparse | |
| - Spec cleanup | |
| - Update to 0.12.0 final | |
| - No longer remove weave from python3 build | |
|
|
|
| python3-sss-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
| netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| - servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| - cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| - enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| - from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| - rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| - against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires 'krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| - recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Cant login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than priority of samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ | |
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database access on | |
| the sock_file system_bus_socket | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| - updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| - acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| - even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| - platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| - doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid | |
| new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls | |
| - to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found" messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross interference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| python3-sss-murmur-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
| netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| - servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| - cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| - enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| - from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| - rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| - against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| - recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| - kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Can't login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| - validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than priority of samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ | |
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also add silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| - address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| - attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database access on | |
| the sock_file system_bus_socket | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| - updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| - nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| - the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| - with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| - acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| - even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| - platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| - doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross interference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| python3-urllib3-1.24.2-9.el8_10.noarch.rpm | - Security fix for CVE-2025-66471 |
| - Security fix for CVE-2025-66418 | |
| - Security fix for CVE-2026-21441 | |
| Resolves: RHEL-139410 | |
|
|
|
| python3-yubico-1.3.2-9.1.module+el8.9.0+1372+09f67869.noarch.rpm | - Conditionalize the python2 subpackage |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt to fix NVR issue (#2097803) | |
| - Add python3-pyusb dependency to python3 subpackage (#1278210) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Add Python 3 subpackage (#1244237) | |
| - Cleanup obsolete conditions (like RHEL 6) | |
| - Update to v1.3.2 | |
| - Ship COPYING as %license where applicable | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Backport an upstream python3 fix (#1484862) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 | |
| - Add missing provide for python-yubico | |
| - Add missing obsoletes for python-yubico | |
| - Upstream 1.2.3 | |
| - Require pyusb during building when running tests | |
| - Run upstream tests during build. | |
| - Initial release. | |
| - Enable build on EL6. | |
| - Rebuild for Python 3.6 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
|
|
|
| qt5-qtbase-5.15.3-8.el8_10.x86_64.rpm | - backport 0055-Respect-manual-set-icon-themes.patch (kde#344469) |
| - conditionally use valgrind only if needed | |
| - first try | |
| - Crash in QXcbWindow::setParent() due to NULL xcbScreen (QTBUG-50081, #1291003) | |
| - 5.3.1 | |
| - 5.9.3 | |
| - DoS vulnerability in the GIF image handler (QTBUG-38367) | |
| - 5.10.0 | |
| - 5.4.0 (final) | |
| - -common: Obsoletes: qt5-qtquick1(-devel) | |
| - remove GDB hackery, it is not producing useful backtraces for the ARM crash | |
| - readd plugin __requires_exclude_from filter, it is still needed | |
| - own /etc/xdg/QtProject | |
| - Requires: qt-settings (f22+) | |
| - try bootstrap=1 (f23) | |
| - create_cmake.prf: adjust CMAKE_NO_PRIVATE_INCLUDES (#1456211,QTBUG-37417) | |
| - -no-use-gold-linker (f22+, #1193044) | |
| - Don't allow remote attacker to bypass security restrictions caused by flaw in certificate validation (CVE-2023-34410) (version #2) | |
| Resolves: bz#2212753 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Fix build on MIPS (#1322537) | |
| - drop BR: valgrind (not used, for awhile) | |
| - unconditionally enable freetype lcd_filter | |
| - (temp) disable docs (libxcb bootstrap) | |
| - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg | |
| Resolves: bz#1692970 | |
| - Fix QImage allocation failure | |
| Resolve: bz#1667860 | |
| - Fix double free in QXmlStreamReader | |
| Resolve: bz#1667858 | |
| - Fix segmentation fault on malformed BMP file | |
| Resolve: bz#1667859 | |
| - Prefer QPA implementation in qsystemtrayicon_x11 if available | |
| - introduce macros.qt5-qtbase (for %_qt5, %_qt5_epoch, %_qt5_version, %_qt5_evr) | |
| - macros.qt5: we really only want the null-pointer-checks flag here and definitely no arch-specific ones | |
| - candidate fixes for various QtDBus deadlocks (QTBUG-51648,QTBUG-51676) | |
| - -Wno-deprecated-declarations (typo missed trailing 's') | |
| - drop 5.5 XCB patches, the rebase is incomplete and does not work properly with Qt 5.4 | |
| - pull upstream patches (upstreamed versions, gcc6-related bits mostly) | |
| - F20: require libxkbcommon >= 0.4.1, only patch for the old libxcb | |
| - fix build issue with gcc6 | |
| - include recommended qtdbus patches, fix Release | |
| - respin QTBUG-51649 patch | |
| - %build: use -dbus-runtime unconditionally | |
| - drop (unused) build deps: atspi, dbus, networkmanager | |
| - disable bootstrap again | |
| - don't inject $RPM_OPT_FLAGS/$RPM_LD_FLAGS into qmake defaults f24+ (#1279265) | |
| - Rebuild for platform-python | |
| - re-introduce bootstrap/examples macros | |
| - put examples-manifest.xml in -examples | |
| - restore -doc multilib hack (to be on the safe side, can't hurt) | |
| - %build: s/-optimized-qmake/-optimized-tools/ | |
| - unconditionally undo valgrind hack when done (#1255054) | |
| - SM_CLIENT_ID property is not set (QTBUG-46310) | |
| - refresh mariadb patch wrt cr#206850 (#1491316) | |
| - fix bootstrapping logic | |
| - Non-bootstrapped build | |
| - 5.15.2 + sync with Fedora | |
| Resolves: bz#1930040 | |
| - Debootstrap | |
| - Use meta doctools package to build docs | |
| - Rebuild (binutils) | |
| Resolves: bz#1930040 | |
| - fixed bz#1409600, stack overflow in QXmlSimpleReader, CVE-2016-10040 | |
| - enable -qt-xcb to fix non-US keys under VNC (#1295713) | |
| - fix Source0: https://download.qt.io/official_releases/qt/5.9/5.9.0/submodules/qtbase-opensource-src-5.9.0.tar.xz | |
| - Valgrind still needed as buildreq due recent split qdoc package, but we can get rid of specific arch set. | |
| - Added missing libproxy buildreq | |
| - EPEL and RHEL don't have libinput, so a plugin needs to be excluded for these distros | |
| - add better fix for compile error on big endian | |
| - Enable bootstrap to first import on rawhide | |
| - crashes when connecting/disconnecting displays (#1083664,QTBUG-42985) | |
| - 5.3.0 | |
| - qt5-rpm-macros pkg | |
| - bz#1328659, load openssl libs dynamically | |
| - workaround moc/qconfig-multilib issues (#1290020,QTBUG-49972) | |
| - BR: pkgconfig(xcb-xkb) > 1.10 (f21+) | |
| - allow possibility for libxkbcommon-0.4.x only | |
| - Really debootstrap :-P | |
| - Update for official RC1 released packages | |
| - fix the allow-forcing-llvmpipe patch to patch actual caller of __glXInitialize | |
| - -examples subpkg | |
| - 5.15.3 + sync with Fedora | |
| Resolves: bz#2061377 | |
| Resolves: bz#2059853 | |
| - disable -docs (for ppc bootstrap mostly) | |
| - add rpm macros qtwebengine_arches for qtwebengine | |
| - bz#1518958, backport to fix out of bounds reads in qdnslookup_unix | |
| - Fix buffer overflow in XBM parser | |
| Resolves: bz#1870364 | |
| - add versioned Requires: libxkbcommon dep | |
| - create/own %{_qt5_plugindir}/iconengines | |
| - -devel: create/own %{_qt5_archdatadir}/mkspecs/modules | |
| - cleanup .prl | |
| - qtlogging.ini: remove comments | |
| - respin QTBUG-51767 patch | |
| - adapted the berolinux's patch for new openssl-1.1.x | |
| - -examples: include %{_qt5_docdir}/qdoc/examples-manifest.xml (#1212750) | |
| - add macros qtwebengine_arches in qt5 | |
| - When a screen comes back online, the windows need to be told about it (QTBUG-47041) | |
| - xcb: Ignore disabling of outputs in the middle of the mode switch | |
| - fix build failure on secondary arch | |
| - remove GDB hackery again, -12 built fine on i686, hack breaks ARM build | |
| - fix 10-qt5-check-opengl2.sh for multiple screens (#1245755) | |
| - Some Qt apps crash if they are compiled with gcc5 (QTBUG-45755) | |
| - workaround 'make docs' crasher on el6 (QTBUG-43057) | |
| - use %make_build, %ldconfig | |
| - drop %_licensedir hack | |
| - rebase the lowmem patch | |
| - build: ./configure -journal (f24+) | |
| - revert out-of-tree build, breaks Qt5*Config.cmake *_PRIVATE_INCLUDE_DIRS entries (all blank) | |
| - Fix incorrect integer overflow check in HTTP2 implementation | |
| Resolves: RHEL-20238 | |
| - fix build issue with gcc6 | |
| - fix check for alsa 1.1.x | |
| - Update to 5.11.1 | |
| - Update tarball with https://bugreports.qt.io/browse/QTBUG-50703 fix | |
| - enable (non-conflicting) qtchooser support | |
| - Update proper tarball. Need avoid the fix branch | |
| - Compiled with gcc | |
| - Shortcuts with KeypadModifier not working (QTBUG-33093,#1219173) | |
| - use valgrind to debug qdoc HTML generation | |
| - use linux-g++ platform unconditionally | |
| - We're back to gold linker | |
| - Remove reduce relocations | |
| - fixed bz#1442553, multilib issue | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild | |
| - track private api use via properly versioned symbols (unused for now) | |
| - pull in handful of upstream fixes, particularly... | |
| - Fix a division by zero when processing malformed BMP files (QTBUG-44547, CVE-2015-0295) | |
| - 5.2.1 | |
| - Enable EGL support | |
| - 2013-11-08_141 snapshot, arm switch qreal double | |
| - workaround gold linker issue with duplicate symbols (f27+, #1458003) | |
| - OpenSSL: handle SSL_shutdown's errors properly | |
| Resolves: bz#1851538 | |
| - Bump for rebuild. | |
| - support ppc64le multilib (#1080629) | |
| - qt5-base-devel.x86_64 qt5-base-devel.i686 file conflict qconfig.h (#1036956) | |
| - enable patch to track private api | |
| - Fix specific overflow in qtextlayout | |
| - Fix incorrect parsing of the strict-transport-security (HSTS) header | |
| - Fix buffer over-read via a crafted reply from a DNS server | |
| Resolves: bz#2209491 | |
| - pull in upstream gcc-4.8.0 buildfix | |
| - port qtdbusconnection_no_debug.patch from qt(4) | |
| - rebuild for ICU 54.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - enable bootstrap (and disable failing docs) | |
| - Fix infinite loops in QXmlStreamReader (CVE-2023-38197) | |
| Resolves: bz#2222770 | |
| - de-bootstrap | |
| - make -doc arch'd (workaround bug #1437522) | |
| - full build | |
| - -devel: Requires: redhat-rpm-config (#1248174) | |
| - HTTP2: Delay any communication until encrypted() can be responded to | |
| Resolves: RHEL-46340 | |
| - 5.0.2-rc1 | |
| - Add mesa-dri-drivers as recommends on gui package as reported by Kevin Kofler | |
| - Reference https://bugzilla.redhat.com/1249280 | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebase to latest SM patches (QTBUG-45484, QTBUG-46310) | |
| - Fix build failure with glibc | |
| - Qt5 application crashes when connecting/disconnecting displays (#1083664) | |
| - macros.qt5: use newer location, use unexpanded macros | |
| - qt5-qtbase-5.3.0-2.fc21 breaks keyboard input (#1100213) | |
| - respin lowmem patch to apply (unconditionally) to gcc-4.7.2 too | |
| - 5.2.0-beta1 | |
| - -system-libxkbcommon (f21+) | |
| - use '#!/usr/bin/perl' instead of '#!/usr/bin/env perl' | |
| - try reverting from -optimized-tools to -optimized-qmake | |
| - %build: hack around 'make docs' failures (on f22+) | |
| - limit -reduce-relocations to %ix86 x86_64 archs (QTBUG-36129) | |
| - Broken window scaling (#1381828) | |
| - Start to implement 5.6.0 beta | |
| - 5.0 (final) | |
| - Bad font rendering (#1052389,QTBUG-41590) | |
| - Disable bootstrap | |
| - rebuild for ICU 57.1 | |
| - Update to final RC | |
| - Perl 5.18 rebuild | |
| - restore moc_system_defines.patch lost in 5.7.0 rebase | |
| - -devel: Provides: qt5-qtbase-private-devel (#1233829) | |
| - undefine QMAKE_STRIP (and friends), so we get useful -debuginfo pkgs (#1065636) | |
| - New upstream version | |
| - Beta 3 | |
| - Reintroduce xcb patch from https://codereview.qt-project.org/#/c/138201/ | |
| - 5.0.2 | |
| - fix cmake config (#929227) | |
| - QOpenGLShaderProgram: glProgramBinary() resulting in LINK_STATUS=FALSE not handled properly (QTBUG-66420) | |
| - +%_qt5_libexecdir | |
| - 5.6.0-beta (final) | |
| - Integrate rc releases now. | |
| - Fix build on RHEL 7 kernel | |
| Resolves: bz#1733135 | |
| - add qtchooser support (disabled by default) | |
| - Prepare 5.7 | |
| - Move macros package away from qtbase. Now is called qt5-rpm-macros | |
| - Do not require qt-settings package | |
| - fixed build issue with new mariadb | |
| - 5.0-rc2 | |
| - initial try at putting non-conflicting binaries in %_bindir | |
| - Unify firebird patch for both versions | |
| - Bootstrap again for copr | |
| - -docs: BuildRequires: qt5-qhelpgenerator | |
| - %ix86: build -no-sse2 (#1103185) | |
| - needs a minimum version on sqlite build dependency (#1038617) | |
| - fix build when doc macro not defined | |
| - -doc subpkg (not enabled) | |
| - enable %check | |
| - ExcludeArch: ppc64 ppc (#1005482) | |
| - Upstream official release | |
| - 5.4.0-beta | |
| - avoid extra -devel deps by moving *Plugin.cmake files to base pkgs | |
| - support bootstrap macro, to disable -doc,-examples | |
| - build with and add to macros.qt5 flags: -fno-delete-null-pointer-checks | |
| - bootstrap rebuild for hunspell 1.4.0 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681889 | |
| - Beta 3 release | |
| - drop disconnect_displays.patch so we can better test latest xcb/display work | |
| - -dbus=runtime on el6 (#1196359) | |
| - %build: -no-directfb | |
| - unable to use input methods in ibus-1.5.10 (#1203575) | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Qt 5.7.0 release | |
| - update to 5.4.1 | |
| - backport "crash on start if system bus is not available" (QTBUG-51299) | |
| - Get rid of valgrind hack. It sort out that we don't need it anymore (#1211203) | |
| - update moc patch to define _SYS_SYSMACROS_H_OUTER instead (#1396755) | |
| - 5.12.5 + sync with Fedora | |
| Resolves: bz#1733135 | |
| - add poll support, thanks to fweimer@redhat.com (QTBUG-27195) | |
| - own %{_qt5_plugindir}/{designer,iconengines,script,styles} | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657206 | |
| - 5.4.0-rc | |
| - use upstream commit/fix for QTBUG-46310 | |
| - restore qdoc/gdb hackery, i686 still needs it :( | |
| - Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858) | |
| - try harder to avoid doc/multilib conflicts (#1212750) | |
| - Qt 5.5 RC 1 | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - Update to Qt 5.5.1 RC1 | |
| - Patches 13, 52, 53, 101, 155, 223, 297 removed due to inclusion upstream | |
| - Install changes-5.x.y file (#989149) | |
| - -gui: don't require gtk2 (__requires_exclude_from platformthemes) (#1154884) | |
| - 5.3.2 | |
| - full build after ICU soname bump | |
| - macros.qt5: +%qmake_qt5 , to help set standard build flags (CFLAGS, etc...) | |
| - Rebuild against new openssl | |
| - -devel: qtsql apparently wants all drivers available at buildtime | |
| - fix build failure on big endian platform (ppc64,s390x) | |
| - Debootstrap after tools built. New tool needed qtattributionsscanner | |
| - macros.qt5: cleanup, %_qt5_cflags, %_qt5_cxxflags (for f24+) | |
| - 5.6.0 release | |
| - -devel: Requires: pkgconfig(egl) | |
| - make the QMAKE_STRIP sed not sensitive to whitespace (see #1074041 in Qt 4) | |
| - pull in another upstream moc fix/improvement (#1290020,QTBUG-49972) | |
| - fix bootstrap/docs | |
| - move sql build deps into subpkg sections | |
| - macro'ize ibase,tds support (disabled on rhel) | |
| - Try to ensure that -fPIC is used in CMake builds (QTBUG-45755) | |
| - Remove Android specific test to avoid unnecessary dependencies | |
| Resolves: bz#1733135 | |
| - fix/update Release: 1%{?dist} | |
| - pass QMAKE_*_RELEASE to configure to ensure optflags get used (#1505260) | |
| - macros.qt5: null-pointer-checks flag isn't c++-specific | |
| - qt5-qdoc subpkg | |
| - Initial update for 5.8.0 | |
| - Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562) | |
| - restore previously dropped patches | |
| - enable openssl11 support only for f27+ (for now) | |
| - Use mariadb-connector-c-devel, f28+ (#1493909) | |
| - Backport upstream mariadb patch (#1491316) | |
| - own %{_qt5_plugindir}/egldeviceintegrations | |
| - BR: pkgconfig(libudev) pkgconfig(xkbcommon) pkgconfig(xcb-xkb) | |
| - bootstrap (rawhide) | |
| - revert some minor changes introduced since 5.7 | |
| - move *Plugin.cmake items to runtime (not -devel) | |
| - qt5-qtbase-static missing dependencies (#1311311) | |
| - %build: -system-pcre, BR: pkgconfig(libpcre) | |
| - use -O1 optimization on lowmem (s390) arch | |
| - QFileDialog: implement getOpenFileUrl and friends for real | |
| - 5.0-rc1 | |
| - use software OpenGL (llvmpipe) if the hardware driver doesn't support OpenGL 2 | |
| - Fix: Files placed by attacker can influence the working directory and lead to malicious code execution | |
| Resolves: bz#1814739 | |
| Resolves: bz#1814683 | |
| - Fix: XML entity expansion vulnerability | |
| Resolves: bz#1822193 | |
| - macros.qt5: fix %qt5_ldflags macro | |
| - aarch64 is secondary arch too | |
| - ppc64le is NOT multilib | |
| - Fix Power 64 macro use | |
| - Fix out-of-bounds write in QOutlineMapper::convertPath | |
| Resolves: bz#1996877 | |
| - rebuild | |
| - full build | |
| - qtbase --> qt5-qtbase | |
| - Update to 5.4.2 | |
| - really apply QT_VERSION_CHECK workaround (#1396755) | |
| - namespace QT_VERSION_CHECK to workaround major/minor being pre-defined (#1396755) | |
| - update moc patch to define _SYS_SYSMACROS_H (#1396755) | |
| - pull in slightly different upstreamed font rendering fix (#1052389,QTBUG-41590) | |
| - (re)enable -docs | |
| - Official beta release | |
| - categorized logging for xcb entries (#1497564, QTBUG-55167) | |
| - backport 5.8 patch for wayland crasher (#1403500,QTBUG-55583) | |
| - re-enable gold linker (#1458003) | |
| - drop qt5_null_flag/qt5_deprecated_flag hacks (should be fixed upstream for awhile) | |
| - make qt_settings/journald support unconditional | |
| - drop gcc6 workaround on arm | |
| - pull in upstream drag-n-drop related fixes (QTBUG-45812, QTBUG-51215) | |
| - Requires: openssl-libs%{?_isa} (#1328659) | |
| - rebuild for ICU 56.1 | |
| - Update to final release 5.5.1 | |
| - %build: restore -dbus-linked | |
| - more cmake_path love (#929227) | |
| - fix big endian builds | |
| - QListView upstream regression (#1509649, QTBUG-63846) | |
| - actually apply mariadb-related patch (#1491316) | |
| - rebuild for ICU 53.1 | |
| - 5.1.1 | |
| - enable qtchooser support | |
| - disable openssl11 (for now, FTBFS), use -openssl-linked (bug #1401459) | |
| - BR: perl-generators | |
| - pull in set of upstream Qt 5.5 fixes and improvements for XCB screen handling rebased to 5.4 | |
| - Build against system xkb and openssl 1.1 | |
| Resolves: bz#1882375 | |
| - better %rpm_macros_dir handling | |
| - QWidget::setWindowRole does nothing (QTBUG-45484) | |
| - 5.10.1 | |
| - drop dep on xorg-x11-xinit (own shared dirs instead) | |
| - fix/improve qtchooser support using alternatives (#1122316) | |
| - -static subpkg, Requires: fontconfig-devel,glib2-devel,zlib-devel | |
| - -devel: Requires: pkgconfig(gl) | |
| - Upstream Release Candidate retagged | |
| - make 10-qt5-check-opengl2.sh xinit script more robust | |
| - enable journald support for el7+ (#1315239) | |
| - Item views don't handle insert/remove of rows robustly (QTBUG-48870) | |
| - fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549) | |
| - fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled) | |
| - reenable docs on Fedora (accidentally disabled) | |
| - refresh mariadb patch to actually match cr#206850 logic (#1491316) | |
| - 5.2.0 | |
| - Attempt not to hardcode ABI-tag for specific kernel version | |
| Resolves: bz#1612434 | |
| - No more docs, no more bootstrap. Docs comes now on a single package. | |
| - filter plugin provides, drop filter plugin excludes (no longer needed) | |
| - use qdoc.gdb wrapper | |
| - fix %_qt5_examplesdir macro | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - 5.0.1 | |
| - lowmem patch for %arm, s390 | |
| - Second round of builds now with bootstrap enabled due new qttools | |
| - fixed bz#1401459, backport openssl-1.1 support | |
| - qconfig.pri: +alsa +kms +pulseaudio +xcb-sm | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - full rebuild for hunspell 1.4.0 | |
| - support the old versions of libxcb and libxkbcommon in F19 and F20 | |
| - don't use the bundled libxkbcommon | |
| - Upstream Release Candidate 1 | |
| - bootstrap for libicu bump | |
| - 5.9.2 | |
| - Fix CVE-2024-25580: potential buffer overflow when reading KTX images | |
| Resolves: RHEL-25725 | |
| - Drop apache2 test server from unit tests to drop perl(CGI) dependency | |
| Resolves: bz#1930040 | |
| - %build: -accessibility | |
| - macros.qt5: +%_qt5_archdatadir +%_qt5_settingsdir | |
| - pull in a couple more configure-related upstream patches | |
| - ship $$[QT_INSTALL_DATA]/qtlogging.ini for packaged logging defaults (#1227295) | |
| - Fixes #1005482 - qtbase FTBFS on ppc/ppc64 | |
| - 5.9.1 | |
| - Perl 5.18 rebuild | |
| - ship /etc/xdg/qtchooser/5.conf alternative instead (of qt5.conf) | |
| - backport: data corruption in QNetworkAccessManager | |
| - Rebuild for ICU 60.1 | |
| - Official beta release | |
| - sync latest xcb/screen/display related upstream commits | |
| - QMimeType: remove unwanted *.bin as preferredSuffix for octet-stream (fdo#101667,kde#382437) | |
| - Don't allow remote attacker to bypass security restrictions caused by flaw in certificate validation (CVE-2023-34410) | |
| Resolves: bz#2212753 | |
| - Escape macros in %changelog | |
| - 5.2.0-rc1 | |
| - revert/omit recent egl packaging changes | |
| - -doc install changes-5.* files here (#989149) | |
| - backport a couple more upstream fixes | |
| - introduce -common noarch subpkg, should help multilib issues | |
| - macros.qt5: fix %_qt5_headerdir, %_qt5_datadir, %_qt5_plugindir | |
| - refresh mariadb patch support (upstreamed version apparently incomplete) | |
| - 5.7.1 dec5 snapshot | |
| - qt5-qdoc need requires >= current version, otherwise will prevent the usage further when moved to qttools | |
| - 5.2.0-alpha | |
| - -system-harfbuzz | |
| - rename subpkg -x11 => -gui | |
| - move some gui-related plugins base => -gui | |
| - don't use symlinks in %_qt5_bindir (more qtchooser-friendly) | |
| - rebuild | |
| - do a normal build with docs | |
| - support out-of-tree build | |
| - better %check | |
| - pull in final/upstream fixes for QTBUG-51648,QTBUG-51649 | |
| - disable examples/tests in bootstrap mode | |
| - don't omit examples for bootstrap (needs work) | |
| - added private headers for Qt5 Xcb | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - add condition for rhel | |
| - add support for firebird-3.x | |
| - full build | |
| - reenable documentation | |
| - restore font rendering patch (#1052389,QTBUG-41590) | |
| - fix %pre scriptlet | |
|
|
|
| qt5-qtbase-common-5.15.3-8.el8_10.noarch.rpm | - backport 0055-Respect-manual-set-icon-themes.patch (kde#344469) |
| - conditionally use valgrind only if needed | |
| - first try | |
| - Crash in QXcbWindow::setParent() due to NULL xcbScreen (QTBUG-50081, #1291003) | |
| - 5.3.1 | |
| - 5.9.3 | |
| - DoS vulnerability in the GIF image handler (QTBUG-38367) | |
| - 5.10.0 | |
| - 5.4.0 (final) | |
| - -common: Obsoletes: qt5-qtquick1(-devel) | |
| - remove GDB hackery, it is not producing useful backtraces for the ARM crash | |
| - readd plugin __requires_exclude_from filter, it is still needed | |
| - own /etc/xdg/QtProject | |
| - Requires: qt-settings (f22+) | |
| - try bootstrap=1 (f23) | |
| - create_cmake.prf: adjust CMAKE_NO_PRIVATE_INCLUDES (#1456211,QTBUG-37417) | |
| - -no-use-gold-linker (f22+, #1193044) | |
| - Don't allow remote attacker to bypass security restrictions caused by flaw in certificate validation (CVE-2023-34410) (version #2) | |
| Resolves: bz#2212753 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Fix build on MIPS (#1322537) | |
| - drop BR: valgrind (not used, for awhile) | |
| - unconditionally enable freetype lcd_filter | |
| - (temp) disable docs (libxcb bootstrap) | |
| - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg | |
| Resolves: bz#1692970 | |
| - Fix QImage allocation failure | |
| Resolve: bz#1667860 | |
| - Fix double free in QXmlStreamReader | |
| Resolve: bz#1667858 | |
| - Fix segmentation fault on malformed BMP file | |
| Resolve: bz#1667859 | |
| - Prefer QPA implementation in qsystemtrayicon_x11 if available | |
| - introduce macros.qt5-qtbase (for %_qt5, %_qt5_epoch, %_qt5_version, %_qt5_evr) | |
| - macros.qt5: we really only want the null-pointer-checks flag here and definitely no arch-specific ones | |
| - candidate fixes for various QtDBus deadlocks (QTBUG-51648,QTBUG-51676) | |
| - -Wno-deprecated-declarations (typo missed trailing 's') | |
| - drop 5.5 XCB patches, the rebase is incomplete and does not work properly with Qt 5.4 | |
| - pull upstream patches (upstreamed versions, gcc6-related bits mostly) | |
| - F20: require libxkbcommon >= 0.4.1, only patch for the old libxcb | |
| - fix build issue with gcc6 | |
| - include recommended qtdbus patches, fix Release | |
| - respin QTBUG-51649 patch | |
| - %build: use -dbus-runtime unconditionally | |
| - drop (unused) build deps: atspi, dbus, networkmanager | |
| - disable bootstrap again | |
| - don't inject $RPM_OPT_FLAGS/$RPM_LD_FLAGS into qmake defaults f24+ (#1279265) | |
| - Rebuild for platform-python | |
| - re-introduce bootstrap/examples macros | |
| - put examples-manifest.xml in -examples | |
| - restore -doc multilib hack (to be on the safe side, can't hurt) | |
| - %build: s/-optimized-qmake/-optimized-tools/ | |
| - unconditionally undo valgrind hack when done (#1255054) | |
| - SM_CLIENT_ID property is not set (QTBUG-46310) | |
| - refresh mariadb patch wrt cr#206850 (#1491316) | |
| - fix bootstrapping logic | |
| - Non-bootstrapped build | |
| - 5.15.2 + sync with Fedora | |
| Resolves: bz#1930040 | |
| - Debootstrap | |
| - Use meta doctools package to build docs | |
| - Rebuild (binutils) | |
| Resolves: bz#1930040 | |
| - fixed bz#1409600, stack overflow in QXmlSimpleReader, CVE-2016-10040 | |
| - enable -qt-xcb to fix non-US keys under VNC (#1295713) | |
| - fix Source0: https://download.qt.io/official_releases/qt/5.9/5.9.0/submodules/qtbase-opensource-src-5.9.0.tar.xz | |
| - Valgrind still needed as buildreq due recent split qdoc package, but we can get rid of specific arch set. | |
| - Added missing libproxy buildreq | |
| - EPEL and RHEL don't have libinput, so a plugin needs to be excluded for these distros | |
| - add better fix for compile error on big endian | |
| - Enable bootstrap to first import on rawhide | |
| - crashes when connecting/disconnecting displays (#1083664,QTBUG-42985) | |
| - 5.3.0 | |
| - qt5-rpm-macros pkg | |
| - bz#1328659, load openssl libs dynamically | |
| - workaround moc/qconfig-multilib issues (#1290020,QTBUG-49972) | |
| - BR: pkgconfig(xcb-xkb) > 1.10 (f21+) | |
| - allow possibility for libxkbcommon-0.4.x only | |
| - Really debootstrap :-P | |
| - Update for official RC1 released packages | |
| - fix the allow-forcing-llvmpipe patch to patch actual caller of __glXInitialize | |
| - -examples subpkg | |
| - 5.15.3 + sync with Fedora | |
| Resolves: bz#2061377 | |
| Resolves: bz#2059853 | |
| - disable -docs (for ppc bootstrap mostly) | |
| - add rpm macros qtwebengine_arches for qtwebengine | |
| - bz#1518958, backport to fix out of bounds reads in qdnslookup_unix | |
| - Fix buffer overflow in XBM parser | |
| Resolves: bz#1870364 | |
| - add versioned Requires: libxkbcommon dep | |
| - create/own %{_qt5_plugindir}/iconengines | |
| - -devel: create/own %{_qt5_archdatadir}/mkspecs/modules | |
| - cleanup .prl | |
| - qtlogging.ini: remove comments | |
| - respin QTBUG-51767 patch | |
| - adapted the berolinux's patch for new openssl-1.1.x | |
| - -examples: include %{_qt5_docdir}/qdoc/examples-manifest.xml (#1212750) | |
| - add macros qtwebengine_arches in qt5 | |
| - When a screen comes back online, the windows need to be told about it (QTBUG-47041) | |
| - xcb: Ignore disabling of outputs in the middle of the mode switch | |
| - fix build failure on secondary arch | |
| - remove GDB hackery again, -12 built fine on i686, hack breaks ARM build | |
| - fix 10-qt5-check-opengl2.sh for multiple screens (#1245755) | |
| - Some Qt apps crash if they are compiled with gcc5 (QTBUG-45755) | |
| - workaround 'make docs' crasher on el6 (QTBUG-43057) | |
| - use %make_build, %ldconfig | |
| - drop %_licensedir hack | |
| - rebase the lowmem patch | |
| - build: ./configure -journal (f24+) | |
| - revert out-of-tree build, breaks Qt5*Config.cmake *_PRIVATE_INCLUDE_DIRS entries (all blank) | |
| - Fix incorrect integer overflow check in HTTP2 implementation | |
| Resolves: RHEL-20238 | |
| - fix build issue with gcc6 | |
| - fix check for alsa 1.1.x | |
| - Update to 5.11.1 | |
| - Update tarball with https://bugreports.qt.io/browse/QTBUG-50703 fix | |
| - enable (non-conflicting) qtchooser support | |
| - Update proper tarball. Need avoid the fix branch | |
| - Compiled with gcc | |
| - Shortcuts with KeypadModifier not working (QTBUG-33093,#1219173) | |
| - use valgrind to debug qdoc HTML generation | |
| - use linux-g++ platform unconditionally | |
| - We're back to gold linker | |
| - Remove reduce relocations | |
| - fixed bz#1442553, multilib issue | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild | |
| - track private api use via properly versioned symbols (unused for now) | |
| - pull in handful of upstream fixes, particularly... | |
| - Fix a division by zero when processing malformed BMP files (QTBUG-44547, CVE-2015-0295) | |
| - 5.2.1 | |
| - Enable EGL support | |
| - 2013-11-08_141 snapshot, arm switch qreal double | |
| - workaround gold linker issue with duplicate symbols (f27+, #1458003) | |
| - OpenSSL: handle SSL_shutdown's errors properly | |
| Resolves: bz#1851538 | |
| - Bump for rebuild. | |
| - support ppc64le multilib (#1080629) | |
| - qt5-base-devel.x86_64 qt5-base-devel.i686 file conflict qconfig.h (#1036956) | |
| - enable patch to track private api | |
| - Fix specific overflow in qtextlayout | |
| - Fix incorrect parsing of the strict-transport-security (HSTS) header | |
| - Fix buffer over-read via a crafted reply from a DNS server | |
| Resolves: bz#2209491 | |
| - pull in upstream gcc-4.8.0 buildfix | |
| - port qtdbusconnection_no_debug.patch from qt(4) | |
| - rebuild for ICU 54.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - enable bootstrap (and disable failing docs) | |
| - Fix infinite loops in QXmlStreamReader (CVE-2023-38197) | |
| Resolves: bz#2222770 | |
| - de-bootstrap | |
| - make -doc arch'd (workaround bug #1437522) | |
| - full build | |
| - -devel: Requires: redhat-rpm-config (#1248174) | |
| - HTTP2: Delay any communication until encrypted() can be responded to | |
| Resolves: RHEL-46340 | |
| - 5.0.2-rc1 | |
| - Add mesa-dri-drivers as recommends on gui package as reported by Kevin Kofler | |
| - Reference https://bugzilla.redhat.com/1249280 | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebase to latest SM patches (QTBUG-45484, QTBUG-46310) | |
| - Fix build failure with glibc | |
| - Qt5 application crashes when connecting/disconnecting displays (#1083664) | |
| - macros.qt5: use newer location, use unexpanded macros | |
| - qt5-qtbase-5.3.0-2.fc21 breaks keyboard input (#1100213) | |
| - respin lowmem patch to apply (unconditionally) to gcc-4.7.2 too | |
| - 5.2.0-beta1 | |
| - -system-libxkbcommon (f21+) | |
| - use '#!/usr/bin/perl' instead of '#!/usr/bin/env perl' | |
| - try reverting from -optimized-tools to -optimized-qmake | |
| - %build: hack around 'make docs' failures (on f22+) | |
| - limit -reduce-relocations to %ix86 x86_64 archs (QTBUG-36129) | |
| - Broken window scaling (#1381828) | |
| - Start to implement 5.6.0 beta | |
| - 5.0 (final) | |
| - Bad font rendering (#1052389,QTBUG-41590) | |
| - Disable bootstrap | |
| - rebuild for ICU 57.1 | |
| - Update to final RC | |
| - Perl 5.18 rebuild | |
| - restore moc_system_defines.patch lost in 5.7.0 rebase | |
| - -devel: Provides: qt5-qtbase-private-devel (#1233829) | |
| - undefine QMAKE_STRIP (and friends), so we get useful -debuginfo pkgs (#1065636) | |
| - New upstream version | |
| - Beta 3 | |
| - Reintroduce xcb patch from https://codereview.qt-project.org/#/c/138201/ | |
| - 5.0.2 | |
| - fix cmake config (#929227) | |
| - QOpenGLShaderProgram: glProgramBinary() resulting in LINK_STATUS=FALSE not handled properly (QTBUG-66420) | |
| - +%_qt5_libexecdir | |
| - 5.6.0-beta (final) | |
| - Integrate rc releases now. | |
| - Fix build on RHEL 7 kernel | |
| Resolves: bz#1733135 | |
| - add qtchooser support (disabled by default) | |
| - Prepare 5.7 | |
| - Move macros package away from qtbase. Now is called qt5-rpm-macros | |
| - Do not require qt-settings package | |
| - fixed build issue with new mariadb | |
| - 5.0-rc2 | |
| - initial try at putting non-conflicting binaries in %_bindir | |
| - Unify firebird patch for both versions | |
| - Bootstrap again for copr | |
| - -docs: BuildRequires: qt5-qhelpgenerator | |
| - %ix86: build -no-sse2 (#1103185) | |
| - needs a minimum version on sqlite build dependency (#1038617) | |
| - fix build when doc macro not defined | |
| - -doc subpkg (not enabled) | |
| - enable %check | |
| - ExcludeArch: ppc64 ppc (#1005482) | |
| - Upstream official release | |
| - 5.4.0-beta | |
| - avoid extra -devel deps by moving *Plugin.cmake files to base pkgs | |
| - support bootstrap macro, to disable -doc,-examples | |
| - build with and add to macros.qt5 flags: -fno-delete-null-pointer-checks | |
| - bootstrap rebuild for hunspell 1.4.0 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681889 | |
| - Beta 3 release | |
| - drop disconnect_displays.patch so we can better test latest xcb/display work | |
| - -dbus=runtime on el6 (#1196359) | |
| - %build: -no-directfb | |
| - unable to use input methods in ibus-1.5.10 (#1203575) | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Qt 5.7.0 release | |
| - update to 5.4.1 | |
| - backport "crash on start if system bus is not available" (QTBUG-51299) | |
| - Get rid of valgrind hack. It sort out that we don't need it anymore (#1211203) | |
| - update moc patch to define _SYS_SYSMACROS_H_OUTER instead (#1396755) | |
| - 5.12.5 + sync with Fedora | |
| Resolves: bz#1733135 | |
| - add poll support, thanks to fweimer@redhat.com (QTBUG-27195) | |
| - own %{_qt5_plugindir}/{designer,iconengines,script,styles} | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657206 | |
| - 5.4.0-rc | |
| - use upstream commit/fix for QTBUG-46310 | |
| - restore qdoc/gdb hackery, i686 still needs it :( | |
| - Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858) | |
| - try harder to avoid doc/multilib conflicts (#1212750) | |
| - Qt 5.5 RC 1 | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - Update to Qt 5.5.1 RC1 | |
| - Patches 13, 52, 53, 101, 155, 223, 297 removed due to inclusion upstream | |
| - Install changes-5.x.y file (#989149) | |
| - -gui: don't require gtk2 (__requires_exclude_from platformthemes) (#1154884) | |
| - 5.3.2 | |
| - full build after ICU soname bump | |
| - macros.qt5: +%qmake_qt5 , to help set standard build flags (CFLAGS, etc...) | |
| - Rebuild against new openssl | |
| - -devel: qtsql apparently wants all drivers available at buildtime | |
| - fix build failure on big endian platform (ppc64,s390x) | |
| - Debootstrap after tools built. New tool needed qtattributionsscanner | |
| - macros.qt5: cleanup, %_qt5_cflags, %_qt5_cxxflags (for f24+) | |
| - 5.6.0 release | |
| - -devel: Requires: pkgconfig(egl) | |
| - make the QMAKE_STRIP sed not sensitive to whitespace (see #1074041 in Qt 4) | |
| - pull in another upstream moc fix/improvement (#1290020,QTBUG-49972) | |
| - fix bootstrap/docs | |
| - move sql build deps into subpkg sections | |
| - macro'ize ibase,tds support (disabled on rhel) | |
| - Try to ensure that -fPIC is used in CMake builds (QTBUG-45755) | |
| - Remove Android specific test to avoid unnecessary dependencies | |
| Resolves: bz#1733135 | |
| - fix/update Release: 1%{?dist} | |
| - pass QMAKE_*_RELEASE to configure to ensure optflags get used (#1505260) | |
| - macros.qt5: null-pointer-checks flag isn't c++-specific | |
| - qt5-qdoc subpkg | |
| - Initial update for 5.8.0 | |
| - Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562) | |
| - restore previously dropped patches | |
| - enable openssl11 support only for f27+ (for now) | |
| - Use mariadb-connector-c-devel, f28+ (#1493909) | |
| - Backport upstream mariadb patch (#1491316) | |
| - own %{_qt5_plugindir}/egldeviceintegrations | |
| - BR: pkgconfig(libudev) pkgconfig(xkbcommon) pkgconfig(xcb-xkb) | |
| - bootstrap (rawhide) | |
| - revert some minor changes introduced since 5.7 | |
| - move *Plugin.cmake items to runtime (not -devel) | |
| - qt5-qtbase-static missing dependencies (#1311311) | |
| - %build: -system-pcre, BR: pkgconfig(libpcre) | |
| - use -O1 optimization on lowmem (s390) arch | |
| - QFileDialog: implement getOpenFileUrl and friends for real | |
| - 5.0-rc1 | |
| - use software OpenGL (llvmpipe) if the hardware driver doesn't support OpenGL 2 | |
| - Fix: Files placed by attacker can influence the working directory and lead to malicious code execution | |
| Resolves: bz#1814739 | |
| Resolves: bz#1814683 | |
| - Fix: XML entity expansion vulnerability | |
| Resolves: bz#1822193 | |
| - macros.qt5: fix %qt5_ldflags macro | |
| - aarch64 is secondary arch too | |
| - ppc64le is NOT multilib | |
| - Fix Power 64 macro use | |
| - Fix out-of-bounds write in QOutlineMapper::convertPath | |
| Resolves: bz#1996877 | |
| - rebuild | |
| - full build | |
| - qtbase --> qt5-qtbase | |
| - Update to 5.4.2 | |
| - really apply QT_VERSION_CHECK workaround (#1396755) | |
| - namespace QT_VERSION_CHECK to workaround major/minor being pre-defined (#1396755) | |
| - update moc patch to define _SYS_SYSMACROS_H (#1396755) | |
| - pull in slightly different upstreamed font rendering fix (#1052389,QTBUG-41590) | |
| - (re)enable -docs | |
| - Official beta release | |
| - categorized logging for xcb entries (#1497564, QTBUG-55167) | |
| - backport 5.8 patch for wayland crasher (#1403500,QTBUG-55583) | |
| - re-enable gold linker (#1458003) | |
| - drop qt5_null_flag/qt5_deprecated_flag hacks (should be fixed upstream for awhile) | |
| - make qt_settings/journald support unconditional | |
| - drop gcc6 workaround on arm | |
| - pull in upstream drag-n-drop related fixes (QTBUG-45812, QTBUG-51215) | |
| - Requires: openssl-libs%{?_isa} (#1328659) | |
| - rebuild for ICU 56.1 | |
| - Update to final release 5.5.1 | |
| - %build: restore -dbus-linked | |
| - more cmake_path love (#929227) | |
| - fix big endian builds | |
| - QListView upstream regression (#1509649, QTBUG-63846) | |
| - actually apply mariadb-related patch (#1491316) | |
| - rebuild for ICU 53.1 | |
| - 5.1.1 | |
| - enable qtchooser support | |
| - disable openssl11 (for now, FTBFS), use -openssl-linked (bug #1401459) | |
| - BR: perl-generators | |
| - pull in set of upstream Qt 5.5 fixes and improvements for XCB screen handling rebased to 5.4 | |
| - Build against system xkb and openssl 1.1 | |
| Resolves: bz#1882375 | |
| - better %rpm_macros_dir handling | |
| - QWidget::setWindowRole does nothing (QTBUG-45484) | |
| - 5.10.1 | |
| - drop dep on xorg-x11-xinit (own shared dirs instead) | |
| - fix/improve qtchooser support using alternatives (#1122316) | |
| - -static subpkg, Requires: fontconfig-devel,glib2-devel,zlib-devel | |
| - -devel: Requires: pkgconfig(gl) | |
| - Upstream Release Candidate retagged | |
| - make 10-qt5-check-opengl2.sh xinit script more robust | |
| - enable journald support for el7+ (#1315239) | |
| - Item views don't handle insert/remove of rows robustly (QTBUG-48870) | |
| - fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549) | |
| - fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled) | |
| - reenable docs on Fedora (accidentally disabled) | |
| - refresh mariadb patch to actually match cr#206850 logic (#1491316) | |
| - 5.2.0 | |
| - Attempt not to hardcode ABI-tag for specific kernel version | |
| Resolves: bz#1612434 | |
| - No more docs, no more bootstrap. Docs comes now on a single package. | |
| - filter plugin provides, drop filter plugin excludes (no longer needed) | |
| - use qdoc.gdb wrapper | |
| - fix %_qt5_examplesdir macro | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - 5.0.1 | |
| - lowmem patch for %arm, s390 | |
| - Second round of builds now with bootstrap enabled due new qttools | |
| - fixed bz#1401459, backport openssl-1.1 support | |
| - qconfig.pri: +alsa +kms +pulseaudio +xcb-sm | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - full rebuild for hunspell 1.4.0 | |
| - support the old versions of libxcb and libxkbcommon in F19 and F20 | |
| - don't use the bundled libxkbcommon | |
| - Upstream Release Candidate 1 | |
| - bootstrap for libicu bump | |
| - 5.9.2 | |
| - Fix CVE-2024-25580: potential buffer overflow when reading KTX images | |
| Resolves: RHEL-25725 | |
| - Drop apache2 test server from unit tests to drop perl(CGI) dependency | |
| Resolves: bz#1930040 | |
| - %build: -accessibility | |
| - macros.qt5: +%_qt5_archdatadir +%_qt5_settingsdir | |
| - pull in a couple more configure-related upstream patches | |
| - ship $$[QT_INSTALL_DATA]/qtlogging.ini for packaged logging defaults (#1227295) | |
| - Fixes #1005482 - qtbase FTBFS on ppc/ppc64 | |
| - 5.9.1 | |
| - Perl 5.18 rebuild | |
| - ship /etc/xdg/qtchooser/5.conf alternative instead (of qt5.conf) | |
| - backport: data corruption in QNetworkAccessManager | |
| - Rebuild for ICU 60.1 | |
| - Official beta release | |
| - sync latest xcb/screen/display related upstream commits | |
| - QMimeType: remove unwanted *.bin as preferredSuffix for octet-stream (fdo#101667,kde#382437) | |
| - Don't allow remote attacker to bypass security restrictions caused by | |
| flaw in certificate validation (CVE-2023-34410) | |
| Resolves: bz#2212753 | |
| - Escape macros in %changelog | |
| - 5.2.0-rc1 | |
| - revert/omit recent egl packaging changes | |
| - -doc install changes-5.* files here (#989149) | |
| - backport a couple more upstream fixes | |
| - introduce -common noarch subpkg, should help multilib issues | |
| - macros.qt5: fix %_qt5_headerdir, %_qt5_datadir, %_qt5_plugindir | |
| - refresh mariadb patch support (upstreamed version apparently incomplete) | |
| - 5.7.1 dec5 snapshot | |
| - qt5-qdoc need requires >= current version, otherwise will prevent the usage further when moved to qttools | |
| - 5.2.0-alpha | |
| - -system-harfbuzz | |
| - rename subpkg -x11 => -gui | |
| - move some gui-related plugins base => -gui | |
| - don't use symlinks in %_qt5_bindir (more qtchooser-friendly) | |
| - rebuild | |
| - do a normal build with docs | |
| - support out-of-tree build | |
| - better %check | |
| - pull in final/upstream fixes for QTBUG-51648,QTBUG-51649 | |
| - disable examples/tests in bootstrap mode | |
| - don't omit examples for bootstrap (needs work) | |
| - added private headers for Qt5 Xcb | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - add condition for rhel | |
| - add support for firebird-3.x | |
| - full build | |
| - reenable documentation | |
| - restore font rendering patch (#1052389,QTBUG-41590) | |
| - fix %pre scriptlet | |
|
|
|
| qt5-qtbase-gui-5.15.3-8.el8_10.x86_64.rpm | - backport 0055-Respect-manual-set-icon-themes.patch (kde#344469) |
| - conditionally use valgrind only if needed | |
| - first try | |
| - Crash in QXcbWindow::setParent() due to NULL xcbScreen (QTBUG-50081, #1291003) | |
| - 5.3.1 | |
| - 5.9.3 | |
| - DoS vulnerability in the GIF image handler (QTBUG-38367) | |
| - 5.10.0 | |
| - 5.4.0 (final) | |
| - -common: Obsoletes: qt5-qtquick1(-devel) | |
| - remove GDB hackery, it is not producing useful backtraces for the ARM crash | |
| - readd plugin __requires_exclude_from filter, it is still needed | |
| - own /etc/xdg/QtProject | |
| - Requires: qt-settings (f22+) | |
| - try bootstrap=1 (f23) | |
| - create_cmake.prf: adjust CMAKE_NO_PRIVATE_INCLUDES (#1456211,QTBUG-37417) | |
| - -no-use-gold-linker (f22+, #1193044) | |
| - Don't allow remote attacker to bypass security restrictions caused by | |
| flaw in certificate validation (CVE-2023-34410) (version #2) | |
| Resolves: bz#2212753 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Fix build on MIPS (#1322537) | |
| - drop BR: valgrind (not used, for awhile) | |
| - unconditionally enable freetype lcd_filter | |
| - (temp) disable docs (libxcb bootstrap) | |
| - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg | |
| Resolves: bz#1692970 | |
| - Fix QImage allocation failure | |
| Resolve: bz#1667860 | |
| - Fix double free in QXmlStreamReader | |
| Resolve: bz#1667858 | |
| - Fix segmentation fault on malformed BMP file | |
| Resolve: bz#1667859 | |
| - Prefer QPA implementation in qsystemtrayicon_x11 if available | |
| - introduce macros.qt5-qtbase (for %_qt5, %_qt5_epoch, %_qt5_version, %_qt5_evr) | |
| - macros.qt5: we really only want the null-pointer-checks flag here | |
| and definitely no arch-specific ones | |
| - candidate fixes for various QtDBus deadlocks (QTBUG-51648,QTBUG-51676) | |
| - -Wno-deprecated-declarations (typo missed trailing 's') | |
| - drop 5.5 XCB patches, the rebase is incomplete and does not work properly with Qt 5.4 | |
| - pull upstream patches (upstreamed versions, gcc6-related bits mostly) | |
| - F20: require libxkbcommon >= 0.4.1, only patch for the old libxcb | |
| - fix build issue with gcc6 | |
| - include recommended qtdbus patches, fix Release | |
| - respin QTBUG-51649 patch | |
| - %build: use -dbus-runtime unconditionally | |
| - drop (unused) build deps: atspi, dbus, networkmanager | |
| - disable bootstrap again | |
| - don't inject $RPM_OPT_FLAGS/$RPM_LD_FLAGS into qmake defaults f24+ (#1279265) | |
| - Rebuild for platform-python | |
| - re-introduce bootstrap/examples macros | |
| - put examples-manifest.xml in -examples | |
| - restore -doc multilib hack (to be on the safe side, can't hurt) | |
| - %build: s/-optimized-qmake/-optimized-tools/ | |
| - unconditionally undo valgrind hack when done (#1255054) | |
| - SM_CLIENT_ID property is not set (QTBUG-46310) | |
| - refresh mariadb patch wrt cr#206850 (#1491316) | |
| - fix bootstrapping logic | |
| - Non-bootstrapped build | |
| - 5.15.2 + sync with Fedora | |
| Resolves: bz#1930040 | |
| - Debootstrap | |
| - Use meta doctools package to build docs | |
| - Rebuild (binutils) | |
| Resolves: bz#1930040 | |
| - fixed bz#1409600, stack overflow in QXmlSimpleReader, CVE-2016-10040 | |
| - enable -qt-xcb to fix non-US keys under VNC (#1295713) | |
| - fix Source0: https://download.qt.io/official_releases/qt/5.9/5.9.0/submodules/qtbase-opensource-src-5.9.0.tar.xz | |
| - Valgrind still needed as buildreq due recent split qdoc package, but we can get rid of | |
| specific arch set. | |
| - Added missing libproxy buildreq | |
| - EPEL and RHEL don't have libinput, so a plugin needs to be excluded for these distros | |
| - add better fix for compile error on big endian | |
| - Enable bootstrap to first import on rawhide | |
| - crashes when connecting/disconnecting displays (#1083664,QTBUG-42985) | |
| - 5.3.0 | |
| - qt5-rpm-macros pkg | |
| - bz#1328659, load openssl libs dynamically | |
| - workaround moc/qconfig-multilib issues (#1290020,QTBUG-49972) | |
| - BR: pkgconfig(xcb-xkb) > 1.10 (f21+) | |
| - allow possibility for libxkbcommon-0.4.x only | |
| - Really debootstrap :-P | |
| - Update for official RC1 released packages | |
| - fix the allow-forcing-llvmpipe patch to patch actual caller of __glXInitialize | |
| - -examples subpkg | |
| - 5.15.3 + sync with Fedora | |
| Resolves: bz#2061377 | |
| Resolves: bz#2059853 | |
| - disable -docs (for ppc bootstrap mostly) | |
| - add rpm macros qtwebengine_arches for qtwebengine | |
| - bz#1518958, backport to fix out of bounds reads in qdnslookup_unix | |
| - Fix buffer overflow in XBM parser | |
| Resolves: bz#1870364 | |
| - add versioned Requires: libxkbcommon dep | |
| - create/own %{_qt5_plugindir}/iconengines | |
| - -devel: create/own %{_qt5_archdatadir}/mkspecs/modules | |
| - cleanup .prl | |
| - qtlogging.ini: remove comments | |
| - respin QTBUG-51767 patch | |
| - adapted the berolinux's patch for new openssl-1.1.x | |
| - -examples: include %{_qt5_docdir}/qdoc/examples-manifest.xml (#1212750) | |
| - add macros qtwebengine_arches in qt5 | |
| - When a screen comes back online, the windows need to be told about it (QTBUG-47041) | |
| - xcb: Ignore disabling of outputs in the middle of the mode switch | |
| - fix build failure on secondary arch | |
| - remove GDB hackery again, -12 built fine on i686, hack breaks ARM build | |
| - fix 10-qt5-check-opengl2.sh for multiple screens (#1245755) | |
| - Some Qt apps crash if they are compiled with gcc5 (QTBUG-45755) | |
| - workaround 'make docs' crasher on el6 (QTBUG-43057) | |
| - use %make_build, %ldconfig | |
| - drop %_licensedir hack | |
| - rebase the lowmem patch | |
| - build: ./configure -journal (f24+) | |
| - revert out-of-tree build, breaks Qt5*Config.cmake *_PRIVATE_INCLUDE_DIRS entries (all blank) | |
| - Fix incorrect integer overflow check in HTTP2 implementation | |
| Resolves: RHEL-20238 | |
| - fix build issue with gcc6 | |
| - fix check for alsa 1.1.x | |
| - Update to 5.11.1 | |
| - Update tarball with https://bugreports.qt.io/browse/QTBUG-50703 fix | |
| - enable (non-conflicting) qtchooser support | |
| - Update proper tarball. Need avoid the fix branch | |
| - Compiled with gcc | |
| - Shortcuts with KeypadModifier not working (QTBUG-33093,#1219173) | |
| - use valgrind to debug qdoc HTML generation | |
| - use linux-g++ platform unconditionally | |
| - We're back to gold linker | |
| - Remove reduce relocations | |
| - fixed bz#1442553, multilib issue | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild | |
| - track private api use via properly versioned symbols (unused for now) | |
| - pull in handful of upstream fixes, particularly... | |
| - Fix a division by zero when processing malformed BMP files (QTBUG-44547, CVE-2015-0295) | |
| - 5.2.1 | |
| - Enable EGL support | |
| - 2013-11-08_141 snapshot, arm switch qreal double | |
| - workaround gold linker issue with duplicate symbols (f27+, #1458003) | |
| - OpenSSL: handle SSL_shutdown's errors properly | |
| Resolves: bz#1851538 | |
| - Bump for rebuild. | |
| - support ppc64le multilib (#1080629) | |
| - qt5-base-devel.x86_64 qt5-base-devel.i686 file conflict qconfig.h (#1036956) | |
| - enable patch to track private api | |
| - Fix specific overflow in qtextlayout | |
| - Fix incorrect parsing of the strict-transport-security (HSTS) header | |
| - Fix buffer over-read via a crafted reply from a DNS server | |
| Resolves: bz#2209491 | |
| - pull in upstream gcc-4.8.0 buildfix | |
| - port qtdbusconnection_no_debug.patch from qt(4) | |
| - rebuild for ICU 54.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - enable bootstrap (and disable failing docs) | |
| - Fix infinite loops in QXmlStreamReader (CVE-2023-38197) | |
| Resolves: bz#2222770 | |
| - de-bootstrap | |
| - make -doc arch'd (workaround bug #1437522) | |
| - full build | |
| - -devel: Requires: redhat-rpm-config (#1248174) | |
| - HTTP2: Delay any communication until encrypted() can be responded to | |
| Resolves: RHEL-46340 | |
| - 5.0.2-rc1 | |
| - Add mesa-dri-drivers as recommends on gui package as reported by Kevin Kofler | |
| - Reference https://bugzilla.redhat.com/1249280 | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - rebase to latest SM patches (QTBUG-45484, QTBUG-46310) | |
| - Fix build failure with glibc | |
| - Qt5 application crashes when connecting/disconnecting displays (#1083664) | |
| - macros.qt5: use newer location, use unexpanded macros | |
| - qt5-qtbase-5.3.0-2.fc21 breaks keyboard input (#1100213) | |
| - respin lowmem patch to apply (unconditionally) to gcc-4.7.2 too | |
| - 5.2.0-beta1 | |
| - -system-libxkbcommon (f21+) | |
| - use '#!/usr/bin/perl' instead of '#!/usr/bin/env perl' | |
| - try reverting from -optimized-tools to -optimized-qmake | |
| - %build: hack around 'make docs' failures (on f22+) | |
| - limit -reduce-relocations to %ix86 x86_64 archs (QTBUG-36129) | |
| - Broken window scaling (#1381828) | |
| - Start to implement 5.6.0 beta | |
| - 5.0 (final) | |
| - Bad font rendering (#1052389,QTBUG-41590) | |
| - Disable bootstrap | |
| - rebuild for ICU 57.1 | |
| - Update to final RC | |
| - Perl 5.18 rebuild | |
| - restore moc_system_defines.patch lost in 5.7.0 rebase | |
| - -devel: Provides: qt5-qtbase-private-devel (#1233829) | |
| - undefine QMAKE_STRIP (and friends), so we get useful -debuginfo pkgs (#1065636) | |
| - New upstream version | |
| - Beta 3 | |
| - Reintroduce xcb patch from https://codereview.qt-project.org/#/c/138201/ | |
| - 5.0.2 | |
| - fix cmake config (#929227) | |
| - QOpenGLShaderProgram: glProgramBinary() resulting in LINK_STATUS=FALSE not handled properly (QTBUG-66420) | |
| - +%_qt5_libexecdir | |
| - 5.6.0-beta (final) | |
| - Integrate rc releases now. | |
| - Fix build on RHEL 7 kernel | |
| Resolves: bz#1733135 | |
| - add qtchooser support (disabled by default) | |
| - Prepare 5.7 | |
| - Move macros package away from qtbase. Now is called qt5-rpm-macros | |
| - Do not require qt-settings package | |
| - fixed build issue with new mariadb | |
| - 5.0-rc2 | |
| - initial try at putting non-conflicting binaries in %_bindir | |
| - Unify firebird patch for both versions | |
| - Bootstrap again for copr | |
| - -docs: BuildRequires: qt5-qhelpgenerator | |
| - %ix86: build -no-sse2 (#1103185) | |
| - needs a minimum version on sqlite build dependency (#1038617) | |
| - fix build when doc macro not defined | |
| - -doc subpkg (not enabled) | |
| - enable %check | |
| - ExcludeArch: ppc64 ppc (#1005482) | |
| - Upstream official release | |
| - 5.4.0-beta | |
| - avoid extra -devel deps by moving *Plugin.cmake files to base pkgs | |
| - support bootstrap macro, to disable -doc,-examples | |
| - build with and add to macros.qt5 flags: -fno-delete-null-pointer-checks | |
| - bootstrap rebuild for hunspell 1.4.0 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681889 | |
| - Beta 3 release | |
| - drop disconnect_displays.patch so we can better test latest xcb/display work | |
| - -dbus=runtime on el6 (#1196359) | |
| - %build: -no-directfb | |
| - unable to use input methods in ibus-1.5.10 (#1203575) | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Qt 5.7.0 release | |
| - update to 5.4.1 | |
| - backport "crash on start if system bus is not available" (QTBUG-51299) | |
| - Get rid of valgrind hack. It sort out that we don't need it anymore (#1211203) | |
| - update moc patch to define _SYS_SYSMACROS_H_OUTER instead (#1396755) | |
| - 5.12.5 + sync with Fedora | |
| Resolves: bz#1733135 | |
| - add poll support, thanks to fweimer@redhat.com (QTBUG-27195) | |
| - own %{_qt5_plugindir}/{designer,iconengines,script,styles} | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657206 | |
| - 5.4.0-rc | |
| - use upstream commit/fix for QTBUG-46310 | |
| - restore qdoc/gdb hackery, i686 still needs it :( | |
| - Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858) | |
| - try harder to avoid doc/multilib conflicts (#1212750) | |
| - Qt 5.5 RC 1 | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - Update to Qt 5.5.1 RC1 | |
| - Patches 13, 52, 53, 101, 155, 223, 297 removed due to inclusion upstream | |
| - Install changes-5.x.y file (#989149) | |
| - -gui: don't require gtk2 (__requires_exclude_from platformthemes) (#1154884) | |
| - 5.3.2 | |
| - full build after ICU soname bump | |
| - macros.qt5: +%qmake_qt5 , to help set standard build flags (CFLAGS, etc...) | |
| - Rebuild against new openssl | |
| - -devel: qtsql apparently wants all drivers available at buildtime | |
| - fix build failure on big endian platform (ppc64,s390x) | |
| - Debootstrap after tools built. New tool needed qtattributionsscanner | |
| - macros.qt5: cleanup, %_qt5_cflags, %_qt5_cxxflags (for f24+) | |
| - 5.6.0 release | |
| - -devel: Requires: pkgconfig(egl) | |
| - make the QMAKE_STRIP sed not sensitive to whitespace (see #1074041 in Qt 4) | |
| - pull in another upstream moc fix/improvement (#1290020,QTBUG-49972) | |
| - fix bootstrap/docs | |
| - move sql build deps into subpkg sections | |
| - macro'ize ibase,tds support (disabled on rhel) | |
| - Try to ensure that -fPIC is used in CMake builds (QTBUG-45755) | |
| - Remove Android specific test to avoid unnecessary dependencies | |
| Resolves: bz#1733135 | |
| - fix/update Release: 1%{?dist} | |
| - pass QMAKE_*_RELEASE to configure to ensure optflags get used (#1505260) | |
| - macros.qt5: null-pointer-checks flag isn't c++-specific | |
| - qt5-qdoc subpkg | |
| - Initial update for 5.8.0 | |
| - Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562) | |
| - restore previously dropped patches | |
| - enable openssl11 support only for f27+ (for now) | |
| - Use mariadb-connector-c-devel, f28+ (#1493909) | |
| - Backport upstream mariadb patch (#1491316) | |
| - own %{_qt5_plugindir}/egldeviceintegrations | |
| - BR: pkgconfig(libudev) pkgconfig(xkbcommon) pkgconfig(xcb-xkb) | |
| - bootstrap (rawhide) | |
| - revert some minor changes introduced since 5.7 | |
| - move *Plugin.cmake items to runtime (not -devel) | |
| - qt5-qtbase-static missing dependencies (#1311311) | |
| - %build: -system-pcre, BR: pkgconfig(libpcre) | |
| - use -O1 optimization on lowmem (s390) arch | |
| - QFileDialog: implement getOpenFileUrl and friends for real | |
| - 5.0-rc1 | |
| - use software OpenGL (llvmpipe) if the hardware driver doesn't support OpenGL 2 | |
| - Fix: Files placed by attacker can influence the working directory and lead to malicious code execution | |
| Resolves: bz#1814739 | |
| Resolves: bz#1814683 | |
| - Fix: XML entity expansion vulnerability | |
| Resolves: bz#1822193 | |
| - macros.qt5: fix %qt5_ldflags macro | |
| - aarch64 is secondary arch too | |
| - ppc64le is NOT multilib | |
| - Fix Power 64 macro use | |
| - Fix out-of-bounds write in QOutlineMapper::convertPath | |
| Resolves: bz#1996877 | |
| - rebuild | |
| - full build | |
| - qtbase --> qt5-qtbase | |
| - Update to 5.4.2 | |
| - really apply QT_VERSION_CHECK workaround (#1396755) | |
| - namespace QT_VERSION_CHECK to workaround major/minor being pre-defined (#1396755) | |
| - update moc patch to define _SYS_SYSMACROS_H (#1396755) | |
| - pull in slightly different upstreamed font rendering fix (#1052389,QTBUG-41590) | |
| - (re)enable -docs | |
| - Official beta release | |
| - categorized logging for xcb entries (#1497564, QTBUG-55167) | |
| - backport 5.8 patch for wayland crasher (#1403500,QTBUG-55583) | |
| - re-enable gold linker (#1458003) | |
| - drop qt5_null_flag/qt5_deprecated_flag hacks (should be fixed upstream for awhile) | |
| - make qt_settings/journald support unconditional | |
| - drop gcc6 workaround on arm | |
| - pull in upstream drag-n-drop related fixes (QTBUG-45812, QTBUG-51215) | |
| - Requires: openssl-libs%{?_isa} (#1328659) | |
| - rebuild for ICU 56.1 | |
| - Update to final release 5.5.1 | |
| - %build: restore -dbus-linked | |
| - more cmake_path love (#929227) | |
| - fix big endian builds | |
| - QListView upstream regression (#1509649, QTBUG-63846) | |
| - actually apply mariadb-related patch (#1491316) | |
| - rebuild for ICU 53.1 | |
| - 5.1.1 | |
| - enable qtchooser support | |
| - disable openssl11 (for now, FTBFS), use -openssl-linked (bug #1401459) | |
| - BR: perl-generators | |
| - pull in set of upstream Qt 5.5 fixes and improvements for XCB screen handling rebased to 5.4 | |
| - Build against system xkb and openssl 1.1 | |
| Resolves: bz#1882375 | |
| - better %rpm_macros_dir handling | |
| - QWidget::setWindowRole does nothing (QTBUG-45484) | |
| - 5.10.1 | |
| - drop dep on xorg-x11-xinit (own shared dirs instead) | |
| - fix/improve qtchooser support using alternatives (#1122316) | |
| - -static subpkg, Requires: fontconfig-devel,glib2-devel,zlib-devel | |
| - -devel: Requires: pkgconfig(gl) | |
| - Upstream Release Candidate retagged | |
| - make 10-qt5-check-opengl2.sh xinit script more robust | |
| - enable journald support for el7+ (#1315239) | |
| - Item views don't handle insert/remove of rows robustly (QTBUG-48870) | |
| - fix QTBUG-35459 (too low entityCharacterLimit=1024 for CVE-2013-4549) | |
| - fix QTBUG-35460 (error message for CVE-2013-4549 is misspelled) | |
| - reenable docs on Fedora (accidentally disabled) | |
| - refresh mariadb patch to actually match cr#206850 logic (#1491316) | |
| - 5.2.0 | |
| - Attempt not to hardcode ABI-tag for specific kernel version | |
| Resolves: bz#1612434 | |
| - No more docs, no more bootstrap. Docs now come in a single package. | |
| - filter plugin provides, drop filter plugin excludes (no longer needed) | |
| - use qdoc.gdb wrapper | |
| - fix %_qt5_examplesdir macro | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - 5.0.1 | |
| - lowmem patch for %arm, s390 | |
| - Second round of builds now with bootstrap enabled due to new qttools | |
| - fixed bz#1401459, backport openssl-1.1 support | |
| - qconfig.pri: +alsa +kms +pulseaudio +xcb-sm | |
| - qt5-qtbase: RPM build flags only partially injected (#1543888) | |
| - full rebuild for hunspell 1.4.0 | |
| - support the old versions of libxcb and libxkbcommon in F19 and F20 | |
| - don't use the bundled libxkbcommon | |
| - Upstream Release Candidate 1 | |
| - bootstrap for libicu bump | |
| - 5.9.2 | |
| - Fix CVE-2024-25580: potential buffer overflow when reading KTX images | |
| Resolves: RHEL-25725 | |
| - Drop apache2 test server from unit tests to drop perl(CGI) dependency | |
| Resolves: bz#1930040 | |
| - %build: -accessibility | |
| - macros.qt5: +%_qt5_archdatadir +%_qt5_settingsdir | |
| - pull in a couple more configure-related upstream patches | |
| - ship $$[QT_INSTALL_DATA]/qtlogging.ini for packaged logging defaults (#1227295) | |
| - Fixes #1005482 - qtbase FTBFS on ppc/ppc64 | |
| - 5.9.1 | |
| - Perl 5.18 rebuild | |
| - ship /etc/xdg/qtchooser/5.conf alternative instead (of qt5.conf) | |
| - backport: data corruption in QNetworkAccessManager | |
| - Rebuild for ICU 60.1 | |
| - Official beta release | |
| - sync latest xcb/screen/display related upstream commits | |
| - QMimeType: remove unwanted *.bin as preferredSuffix for octet-stream (fdo#101667,kde#382437) | |
| - Don't allow remote attacker to bypass security restrictions caused by | |
| flaw in certificate validation (CVE-2023-34410) | |
| Resolves: bz#2212753 | |
| - Escape macros in %changelog | |
| - 5.2.0-rc1 | |
| - revert/omit recent egl packaging changes | |
| - -doc install changes-5.* files here (#989149) | |
| - backport a couple more upstream fixes | |
| - introduce -common noarch subpkg, should help multilib issues | |
| - macros.qt5: fix %_qt5_headerdir, %_qt5_datadir, %_qt5_plugindir | |
| - refresh mariadb patch support (upstreamed version apparently incomplete) | |
| - 5.7.1 dec5 snapshot | |
| - qt5-qdoc need requires >= current version, otherwise will prevent the usage further when moved to qttools | |
| - 5.2.0-alpha | |
| - -system-harfbuzz | |
| - rename subpkg -x11 => -gui | |
| - move some gui-related plugins base => -gui | |
| - don't use symlinks in %_qt5_bindir (more qtchooser-friendly) | |
| - rebuild | |
| - do a normal build with docs | |
| - support out-of-tree build | |
| - better %check | |
| - pull in final/upstream fixes for QTBUG-51648,QTBUG-51649 | |
| - disable examples/tests in bootstrap mode | |
| - don't omit examples for bootstrap (needs work) | |
| - added private headers for Qt5 Xcb | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - add condition for rhel | |
| - add support for firebird-3.x | |
| - full build | |
| - reenable documentation | |
| - restore font rendering patch (#1052389,QTBUG-41590) | |
| - fix %pre scriptlet | |
|
|
|
| qt5-qtconnectivity-5.15.3-1.el8.x86_64.rpm | - 5.12.5 |
| Resolves: bz#1733137 | |
| - Qt 5.5.0 RC1 | |
| - out-of-tree build, use %qmake_qt5 | |
| - Qt 5.7.0 release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild | |
| - rebuild | |
| - New final upstream release Qt 5.5.0 | |
| - 5.3.1 | |
| - 5.2.1 | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - Enabled docs | |
| - 5.4.0 (final) | |
| - 5.10.1 | |
| - first try | |
| - Update RC release | |
| - New upstream version | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - Upstream Release Candidate retagged | |
| - 5.7.1 dec5 snapshot, drop cmake/pkgconfig style BR | |
| - 5.4.0-rc | |
| - filter qml provides | |
| - include the bswap patch in F-20 and F-21 builds too | |
| - 5.3.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - cleaner qtbase dep, .spec cosmetics | |
| - New upstream version | |
| - BR: cmake, use %license, update Source URL | |
| - sanitize .prl files | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Compiled with gcc | |
| - Update to final RC | |
| - 5.15.3 | |
| Resolves: bz#2061382 | |
| - 5.10.0 | |
| - Official beta release | |
| - 5.4.1 | |
| - 5.9.1 | |
| - 5.3.0 | |
| - Start to implement 5.6.0 beta | |
| - Update to 5.6.1 | |
| - 5.15.2 | |
| Resolves: bz#1930042 | |
| - Rebuild (binutils) | |
| Resolves: bz#1930042 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update for official RC1 released packages | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping macros | |
| - 5.4.2 | |
| - rebuild | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657221 | |
| - Prepare 5.7.0 | |
| - 5.4.0-beta | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - Update to final beta release | |
| - rebuild (gcc5) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - 5.11.1 | |
| - Upstream official release | |
|
|
|
| qt5-qtdeclarative-5.15.3-2.el8.x86_64.rpm | - %ix86: cannot assume sse2 (and related support) or the JIT that requires it... disable. |
| - fix qmlplugindump conflict with qt4-devel | |
| - include license files, dist/changes* | |
| - 5.3.1 | |
| - Prepare for 5.7.0 | |
| - 5.4.0 (final) | |
| - 5.2.0 | |
| - Conflict in qt5-qtdeclarative-devel (#1441343), fix Release: 1%{?dist} | |
| - Obsoletes: qt5-qtdeclarative-render2d | |
| - rebuild (gcc) | |
| - build with -fno-delete-null-pointer-checks to workaround gcc6-related runtime crashes (#1303643) | |
| - 5.15.3 + sync with Fedora | |
| Resolves: bz#2061380 | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - Disable bootstrap | |
| - rebuild | |
| - BR: cmake (cmake autoprovides) | |
| - 5.4.1 | |
| - 5.3.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update for official RC1 released packages | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuild (gcc5) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - New upstream beta release | |
| - New final upstream release Qt 5.5.0 | |
| - 5.2.1 | |
| - 5.7.1 dec5 snapshot | |
| - Official beta3 release | |
| - Add AArch64 support (RHBUG: 1040452, QTBUG-35528) | |
| - 5.9.3 | |
| - Fix cmake dir ownership | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to final beta3 release | |
| - restore bootstrap/doc macros, drop pkgconfig-style deps (for now) | |
| - New upstream beta3 release | |
| - revert commit causing regressions (QTBUG-64017) | |
| - bootstrap ppc | |
| - de-bootstrap | |
| - Second round of builds now with bootstrap enabled due to new qttools | |
| - Rebuild (binutils) | |
| Resolves: bz#1930043 | |
| - first try | |
| - support out-of-src-tree builds | |
| - %ix86: install sse2/jit version to %_qt5_libdir/sse2/ | |
| - qt5-qtjsbackend only supports ix86, x86_64 and arm | |
| - BR: gcc-c++, use %make_build %make_install %ldconfig_scriptlets | |
| - fix qmlprofiler conflict with qt-creator | |
| - Compiled with gcc | |
| - Update to 5.6.1 | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - 5.11.1 | |
| - Drop dependency on Python2 | |
| - New upstream version | |
| - 5.12.5 | |
| Resolves: bz#1733139 | |
| - New upstream version | |
| - bootstrap | |
| - backport upstream fixes | |
| - drop -fno-delete-null-pointer-checks hack (included in qt5-rpm-macros as needed now) | |
| - Update to Qt 5.5.1 RC1 | |
| - use new %qmake_qt5 macro | |
| - 5.0.2 | |
| - Upstream official release | |
| - BR: qt5-qtbase-private-devel, -devel: Provides: -private-devel | |
| - -examples subpkg | |
| - rebuild (arm/qreal) | |
| - 5.15.2 | |
| Resolves: bz#1930043 | |
| - -devel: don't own libQt5QuickWidgets.so.5 (#1337621) | |
| - Update RC release | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - use debian's i686/sse2 support patch | |
| - 5.4.0-rc | |
| - de-bootstrap | |
| - 5.3.2 | |
| - Start to implement 5.6.0 beta3, bootstrap | |
| - workaround QQuickShaderEffectSource::updatePaintNode deadlock (#1237269, kde#348385) | |
| - -docs: BuildRequires: qt5-qhelpgenerator | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657232 | |
| - 5.2.0-rc1 | |
| - Enable SSE2 | |
| - BR: qt5-rpm-macros | |
| - 5.4.2 | |
| - pull in upstream qml/jsruntime workaround (ie, apply compiler workarounds only for src/qml/) | |
| - rebuild | |
| - drop local -fno-delete-null-pointer-checks hack, used in all Qt5 builds now | |
| - add %check | |
| - 5.2.0-alpha | |
| - Obsoletes: qt5-qtjsbackend | |
| - -doc subpkg | |
| - build -doc on all archs | |
| - Update to final release 5.5.1 | |
| - tighten qtbase dep (#1233829), .spec cosmetics | |
| - Escape macros in %changelog | |
| - -qt5 wrappers for qml qmlbundle qmlmin qmlscene | |
| - 5.2.0-beta31 | |
| - use %license | |
| - Update RC tarball from git | |
| - 5.10.1 | |
| - drop useless qtdeclarative-opensource-src-5.9.0-v4bootstrap.patch, | |
| apply correct qtdeclarative-opensource-src-5.9.0-no_sse2.patch to | |
| fix the build issue in JIT on ppc64/ppc64le/s390x | |
| - BR: qt5-qtxmlpatterns-devel (#1048558) | |
| - Upstream Release Candidate retagged | |
| - epel7 bootstrapped | |
| - pull in candidate memleak fix (review#224684) | |
| - Fix BuildRequires for /usr/bin/python3 | |
| - Resolves: #1615562 | |
| - 5.1.1 | |
| - BR: mesa-dri-drivers (tests) | |
| - Upstream Release Candidate 1 | |
| - 5.9.2 | |
| - include crasher workaround (#1259472,kde#346118) | |
| - 5.6.0 final release | |
| - 5.10.0 | |
| - backport fix for older compilers (aka rhel6) | |
| - 5.9.1 | |
| - Use system double-conversion (#1078524) | |
| - fix Source URL, Release: 1%{?dist} | |
| - 5.4.0-beta3 | |
| - %ix84: drop sse2-optimized bits, need to rethink if/how to support it now | |
| - build -examples only if supported | |
| - macro'ize no_sse2 hack (to make it easier to enable/disable) | |
| - re-introduce -fno-delete-null-pointer-checks here (following upstream) | |
| - add -fno-lifetime-dse too, helps fix i686/qml crasher (#1331593) | |
| - disable tests (for now, not useful yet) | |
| - Fix V4 JIT generating bad JIT code on ARM64 | |
| Resolves: bz#2178625 | |
| - fix non-sse2 support (kde#346244) and optimize sse2 binaries | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - rebuild | |
| - Update to final RC | |
| - pull in some upstream fixes, for QTBUG-45753/kde-345544 in particular | |
| - filter qml provides | |
| - Qt 5.7.0 release | |
| - restore fix for QTBUG-45753/kde-345544 lost in 5.4.2 rebase | |
|
|
|
| qt5-qtlocation-5.15.3-1.el8.x86_64.rpm | - 5.15.2 |
| Resolves: bz#1930047 | |
| - (re) add bootstrap macro support | |
| - drop geoclue(1) dep (unused at build time anyway) (#1286886) | |
| - drop (deprecated) gypsy support (#1069225) | |
| - out-of-tree build, use %qmake_qt5 | |
| - Qt 5.5.0 RC1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild | |
| - New final upstream release Qt 5.5.0 | |
| - 5.3.1 | |
| - 5.2.1 | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - directly reference other qt5-related build deps | |
| - 5.4.0 (final) | |
| - 5.10.1 | |
| - 5.11.1 | |
| - first try | |
| - Rebuild to fix GCC 8 mis-compilation | |
| See https://da.gd/YJVwk ("GCC 8 ABI change on x86_64") | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - Upstream Release Candidate retagged | |
| - filter qml provides, BR: qt5-qtdeclarative explicitly | |
| - build -examples only when supported | |
| - build docs on all archs | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657251 | |
| - 5.4.0-rc | |
| - Official beta release | |
| - 5.3.2 | |
| - tighten qtbase dep (#1233829), .spec cosmetics, (re)enable docs | |
| - Update RC release | |
| - BR: qt5-qtbase-private-devel | |
| - New upstream version | |
| - update source URL, use %license, BR: cmake | |
| - Update to final RC | |
| - filter plugins too | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Compiled with gcc | |
| - Rebuild (binutils) | |
| Resolves: bz#1930047 | |
| - 5.4.1 | |
| - 5.10.0 | |
| - rebuild | |
| - 5.3.0 | |
| - 5.9.1 | |
| - 5.15.3 | |
| Resolves: bz#2061396 | |
| - Start to implement 5.6.0 beta | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - sanitize .prl file(s) | |
| - rebuild (gcc) | |
| - use %make_build %ldconfig_scriptlets | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - rebuild (gcc5) | |
| - 5.12.5 | |
| Resolves: bz#1733143 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update for official RC1 released packages | |
| - rebuild | |
| - (re)add bootstrap macro support | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - 5.7.1 dec5 snapshot | |
| - New upstream version | |
| - Rebuild for ICU 60.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - rebuild | |
| - -examples subpkg | |
| - 5.4.0-beta | |
| - Update to Qt 5.5.1 RC1 | |
| - BR: pkgconfig(Qt5Qml) > 5.4.0 (#1177986) | |
| - Update to final beta release | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Qt 5.7.0 release | |
| - Upstream official release | |
|
|
|
| qt5-qtmultimedia-5.15.3-1.el8.x86_64.rpm | - out-of-tree build, use %qmake_qt5 |
| - 5.4.0 (final) + backported gst1 support from dev/ branch | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 5.3.1 | |
| - New final upstream release Qt 5.5.0 | |
| - Fix spec file conditionals | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - 5.2.1 | |
| - Update to final RC | |
| - 5.10.1 | |
| - 5.11.1 | |
| - Qt 5.7.0 release | |
| - update Source URL (and refetch tarball) | |
| - improved summary/description | |
| - filter plugin provides too | |
| - 5.2.0 | |
| - wip/gstreamer1 snapshot (#1149885) | |
| - update source URL, use %license, BR: cmake | |
| - Qt 5.5.0 RC1 | |
| - 5.9.3 | |
| - 5.3.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - Upstream Release Candidate retagged | |
| - 5.7.1 dec5 snapshot, drop cmake/pkgconfig style BR | |
| - tighten qtbase dep (#1233829) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - BR: qt5-qtbase-private-devel | |
| - filter qml provides | |
| - pull in upstream fixes, QTBUG-48939 in particular | |
| - bootstrap ppc | |
| - ExclusiveArch: %{ix86} x86_64 %{arm} (to match qt5-qtdeclarative) | |
| - BR: qt5-qtdeclarative-devel | |
| - Upstream official release | |
| - first try | |
| - -devel: pkgconfig(libpulse-mainloop-glib) (#1438077) | |
| - use standard (same as qtbase) .prl sanitation | |
| - New upstream version | |
| - 5.1.1 | |
| - 5.2.0-beta1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild (arm/qreal) | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - 5.15.2 | |
| Resolves: bz#1930048 | |
| - Compiled with gcc | |
| - Update to final beta release | |
| - 5.10.0 | |
| - Official beta release | |
| - 5.4.1 | |
| - 5.9.1 | |
| - 5.15.3 | |
| Resolves: bz#2061396 | |
| - Start to implement 5.6.0 beta | |
| - include BR: qt5-qdoc only in -doc subpkg | |
| - restore bootstrap macro support | |
| - make openal support unconditional (#1069231) | |
| - Update RC release | |
| - drop gst support on el6 (QTBUG-48939) | |
| - 5.3.0 | |
| - 5.2.0-rc1 | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657249 | |
| - Update for official RC1 released packages | |
| - Rebuild (binutils) | |
| Resolves: bz#1930048 | |
| - rebuild | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - rebuild | |
| - -examples subpkg | |
| - 5.12.5 | |
| Resolves: bz#1733144 | |
| - 5.4.0-beta | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - rebuild (for pulseaudio, bug #1117683) | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - 5.0.2 | |
| - build -examples only if supported | |
|
|
|
| qt5-qtsensors-5.15.3-1.el8.x86_64.rpm | - out-of-tree build, use %qmake_qt5 |
| - 5.7.1 dec5 snapshot | |
| - New final upstream release Qt 5.5.0 | |
| - 5.3.1 | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - 5.4.0 (final) | |
| - 5.10.1 | |
| - 5.11.1 | |
| - Qt 5.7.0 release | |
| - -examples subpkg | |
| - first try | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - 5.15.3 | |
| Resolves: bz#2061401 | |
| - Upstream Release Candidate retagged | |
| - build docs on all archs | |
| - 5.4.0-rc | |
| - 5.15.2 | |
| Resolves: bz#1930052 | |
| - Official beta release | |
| - Update for official RC1 released packages | |
| - 5.3.2 | |
| - Update RC release | |
| - New upstream version | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Compiled with gcc | |
| - restore bootstrap macro support | |
| - only BR: qt5-qdoc in -doc subpkg | |
| - 5.4.1 | |
| - 5.10.0 | |
| - 5.3.0 | |
| - sanitize .prl files | |
| - 5.9.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Start to implement 5.6.0 beta | |
| - Rebuild (binutils) | |
| Resolves: bz#1930052 | |
| - Update to 5.6.1 | |
| - update source URL, BR: cmake, use %license | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - rebuild (gcc5) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733148 | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657245 | |
| - restore bootstrap macro support | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - BR: pkgconfig(Qt5Qml) > 5.4.0 (#1177985) | |
| - filter provides, BR: qtbase-private-devel qtdeclarative explicitly | |
| - rebuild | |
| - 5.2.1 | |
| - 5.4.0-beta | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to final RC | |
| - Update to Qt 5.5.1 RC1 | |
| - tighten qtbase dep (#1233829), (re)enable docs | |
| - Update to final beta release | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Upstream official release | |
|
|
|
| qt5-qtserialport-5.15.3-1.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657236 | |
| - New final upstream release Qt 5.5.0 | |
| - Compiled with gcc | |
| - Update to final release 5.5.1 | |
| - 5.4.0 (final) | |
| - 5.10.1 | |
| - 5.11.1 | |
| - first try | |
| - Update to final beta3 release | |
| - update source URL, use %license, BR: cmake | |
| - Update RC release | |
| - 5.4.0-beta3 | |
| - 5.4.1 | |
| - 5.3.2 | |
| - Qt 5.5.0 RC1 | |
| - 5.9.3 | |
| - 5.15.3 | |
| Resolves: bz#2061404 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream Release Candidate retagged | |
| - ready -examples subpkg | |
| - tighten qtbase dep (#1233829) | |
| - 5.4.0-rc | |
| - Official beta3 release | |
| - Rebuild (binutils) | |
| Resolves: bz#1930054 | |
| - Update for official RC1 released packages | |
| - 5.15.2 | |
| Resolves: bz#1930054 | |
| - out-of-tree build, use %qmake_qt5 | |
| - Upstream Release Candidate 1 | |
| - New upstream version | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Update to final RC | |
| - 5.10.0 | |
| - 5.3.0 | |
| - 5.9.1 | |
| - Start to implement 5.6.0 beta3 | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - 5.4.2 | |
| - Rebuild for broken CI | |
| Resolves: bz#1657236 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733150 | |
| - clean .prl files (buildroot, excessive deps) (#1091630) | |
| - New upstream version | |
| - Add qt5-qtserialport-examples (#1190202) | |
| - New upstream beta 3 version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - rebuild | |
| - 5.2.1 | |
| - New upstream beta version | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - 5.7.1 dec5 snapshot | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - BR: qt5-qtbase-private-devel | |
| - 5.3.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Qt 5.7.0 release | |
| - Upstream official release | |
|
|
|
| qt5-qtsvg-5.15.3-2.el8.x86_64.rpm | - rebuild (arm/qreal) |
| - New final upstream release Qt 5.5.0 | |
| - 5.3.1 | |
| - Update to final release 5.5.1 | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657241 | |
| - Rebuild (binutils) | |
| Resolves: bz#1930055 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to final RC | |
| - 5.10.1 | |
| - 5.11.1 | |
| - use macros in Source0, apply examples patch, +whitespace between .spec sections | |
| - build -doc unconditionally | |
| - Official beta3 release | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - 5.4.0 (final) | |
| - 5.15.3 | |
| Resolves: bz#2061405 | |
| - -examples subpkg | |
| - 5.4.0-beta3 | |
| - Fix out of bounds read in function QRadialFetchSimd from crafted svg file | |
| Resolves: bz#1945643 | |
| - 5.2.0 | |
| - 5.2.0-beta31 | |
| - 5.3.2 | |
| - Qt 5.5.0 RC1 | |
| - 5.9.3 | |
| - ppc bootstrap | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - Upstream Release Candidate retagged | |
| - 5.15.2 | |
| Resolves: bz#1930055 | |
| - Update to final beta3 release | |
| - 5.1.1 | |
| - tighten qtbase dep (#1233829) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - 5.4.0-rc | |
| - New upstream beta3 release | |
| - 5.7.1 dec5 snapshot | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - BR: qt5-qtbase-private-devel | |
| - Update for official RC1 released packages | |
| - first try | |
| - use standard (same as qtbase) .prl sanitation | |
| - out-of-tree build, use %qmake_qt5 | |
| - Upstream Release Candidate 1 | |
| - New upstream version | |
| - Fix out-of-bound write that may lead to DoS | |
| Resolves: bz#2038487 | |
| - 5.9.2 | |
| - Compiled with gcc | |
| - 5.6.0 final release | |
| - 5.4.1 | |
| - 5.10.0 | |
| - 5.3.0 | |
| - 5.9.1 | |
| - 5.12.5 | |
| Resolves: bz#1733151 | |
| - 5.2.0-rc1 | |
| - Update RC release | |
| - Start to implement 5.6.0 beta3 | |
| - update source URL, BR: cmake, use %license | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild | |
| - rebuild | |
| - New upstream version | |
| - (re)add bootstrap macro support | |
| - Fix uninitialized variable usage in m_unitsPerEm (CVE-2023-32573) | |
| Resolves: bz#2208141 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - rebuild | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - 5.2.1 | |
| - Update to Qt 5.5.1 RC1 | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - 5.0.2 | |
| - Qt 5.7.0 release | |
| - New upstream beta release | |
| - Upstream official release | |
|
|
|
| qt5-qttools-common-5.15.3-6.el8.noarch.rpm | - Qt 5.5.0 RC1 |
| - qttools-5.1.1 | |
| - qt5-assistant, qt5-qdbusviewer, qt5-designer-plugin-webkit subpkgs (to match qt4) | |
| - 5.3.1 | |
| - Official rc release | |
| - Rebuild (LLVM-14) | |
| Resolves: bz#2064527 | |
| - use system clucene09-core | |
| - 5.4.0 (final) | |
| - 5.2.0 | |
| - bootstrap 5.8.0 (rawhide) | |
| - Created a meta package called qt5-doctools to avoid the mess of multiple tools | |
| - Disable bootstrap | |
| - rebuild | |
| - BR: qt5-qtbase-private-devel | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - 5.4.1 | |
| - BR: pkgconfig(zlib) | |
| - -static subpkg | |
| - 5.11.1 | |
| - 5.3.0 | |
| - system-clucene patch: create path recursively in QtCLucene, CLucene can't | |
| - -assistant: Provides: bundled(clucene09) (f26+) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733152 | |
| - Rebuild (LLVM-10) | |
| Resolves: bz#1832857 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - de-bootstrap, enable -doc/-webkit | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - 5.7.1 dec5 snapshot | |
| - rebuild (gcc5) | |
| - Reenable examples. Some interfaces marked as examples are needed from phonon | |
| - Update to second rc snapshot | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - fix icon name in qdbusviewer-qt5.desktop | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657229 | |
| - Rebuild for LLVM 8.0.0 | |
| Resolves: bz#1709949 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - New final upstream release Qt 5.5.0 | |
| - libQt5Designer should be in a subpackage (#1156685) | |
| - -doc: disable(bootstrap for new clucene), drop dep on main pkg | |
| - Obsoletes: qt5-designer-plugin-webkit (upgrade path when webkit support is not enabled) | |
| - resurrect bootstrap macro (commented) | |
| - qt5-designer, qt5-linguist, qt5-qhelpgenerator subpkgs | |
| - 5.2.1 | |
| - rebuild (arm/qreal) | |
| - respin system-clucene.patch | |
| - fix Release, Obsoletes: qt5-qttools-libs-clucene (#1454531) | |
| - drop deprecated Encoding= key from .desktop files | |
| - add justification for desktop vendor usage | |
| - rebuild (gcc5) | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuild for LLVM 7.0.1 | |
| Resolves: bz#1657229 | |
| - 5.4.0-rc | |
| - out-of-tree build, use %qmake_qt5 | |
| - disable bootstrap (reenable -doc) | |
| - system-clucene patch: drop -fpermissive flag | |
| - system-clucene patch: use toLocal8Bit instead of toStdString | |
| - system_clucene: BR clucene09-core-devel >= 0.9.21b-12 (-11 was broken) | |
| - bootstrap ppc | |
| - Second round of builds now with bootstrap enabled due to new qttools | |
| - Rebuild (binutils) | |
| Resolves: bz#1930043 | |
| - lupdate can't find qmake configuration file default (#1009893) | |
| - first try | |
| - enable qdoc | |
| - Compiled with gcc | |
| - use upstream cmake fix(es) (QTBUG-32570, #1006254) | |
| - port QTBUG-43057 workaround | |
| - 5.4.0-rc | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - 5.0.2 | |
| - Upstream official release | |
| - -static: move qt_lib_uitools*.pri here (#1396836) | |
| - restore system-clucene patch, rm the bundled copy | |
| - -examples subpkg | |
| - Update RC release | |
| - Update to final RC | |
| - Rebuild (LLVM-16) | |
| Resolves: bz#2192951 | |
| - rebuild (gcc5) | |
| - 5.15.2 | |
| Resolves: bz#1930043 | |
| - Upstream beta 3 | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Remove obsolete scriptlets | |
| - de-bootstrap | |
| - add .desktop/icons for assistant, designer, linguist, qdbusviewer | |
| - 5.3.2 | |
| - Rebuild (LLVM-12) | |
| Resolves: bz#1930043 | |
| - qt5-linguist: move lconvert,lrelease,lupdate, cmake Qt5LinguistTools here | |
| - BR and rebuild against reference-counting-enabled clucene09 (#1128293) | |
| - -devel: restore Requires: qt5-designer qt5-linguist | |
| - epel7 bootstrapped | |
| - ExclusiveArch: {ix86} x86_64 {arm} | |
| - epel-6 love | |
| - de-bootstrap | |
| - 5.2.0-rc1 | |
| - Rebuild only in CentOS Stream for the right llvm links | |
| - Add explicit -latomic on 32-bit MIPS | |
| - workaround Qt5Designer.pc reference to non-existent Qt5UiPlugin.pc | |
| - install Linguist icon as linguist-qt5.png, fixes file conflict (#1169127) | |
| - Rebuild (LLVM-17) | |
| Resolves: RHEL-10694 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to final rc release | |
| - rebuild | |
| - -devel: Requires: qt5-designer-plugin-webkit | |
| - 5.6.0 final release | |
| - Rebuild (LLVM-13) | |
| Resolves: bz#2001153 | |
| - Update to final release 5.5.1 | |
| - Start to implement 5.6.0 rc, bootstrapped | |
| - Add versioned dependencies between subpackages | |
| Resolves: bz#2144798 | |
| - 5.10.1 | |
| - 5.15.3 | |
| Resolves: bz#2061406 | |
| - Upstream Release Candidate retagged | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - New upstream version | |
| - (re)fix bootstrap macro | |
| - include qt5-qdoc/qt5-qhelpgenerator build dep deps in -doc subpkg only | |
| - fix whitespace | |
| - Update for official RC1 released packages | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - de-bootstrap | |
| - 5.10.0 | |
| - 5.2.0-rc1 | |
| - Downgrade llvm_toolset version | |
| - 5.9.1 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681905 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - disable system_lucene on f26+ (#1424227, #1424046) | |
| - rebuild | |
| - Rebuild (LLVM-15) | |
| Resolves: bz#2119038 | |
| - Prepare 5.7.0 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - update source URL, use %license | |
| - 5.4.2 | |
| - Qt 5.7.0 release | |
| - wrong path to lrelease (#1006254) | |
| - %check: first try | |
|
|
|
| qt5-qttools-libs-designer-5.15.3-6.el8.x86_64.rpm | - Qt 5.5.0 RC1 |
| - qttools-5.1.1 | |
| - qt5-assistant, qt5-qdbusviewer, qt5-designer-plugin-webkit subpkgs (to match qt4) | |
| - 5.3.1 | |
| - Official rc release | |
| - Rebuild (LLVM-14) | |
| Resolves: bz#2064527 | |
| - use system clucene09-core | |
| - 5.4.0 (final) | |
| - 5.2.0 | |
| - bootstrap 5.8.0 (rawhide) | |
| - Created a meta package called qt5-doctools to avoid the mess of multiple tools | |
| - Disable bootstrap | |
| - rebuild | |
| - BR: qt5-qtbase-private-devel | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - 5.4.1 | |
| - BR: pkgconfig(zlib) | |
| - -static subpkg | |
| - 5.11.1 | |
| - 5.3.0 | |
| - system-clucene patch: create path recursively in QtCLucene, CLucene can't | |
| - -assistant: Provides: bundled(clucene09) (f26+) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733152 | |
| - Rebuild (LLVM-10) | |
| Resolves: bz#1832857 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - de-bootstrap, enable -doc/-webkit | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - 5.7.1 dec5 snapshot | |
| - rebuild (gcc5) | |
| - Reenable examples. Some interfaces marked as examples are needed from phonon | |
| - Update to second rc snapshot | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - fix icon name in qdbusviewer-qt5.desktop | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657229 | |
| - Rebuild for LLVM 8.0.0 | |
| Resolves: bz#1709949 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - New final upstream release Qt 5.5.0 | |
| - libQt5Designer should be in a subpackage (#1156685) | |
| - -doc: disable(bootstrap for new clucene), drop dep on main pkg | |
| - Obsoletes: qt5-designer-plugin-webkit (upgrade path when webkit support is not enabled) | |
| - resurrect bootstrap macro (commented) | |
| - qt5-designer, qt5-linguist, qt5-qhelpgenerator subpkgs | |
| - 5.2.1 | |
| - rebuild (arm/qreal) | |
| - respin system-clucene.patch | |
| - fix Release, Obsoletes: qt5-qttools-libs-clucene (#1454531) | |
| - drop deprecated Encoding= key from .desktop files | |
| - add justification for desktop vendor usage | |
| - rebuild (gcc5) | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuild for LLVM 7.0.1 | |
| Resolves: bz#1657229 | |
| - 5.4.0-rc | |
| - out-of-tree build, use %qmake_qt5 | |
| - disable bootstrap (reenable -doc) | |
| - system-clucene patch: drop -fpermissive flag | |
| - system-clucene patch: use toLocal8Bit instead of toStdString | |
| - system_clucene: BR clucene09-core-devel >= 0.9.21b-12 (-11 was broken) | |
| - bootstrap ppc | |
| - Second round of builds now with bootstrap enabled due new qttools | |
| - Rebuild (binutils) | |
| Resolves: bz#1930043 | |
| - lupdate can't find qmake configuration file default (#1009893) | |
| - first try | |
| - enable qdoc | |
| - Compiled with gcc | |
| - use upstream cmake fix(es) (QTBUG-32570, #1006254) | |
| - port QTBUG-43057 workaround | |
| - 5.4.0-rc | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - 5.0.2 | |
| - Upstream official release | |
| - -static: move qt_lib_uitools*.pri here (#1396836) | |
| - restore system-clucene patch, rm the bundled copy | |
| - -examples subpkg | |
| - Update RC release | |
| - Update to final RC | |
| - Rebuild (LLVM-16) | |
| Resolves: bz#2192951 | |
| - rebuild (gcc5) | |
| - 5.15.2 | |
| Resolves: bz#1930043 | |
| - Upstream beta 3 | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Remove obsolete scriptlets | |
| - de-bootstrap | |
| - add .desktop/icons for assistant, designer, linguist, qdbusviewer | |
| - 5.3.2 | |
| - Rebuild (LLVM-12) | |
| Resolves: bz#1930043 | |
| - qt5-linguist: move lconvert,lrelease,lupdate, cmake Qt5LinguistTools here | |
| - BR and rebuild against reference-counting-enabled clucene09 (#1128293) | |
| - -devel: restore Requires: qt5-designer qt5-linguist | |
| - epel7 bootstrapped | |
| - ExclusiveArch: {ix86} x86_64 {arm} | |
| - epel-6 love | |
| - de-bootstrap | |
| - 5.2.0-rc1 | |
| - Rebuild only in CentOS Stream for the right llvm links | |
| - Add explicit -latomic on 32-bit MIPS | |
| - workaround Qt5Designer.pc reference to non-existent Qt5UiPlugin.pc | |
| - install Linguist icon as linguist-qt5.png, fixes file conflict (#1169127) | |
| - Rebuild (LLVM-17) | |
| Resolves: RHEL-10694 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to final rc release | |
| - rebuild | |
| - -devel: Requires: qt5-designer-plugin-webkit | |
| - 5.6.0 final release | |
| - Rebuild (LLVM-13) | |
| Resolves: bz#2001153 | |
| - Update to final release 5.5.1 | |
| - Start to implement 5.6.0 rc, bootstrapped | |
| - Add versioned dependencies between subpackages | |
| Resolves: bz#2144798 | |
| - 5.10.1 | |
| - 5.15.3 | |
| Resolves: bz#2061406 | |
| - Upstream Release Candidate retagged | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - New upstream version | |
| - (re)fix bootstrap macro | |
| - include qt5-qdoc/qt5-qhelpgenerator build dep deps in -doc subpkg only | |
| - fix whitespace | |
| - Update for official RC1 released packages | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - de-bootstrap | |
| - 5.10.0 | |
| - 5.2.0-rc1 | |
| - Downgrade llvm_toolset version | |
| - 5.9.1 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681905 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - disable system_lucene on f26+ (#1424227, #1424046) | |
| - rebuild | |
| - Rebuild (LLVM-15) | |
| Resolves: bz#2119038 | |
| - Prepare 5.7.0 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - update source URL, use %license | |
| - 5.4.2 | |
| - Qt 5.7.0 release | |
| - wrong path to lrelease (#1006254) | |
| - %check: first try | |
|
|
|
| qt5-qttools-libs-help-5.15.3-6.el8.x86_64.rpm | - Qt 5.5.0 RC1 |
| - qttools-5.1.1 | |
| - qt5-assistant, qt5-qdbusviewer, qt5-designer-plugin-webkit subpkgs (to match qt4) | |
| - 5.3.1 | |
| - Official rc release | |
| - Rebuild (LLVM-14) | |
| Resolves: bz#2064527 | |
| - use system clucene09-core | |
| - 5.4.0 (final) | |
| - 5.2.0 | |
| - bootstrap 5.8.0 (rawhide) | |
| - Created a meta package called qt5-doctools to avoid the mess of multiple tools | |
| - Disable bootstrap | |
| - rebuild | |
| - BR: qt5-qtbase-private-devel | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - 5.4.1 | |
| - BR: pkgconfig(zlib) | |
| - -static subpkg | |
| - 5.11.1 | |
| - 5.3.0 | |
| - system-clucene patch: create path recursively in QtCLucene, CLucene can't | |
| - -assistant: Provides: bundled(clucene09) (f26+) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733152 | |
| - Rebuild (LLVM-10) | |
| Resolves: bz#1832857 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - de-bootstrap, enable -doc/-webkit | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - 5.7.1 dec5 snapshot | |
| - rebuild (gcc5) | |
| - Reenable examples. Some interfaces marked as examples are needed from phonon | |
| - Update to second rc snapshot | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - fix icon name in qdbusviewer-qt5.desktop | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657229 | |
| - Rebuild for LLVM 8.0.0 | |
| Resolves: bz#1709949 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - New final upstream release Qt 5.5.0 | |
| - libQt5Designer should be in a subpackage (#1156685) | |
| - -doc: disable(bootstrap for new clucene), drop dep on main pkg | |
| - Obsoletes: qt5-designer-plugin-webkit (upgrade path when webkit support is not enabled) | |
| - resurrect bootstrap macro (commented) | |
| - qt5-designer, qt5-linguist, qt5-qhelpgenerator subpkgs | |
| - 5.2.1 | |
| - rebuild (arm/qreal) | |
| - respin system-clucene.patch | |
| - fix Release, Obsoletes: qt5-qttools-libs-clucene (#1454531) | |
| - drop deprecated Encoding= key from .desktop files | |
| - add justification for desktop vendor usage | |
| - rebuild (gcc5) | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuild for LLVM 7.0.1 | |
| Resolves: bz#1657229 | |
| - 5.4.0-rc | |
| - out-of-tree build, use %qmake_qt5 | |
| - disable bootstrap (reenable -doc) | |
| - system-clucene patch: drop -fpermissive flag | |
| - system-clucene patch: use toLocal8Bit instead of toStdString | |
| - system_clucene: BR clucene09-core-devel >= 0.9.21b-12 (-11 was broken) | |
| - bootstrap ppc | |
| - Second round of builds now with bootstrap enabled due new qttools | |
| - Rebuild (binutils) | |
| Resolves: bz#1930043 | |
| - lupdate can't find qmake configuration file default (#1009893) | |
| - first try | |
| - enable qdoc | |
| - Compiled with gcc | |
| - use upstream cmake fix(es) (QTBUG-32570, #1006254) | |
| - port QTBUG-43057 workaround | |
| - 5.4.0-rc | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - 5.0.2 | |
| - Upstream official release | |
| - -static: move qt_lib_uitools*.pri here (#1396836) | |
| - restore system-clucene patch, rm the bundled copy | |
| - -examples subpkg | |
| - Update RC release | |
| - Update to final RC | |
| - Rebuild (LLVM-16) | |
| Resolves: bz#2192951 | |
| - rebuild (gcc5) | |
| - 5.15.2 | |
| Resolves: bz#1930043 | |
| - Upstream beta 3 | |
| - enable -doc only on primary archs (allow secondary bootstrap) | |
| - Remove obsolete scriptlets | |
| - de-bootstrap | |
| - add .desktop/icons for assistant, designer, linguist, qdbusviewer | |
| - 5.3.2 | |
| - Rebuild (LLVM-12) | |
| Resolves: bz#1930043 | |
| - qt5-linguist: move lconvert,lrelease,lupdate, cmake Qt5LinguistTools here | |
| - BR and rebuild against reference-counting-enabled clucene09 (#1128293) | |
| - -devel: restore Requires: qt5-designer qt5-linguist | |
| - epel7 bootstrapped | |
| - ExclusiveArch: {ix86} x86_64 {arm} | |
| - epel-6 love | |
| - de-bootstrap | |
| - 5.2.0-rc1 | |
| - Rebuild only in CentOS Stream for the right llvm links | |
| - Add explicit -latomic on 32-bit MIPS | |
| - workaround Qt5Designer.pc reference to non-existent Qt5UiPlugin.pc | |
| - install Linguist icon as linguist-qt5.png, fixes file conflict (#1169127) | |
| - Rebuild (LLVM-17) | |
| Resolves: RHEL-10694 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to final rc release | |
| - rebuild | |
| - -devel: Requires: qt5-designer-plugin-webkit | |
| - 5.6.0 final release | |
| - Rebuild (LLVM-13) | |
| Resolves: bz#2001153 | |
| - Update to final release 5.5.1 | |
| - Start to implement 5.6.0 rc, bootstrapped | |
| - Add versioned dependencies between subpackages | |
| Resolves: bz#2144798 | |
| - 5.10.1 | |
| - 5.15.3 | |
| Resolves: bz#2061406 | |
| - Upstream Release Candidate retagged | |
| - Qt 5 Designer has 128x128 icon in 32x32 folder (#1400972) | |
| - New upstream version | |
| - (re)fix bootstrap macro | |
| - include qt5-qdoc/qt5-qhelpgenerator build dep deps in -doc subpkg only | |
| - fix whitespace | |
| - Update for official RC1 released packages | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - de-bootstrap | |
| - 5.10.0 | |
| - 5.2.0-rc1 | |
| - Downgrade llvm_toolset version | |
| - 5.9.1 | |
| - Create a tests subpkg with unit tests for gating | |
| Resolves: bz#1681905 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - disable system_lucene on f26+ (#1424227, #1424046) | |
| - rebuild | |
| - Rebuild (LLVM-15) | |
| Resolves: bz#2119038 | |
| - Prepare 5.7.0 | |
| - Fix unit tests for gating | |
| Resolves: bz#1681905 | |
| - update source URL, use %license | |
| - 5.4.2 | |
| - Qt 5.7.0 release | |
| - wrong path to lrelease (#1006254) | |
| - %check: first try | |
|
|
|
| qt5-qtwebchannel-5.15.3-1.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild |
| - Update for final qt 5.5.1 | |
| - Update to final RC | |
| - 5.10.1 | |
| - 5.11.1 | |
| - 5.15.3 | |
| Resolves: bz#2061409 | |
| - Update to final rc release | |
| - 5.4.2 | |
| - Start to implement 5.6.0 rc | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657242 | |
| - Upstream Release Candidate retagged | |
| - update source URL, use %license, BR: cmake | |
| - tighten qtbase dep (#1233829) | |
| - Upstream official release | |
| - 5.12.5 | |
| Resolves: bz#1733155 | |
| - New upstream version | |
| - add versioned dep on qt5-qtbase due to private api usage | |
| - 5.9.2 | |
| - Compiled with gcc | |
| - 5.6.0 final release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - 5.10.0 | |
| - 5.9.1 | |
| - Rebuild (binutils) | |
| Resolves: bz#1930059 | |
| - Update RC release | |
| - 5.5.0 | |
| - Initial release. | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - 5.15.2 | |
| Resolves: bz#1930059 | |
| - Official rc release | |
| - rebuild | |
| - restore bootstrap macro support | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - 5.7.1 dec5 snapshot | |
| - New upstream version | |
| - rebuild | |
| - Update to Qt 5.5.1 RC1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - refer to other qt5- builddeps directly | |
| - Qt 5.7.0 release | |
|
|
|
| qt5-qtwebsockets-5.15.3-1.el8.x86_64.rpm | - 5.7.1 dec5 snapshot |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to final release 5.5.1 | |
| - Update to final RC | |
| - 5.10.1 | |
| - 5.11.1 | |
| - 5.4.2 | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657244 | |
| - update source URL, use %license, BR: cmake | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream beta 3 | |
| - Upstream Release Candidate retagged | |
| - build docs on all archs | |
| - tighten qtbase dep (#1233829) | |
| - BR: qt5-qtbase-private-devel | |
| - 5.15.3 | |
| Resolves: bz#2061410 | |
| - Official beta release | |
| - Upstream official release | |
| - 5.12.5 | |
| Resolves: bz#1733156 | |
| - 5.4.1 | |
| - filter qml provides, BR: qtbase qtdeclarative explicitly | |
| - Rebuild (binutils) | |
| Resolves: bz#1930060 | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Update to final beta release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - 5.10.0 | |
| - Add a public api to set max frame and message size | |
| Resolves: bz#1815187 | |
| - 5.9.1 | |
| - Start to implement 5.6.0 beta | |
| - 5.5.0 | |
| - Initial release. | |
| - Update to 5.6.1 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - rebuild | |
| - restore bootstrap macro support | |
| - New upstream version | |
| - Integrate RC release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - rebuild | |
| - 5.15.2 | |
| Resolves: bz#1930060 | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - New upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Qt 5.7.0 release | |
|
|
|
| qt5-qtx11extras-5.15.3-1.el8.x86_64.rpm | - out-of-tree build, use %qmake_qt5 |
| - Beta 3 release | |
| - New final upstream release Qt 5.5.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733158 | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - 5.3.1 | |
| - use %version macro in Source0, | |
| - use %autosetup | |
| - +whitespace between .spec sections | |
| - 5.10.1 | |
| - 5.11.1 | |
| - Update to final RC | |
| - 5.4.0 (final) | |
| - BR: cmake, update source URL, use %license | |
| - use standard (same as qtbase) .la/.prl sanitation | |
| - 5.2.0 | |
| - 5.3.2 | |
| - Qt 5.5.0 RC1 | |
| - 5.9.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Upstream Release Candidate retagged | |
| - build docs on all archs | |
| - tighten qtbase dep (#1233829) | |
| - 5.4.0-rc | |
| - Remove ppc64 exclude | |
| - Update for official RC1 released packages | |
| - Upstream official release | |
| - Rebuild (binutils) | |
| Resolves: bz#1930062 | |
| - New upstream beta | |
| - 5.3.0 | |
| - Upstream Release Candidate 1 | |
| - 5.2.0-beta1 | |
| - 5.9.2 | |
| - 5.6.0 final release | |
| - Compiled with gcc | |
| - -doc subpkg | |
| - Official beta release | |
| - 5.10.0 | |
| - 5.4.1 | |
| - rebuild (arm/qreal) | |
| - 5.9.1 | |
| - 5.15.3 | |
| Resolves: bz#2061411 | |
| - Start to implement 5.6.0 beta | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657239 | |
| - Update to 5.6.1 | |
| - Initial packaging | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - rebuild | |
| - 5.7.1 dec5 snapshot | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Bulk sad and useless attempt at consistent SPEC file formatting | |
| - rebuild | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - 5.2.1 | |
| - 5.15.2 | |
| Resolves: bz#1930062 | |
| - Update to Qt 5.5.1 RC1 | |
| - New upstream release | |
| - 5.4.0-beta | |
| - Update to final beta release | |
| - 5.2 alpha | |
| - Integrate rc packages | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Qt 5.7.0 release | |
|
|
|
| qt5-qtxmlpatterns-5.15.3-1.el8.x86_64.rpm | - New upstream version |
| - -examples subpkg | |
| - Rebuild to fix CET notes | |
| Resolves: bz#1657227 | |
| - rebuild | |
| - 5.4.0-beta3 | |
| - New final upstream release Qt 5.5.0 | |
| - 5.3.1 | |
| - 5.2.1 | |
| - Update to final release 5.5.1 | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - rebuild (arm/qreal) | |
| - 5.7.1 dec5 snapshot | |
| - Update to final beta3 release | |
| - 5.4.0 (final) | |
| - bootstrap | |
| - 5.2.0 | |
| - 5.2.0-beta31 | |
| - Qt 5.5.0 RC1 | |
| - 5.9.3 | |
| - 5.10.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - 5.2.0-alpha | |
| - -doc subpkg | |
| - Upstream Release Candidate retagged | |
| - Integrate RC builds. | |
| - 5.1.1 | |
| - tighten qtbase dep (#1233829) | |
| - BR: qt5-qtbase-private-devel, use %autosetup | |
| - 5.15.3 | |
| Resolves: bz#2061412 | |
| - Prepare 5.7.0 release | |
| - New upstream beta3 release | |
| - de-bootstrap | |
| - 5.4.0-rc | |
| - bootstrap ppc | |
| - Update for official RC1 released packages | |
| - 5.3.2 | |
| - first try | |
| - de-bootstrap | |
| - use standard (same as qtbase) .prl sanitation | |
| - out-of-tree build, use %qmake_qt5 | |
| - Upstream Release Candidate 1 | |
| - 5.3.0 | |
| - update source URL, BR: cmake, use %license | |
| - Update to final RC | |
| - epel7 bootstrapped | |
| - 5.9.2 | |
| - 5.4.1 | |
| - Compiled with gcc | |
| - 5.10.0 | |
| - %doc LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt | |
| - update Source URL | |
| - 5.9.1 | |
| - 5.6.0 release | |
| - 5.2.0-rc1 | |
| - Start to implement 5.6.0 beta3 | |
| - Update to 5.6.1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild (binutils) | |
| Resolves: bz#1930061 | |
| - -docs: BuildRequires: qt5-qhelpgenerator, standardize bootstrapping | |
| - (re)enable bootstrap | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - 5.12.5 | |
| Resolves: bz#1733157 | |
| - New upstream version | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Add qt5-qtbase-doc as requires to doc creation. | |
| - Second round of builds now with bootstrap enabled due new qttools | |
| - rebuild | |
| - Official beta3 release | |
| - rebuild (gcc5) | |
| - 5.11.1 | |
| - drop BR: cmake (handled by qt5-rpm-macros now) | |
| - drop shadow/out-of-tree builds (#1456211,QTBUG-37417) | |
| - Update to Qt 5.5.1 RC1 | |
| - build -doc on all archs | |
| - 5.15.2 | |
| Resolves: bz#1930061 | |
| - rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - rebuild (gcc5) | |
| - 5.4.2 | |
| - 5.0.2 | |
| - Qt 5.7.0 release | |
| - New upstream beta release | |
| - Beta 2 | |
| - Upstream official release | |
|
|
|
| resource-agents-4.9.0-54.el8_10.27.x86_64.rpm | - bundled urllib3: fix CVE-2025-66471 |
| - bundled urllib3: fix CVE-2026-21441 | |
| Resolves: RHEL-139760, RHEL-140787 | |
| - db2: fix monitor_retries_sleep variable name | |
| Resolves: RHEL-124815 | |
| - bundled urllib3: fix CVE-2025-66418 | |
| Resolves: RHEL-136031 | |
| - nfsserver: add ability to set e.g. "pipefs-directory=/run/nfs/rpc_pipefs" | |
| in /etc/nfs.conf to avoid issues with non-clustered Kerberized mounts | |
| Resolves: RHEL-102979 | |
|
|
|
| samba-4.19.4-12.el8_10.x86_64.rpm | - fix init script |
| - Enable VFS support and compile the "recycling" module (#69796) | |
| - more selective includes of the examples dir | |
| - resolves: #1859277 - Allow a user to use gencache | |
| - resolves: #1018856 - Fix installation of pam_winbind after upgrade. | |
| - related: #1010722 - Split out a samba-winbind-modules package. | |
| - related: #985609 | |
| - Update to Samba 4.6.3 | |
| - fix condrestart stuff | |
| - Fix usrmove paths. | |
| - resolves: #829197 | |
| - resolves: #1995849 - [RFE] Change change password change prompt phrasing | |
| - resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file | |
| - Update to Samba 4.2.0rc5 | |
| - Rebuilt for new readline. | |
| - Update to 3.4.0rc1 | |
| - New upstream version. | |
| - Updated -pie and -logfiles patches for 3.0.3pre1 | |
| - add krb5-devel to buildrequires, fixes #116560 | |
| - Add patch from Miloslav Trmac (mitr@volny.cz) to allow non-root to run | |
| "service smb status". This fixes #116559 | |
| - resolves: rhbz#2190417 - Update to version 4.18.2 | |
| - resolves: #1802182 - Fix join using netbios name | |
| - Fix the AD build. | |
| - Create samba-client-libs subpackage. | |
| - Fix multiarch issues by splitting the samba-common package. | |
| - Fix ctdb and libcephfs dependencies. | |
| - Perl 5.24 rebuild | |
| - Fix LSASD daemon | |
| - resolves: #1217346 - FreeIPA trusts to AD broken due to Samba 4.2 failure to run LSARPC pipe externally | |
| - resolves: rhbz#2190417 - Add missing tests to fix osci.brew-build.tier0.functional | |
| - Update to Samba 4.1.12. | |
| - put smbpasswd in samba-common (#25429) | |
| - logrotate changes | |
| - resolves: #1513452 - Update to Samba 4.7.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - fixed logrotate script | |
| - Activate multi channel support (switched off by default) | |
| - Update to 3.6.0pre1 | |
| - epochs from deps, req exact release | |
| - rebuild against new openssl | |
| - updated to samba 2.2.0 | |
| - moved codepages to %{_datadir}/samba/codepages | |
| - use all available CPUs for building rpm packages | |
| - use %{_xxx} defines at most places in spec-file | |
| - "License:" replaces "Copyright:" | |
| - dropped excludearch sparc | |
| - de-activated japanese patches 100 and 200 for now | |
(they need to be fixed and tested with 2.2.0) | |
| - separated swat.desktop file from spec-file and added | |
| german translations | |
| - moved /etc/sysconfig/samba to a separate source-file | |
| - use htmlview instead of direct call to netscape in | |
| swat.desktop-file | |
| - New upstream release. | |
| - Use modified filter-requires-samba.sh from packaging/RHEL/setup/ | |
| to get rid of bogus dependency on perl(Unicode::MapUTF8) | |
| - Update the -logfiles and -smb.conf patches to work with 3.0.23 | |
| - resolves: rhbz#2221594 - Fix broken symlink for libwbclient | |
| - resolves: rhbz#2221600 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes` | |
| - resolves: rhbz#2175385 - Fix access of Samba share with veto files = /.*/ | |
| - resolves: rhbz#2218237 - Fix Python tarfile extraction to avoid a warning | |
| - make winbindd start earlier in the init process, at the same time | |
| ypbind is usually started as well | |
| - add a separate init script for nmbd called nmb, we need to be able | |
to restart nmbd without dropping all smbd connections unnecessarily | |
| - update to 2.0.6 | |
| - resolves: RHEL-45842 - Fix idmap_ad with trusted domains | |
| - resolves: #1270568 - Samba fails to start after update to 4.3.0 | |
| - handle cases defined in #243766 | |
| - Update to Samba 4.0.1. | |
| - Fixes CVE-2013-0172. | |
| - Update to Samba 4.8.2 | |
| - related: rhbz#2132051 - Update to version 4.17.4 | |
| - resolves: rhbz#2154370 - Fix CVE-2022-38023 | |
| - resolves: rhbz#2142331 - Fix %U include directive for share listing (netshareenum) | |
| - resolves: rhbz#2148943 - Fix Winbind to retrieve user groups from Active Directory | |
| - Update to Samba 4.6.2 | |
| - related: #1435156 - Security fix for CVE-2017-2619 | |
| - related: #1878109 - Rebase Samba to version 4.13.3 | |
| - resolves: #1301002 - Enable avahi support | |
| - Make the talloc and ldb packages optional and disable their build within | |
| the samba3 package, they are now built as part of the samba4 package | |
| until they will both be released as independent packages. | |
| - related: #1638001 - Rebase to Samba version 4.10.4 | |
| - resolves: #1597298 - Build Samba with python3 | |
| - resolves: #1658558 - Add 'net ads leave --keep-account' option | |
| - resolves: #1669004 - Fix systemd status notifications | |
| - resolves: #1672167 - Fix printing cache timeout in debug output | |
| - resolves: #1696525 - Fix CVE-2019-3880 | |
| - rebuilt | |
| - resolves: #1337260 - Small fix to the example smb.conf file | |
| - update to 2.0.0 | |
| - resolves: #1868558 - cannot create a directory in home over SMB2, mkdirat returns EBADF | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Update to 3.2.0rc1 | |
| - resolves: #919333 - Create /run/samba too. | |
| - Security Release, fixes CVE-2008-4314 | |
| - Call ldconfig at libwbclient and -winbind-clients post(un)install time. | |
| - Fix empty localization files, use %find_lang to find and %lang-mark them. | |
| - Escape macros in %changelog. | |
| - Fix source tarball URL. | |
| - resolves: #1476175 - Create separate package for bind_dlz module | |
| - Update to Samba 4.2.0rc3 | |
| + Samba provides ctdb packages now. | |
| - Build Samba with Active Directory support! | |
| - resolves: #1300038 - PANIC: Bad talloc magic value - wrong talloc version used/mixed | |
| - related: rhbz#1980346 - Rebuild for libtalloc 0.11.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - upgrade to the latest upstream release | |
| - includes security fixes released today in 3.0.26 | |
| - Remove samba-common-tools from samba-client package as it brings back Python 2.7 | |
| - go back to stop/start for restart (-HUP didn't work in testing) | |
| - resolves: #1207381 - Fix libsystemd detection. | |
| - turn on -DLDAP_DEPRECATED to allow access to ldap functions that have | |
been deprecated in 2.3.11, but which don't have well-documented | |
| replacements (ldap_simple_bind_s(), for example). | |
| - Upgrade to 3.0.20b, which includes all the previous upstream patches. | |
| - Updated the -warnings patch for 3.0.20a. | |
| - Include --with-shared-modules=idmap_ad,idmap_rid to close | |
| bz#156810 --with-shared-modules=idmap_ad,idmap_rid | |
| - Include the new samba.pamd from Tomas Mraz (tmraz@redhat.com) to close | |
| bz#170259 pam_stack is deprecated | |
| - logrotate fixes (#65007) | |
| - rebuilt with new gnutls | |
| - Perl 5.22 rebuild | |
| - resolves: #1878109 - Rebase Samba to version 4.13.2 | |
| - resolves: #1872833 - Add samba-winexe subpackage | |
| - resolves: #1891688 - Fix CVE-2020-14323 | |
| - resolves: #1892633 - Fix CVE-2020-14318 | |
| - resolves: #1892639 - Fix CVE-2020-14383 | |
| - resolves: #1879835 - Fix CVE-2020-1472 | |
| - resolves: #1888990 - Update smb.conf manpages to describe how to apply | |
| config changes. | |
| - resolves: #1869702 - Fix %U substitution for 'valid users' option | |
| - resolves: #1818038 - Improve FIPS compliance | |
| - resolves: #1855711 - Fix 'require_membership_of' documentation in | |
| pam_winbind manpage | |
| - resolves: #1520163 - Link libaesni-intel-samba4.so with -z noexecstack | |
| - Upgrade to new upstream version | |
| - Perl 5.20 rebuild | |
| - Update to Samba 4.7.0rc5 | |
| - Create a libwbclient package. | |
| - Replace winbind-devel with libwbclient-devel package. | |
| - resolves: #1174412 - Build VFS Ceph module. | |
| - resolves: #1169067 - Move libsamba-cluster-support.so to samba-libs package. | |
| - resolves: #1016122 - Move smbpasswd to samba-common package. | |
| - Backport base64_decode patch to close CAN-2004-0500 | |
| - Backport hash patch to close CAN-2004-0686 | |
| - use_authtok patch from Nalin Dahyabhai |
|
| - smbclient-kerberos patch from Alexander Larsson |
|
| - passwd patch uses "*" instead of "x" for "hashed" passwords for | |
| accounts created by winbind. "x" means "password is in /etc/shadow" to | |
| brain-damaged pam_unix module. | |
| - resolves: #870630 - Fix scriptlets interpreting a comment as argument. | |
| - Rebuild for openldap bump | |
| - Fix systemd library detection (incomplete patch upstream) | |
| - Update to Samba 4.1.8. | |
| - resolves: #1102528 - CVE-2014-0178. | |
| - related: #1842844 - Fix TLS connections with GnuTLS | |
| - Fix #64804 | |
| - turn off mmap. ;) | |
| - resolves: #1642092 - Harden [homes] share export | |
| - resolves: #1648846 - Fix out of bound array access in ctdb | |
| - resolves: #1657266 - Fix tmp directory creation in /run | |
| - resolves: #1282931 - Fix DCE/RPC bind nak parsing | |
| - resolves: #1902198 - Document weak crypto output of testparm | |
| - Update to Samba 4.5.0rc1 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Update to 3.5.0pre2 | |
| - Remove umount.cifs | |
| - Include disable-sendfile patch to default "use sendfile" to "no". | |
| This closes #132779 | |
| - Upgrade to 2.2.8 | |
| - removed commented out patches. | |
| - removed old patches and .md5 files from the repository. | |
| - remove duplicate /sbin/chkconfig --del winbind which causes | |
| warnings when removing samba. | |
| - Fixed minor bug in smbprint that causes it to fail when called with | |
| more than 10 parameters: the accounting file (and spool directory | |
| derived from it) were being set wrong due to missing {}. This closes | |
| bug #86473. | |
| - updated smb.conf patch, includes new defaults to close bug #84822. | |
| - fixes in the spec file | |
| - moved to 3.0.25rc1 | |
| - added patches (merged upstream so they will be removed in 3.0.25rc2) | |
| - initscript munging | |
| - New upstream version | |
| - updated spec file to make libsmbclient.so executable. This closes | |
| bugzilla #121356 | |
| - i18n improvements in initscript (#26537) | |
| - resolves: #1781232 - Fix smbclient debug message | |
| - Update to Samba 4.5.1 | |
| - fix logrotate script (#13698) | |
| - Update to Samba 4.0.5. | |
| - Add UPN enumeration to passdb internal API (bso #9779). | |
| - resolves: #928947 - samba-doc is obsolete now. | |
| - resolves: #948606 - LogRotate should be optional, and not a hard "Requires". | |
| - Update to 4.0.0rc1. | |
| - rebuilt | |
| - Removed '-pie' patch - 3.0.5 uses -fPIC/-PIC, and the combination | |
| - resulted in executables getting corrupt stacks, causing smbmnt to | |
| - get a SIGBUS in the mount() call (bug 127420). | |
| - Fix typo in winbind-krb-locator post uninstall script. | |
| - rebuilt | |
| - Update to Samba 4.0.0rc5. | |
| - Fix nmbd init script nmbd reload was causing smbd not nmbd to reload the | |
| configuration | |
| - Fix upstream bug 6224, nmbd was waiting 5+ minutes before running elections on | |
| startup, causing your own machine not to show up in the network for 5 minutes | |
| if it was the only client in that workgroup (fix committed upstream) | |
| - enable encrypted passwords by default | |
| - bump again for double-long bug on ppc(64) | |
| - Fix rpminspect abidiff | |
| - related: rhbz#2077468 - Rebase Samba to 4.16.2 | |
| - add samba.schema to /etc/openldap/schema | |
| - Update to Samba 4.8.0rc2 | |
| - Move tmpfiles.d config to common package as it is needed for smbd and | |
| winbind. | |
| - Make sure tmpfiles get created after installation. | |
| - resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation | |
| - Correctly use system iniparser library | |
| - Convert more rpc modules to python3 | |
| - Explicitly specify Python artifacts in the spec to be able to catch unpackaged ones | |
| - Split 'make test' Python code into separate python2-samba-test/python3-samba-test sub-packages | |
| - Remove embedded python2-dns version, require python{2,3}-dns instead | |
| - resolves: #966130 - Fix build with MIT Kerberos. | |
| - List vfs modules in spec file. | |
| - Add dependencies for ctdb. | |
| - Use the updated filter-requires-samba.sh file, so we don't accidentally | |
| pick up a dependency on perl(Crypt::SmbHash) | |
| - Rebuild with krb5 1.18 | |
| - Resolves: #1817578 - support krb5 1.18 | |
| - resolves: RHEL-16483 - Update to version 4.19.2 | |
| - resolves: #1658690 - Add smbc_setOptionProtocols() | |
| - resolves: #1658678 - Fix spoolss client operations against Windows | |
| - Update to Samba 4.8.0rc1 | |
| - Update to 3.3.0 final | |
| - Add upstream fix for ldap connections to AD (Bug #6073) | |
| - Remove bogus perl dependencies (resolves: #473051) | |
| - Patch to allow password changes from machines patched with | |
| Microsoft hotfix MS04-011. | |
| - Include patches for https://bugzilla.samba.org/show_bug.cgi?id=1302 | |
| and https://bugzilla.samba.org/show_bug.cgi?id=1309 | |
| - related: #1499140 - Fix several dependency issues | |
| - Fix building with MIT Kerberos 1.16 | |
| - turn of SSL, kerberos | |
| - Add the /etc/samba directory to samba-common | |
| - Upgrade to new upstream 3.0.23a | |
| - include upstream samr_alias patch | |
| - Fix issues with conflicting DEBUG macros. | |
| - Teach smbadduser about "getent passwd" | |
| - Fix more pid-file references | |
| - Add (conditional) winbindd startup to the initscript, configured in | |
| /etc/sysconfig/samba | |
| - Rescue the install.mount.smbfs patch from Juanjo Villaplana | |
| (villapla@si.uji.es) to prevent building the srpm from trashing your | |
| installed /usr/bin/smbmount | |
| - Created a samba-test-libs package. | |
| - automated rebuild | |
| - update to 3.0.25b | |
| - better error codes for init scripts: #244823 | |
| - Update to Samba 4.6.0rc2 | |
| - resolves: #1214973 - Fix libwbclient alternatives link. | |
| - Fix printing tdb upgrade for 3.6.6 | |
| - resolves: #841609 | |
| - so many releases, so little time | |
| - explicitly uncomment 'printing = bsd' in sample config | |
| - Rebuilt for Python 3.7 | |
| - (these changes are from the non-head version) | |
| - Don't include /usr/sbin/samba, it's the same as the initscript | |
| - unset TMPDIR, as samba can't write into a TMPDIR owned | |
| by root (#41193) | |
| - Add pidfile: lines for smbd and nmbd and a config: line | |
| in the initscript (#15343) | |
| - don't use make -j | |
| - explicitly include /usr/share/samba, not just the files in it | |
| - Rename ldb* tools to ldb3* to avoid conflicts with newer ldb releases | |
| - resolves: #1020329 - Build glusterfs VFS plugin. | |
| - New upstream release | |
| Includes five upstream patches -bug3010_v1, -groupname_enumeration_v3, | |
| -regcreatekey_winxp_v1, -usrmgr_groups_v1, and -winbindd_v1 | |
| This obsoletes the -pie and -delim patches | |
| the -warning and -gcc4 patches are obsolete too | |
| The -man, -passwd, and -smbspool patches were updated to match 3.0.20pre1 | |
| Also, the -quoting patch was implemented differently upstream | |
| There is now a umount.cifs executable and manpage | |
| We run autogen.sh as part of the build phase | |
| The testprns command is now gone | |
| libsmbclient now has a man page | |
| - Include -bug106483 patch to close | |
| bz#106483 smbclient: -N negates the provided password, despite documentation | |
| - Added the -warnings patch to quiet some compiler warnings. | |
| - Removed many obsolete patches from CVS. | |
| - related: rhbz#2077468 - Rebase Samba to 4.16.3 | |
| - resolves: rhbz#2106672 - The pcap background queue process should not be stopped | |
| - resolves: rhbz#2106263 - Fix crash in rpcd_classic | |
| - resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name | |
| - fix pam_smbpass patch. | |
| - Create separate packages for samba-winbind and samba-winbind-devel | |
| - Add cifs.spnego helper | |
| - resolves: #1754409 - Rebase to Samba version 4.11.2 | |
| - resolves: #1776312 - Winbind is not restarted on upgrade | |
| - resolves: #1764469 - Fix CVE-2019-10218 | |
| - resolves: #1746241 - Fix CVE-2019-10197 | |
| - resolves: #1710980 - Add support for KCM ccache in pam_winbind | |
| - resolves: #1261230 - Update to Samba 4.3.1 | |
| - Update to upstream Samba 4.1.11 release | |
| - resolves: #1126015 - Fix CVE-2014-3560 | |
| - Fix pidfile locations so it runs properly again (2.2.4 | |
| added a new directive - #65007) | |
| - Create python[2|3]-samba-dc packages | |
| - Fix resolving trusted domain users on domain member | |
| - Rebase to version 4.16.4 | |
| - resolves: rhbz#2108331 - Fix CVE-2022-32742 | |
| - Update to Samba 4.1.5. | |
| - Fix required talloc version number | |
| - resolves: #516086 | |
| - Update to Samba 4.4.3 | |
| - resolves: #1332178 | |
| - add fix reported upstream for heavy idmap_ldap memleak | |
| - resolves: #1899113 - Fix following dfs links with smb clients | |
| - resolves: RHEL-16483 - Update to version 4.19.4 | |
| - Security Release, fixes CVE-2012-2111 | |
| - resolves: #817551 | |
| - /usr/lib was used in place of %{_libdir} in three locations (#72554) | |
| - Update to Samba 4.8.0rc4 | |
| - related: rbhz#2019674 - Fix CVE-2020-25717 | |
| - Add missing checks for IPA DC server role | |
| - Enable AES acceleration on Intel compatible CPUs by default | |
| - resolves: #1499140 - Move libdfs-server-ad to the correct subpackage | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 3.2.0pre2 | |
| - Add talloc and tdb lib and devel packages | |
| - Add domainjoin-gui package | |
| - resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls | |
| - munge post scripts slightly | |
| - fix a few places where "open" is used and interferes with the new glibc | |
| - configure the swat stuff usefully | |
| - re-integrate some specfile tweaks that got lost somewhere | |
| - rename samba logs (#11606) | |
| - 2.2.1, which should work better for XP | |
| - Add smbclient fix (BZO #5452) | |
| - Fix libnetconf, libnetapi and msrpc DSSETUP call | |
| - resolves: #985985 - Fix file conflict between samba and wine. | |
| - resolves: #985107 - Add support for new default location for Kerberos | |
| credential caches. | |
| - resolves: rhbz#2013596 - Rebase to version 4.15.2 | |
| - resolves: rhbz#1999294 - Remove noisy error message in winbindd | |
| - resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth | |
| with one-way trusts | |
| - resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks | |
| - related: rhbz#2190417 - Update to version 4.18.6 | |
| - resolves: rhbz#2232564 - Fix the rpc dsgetinfo command | |
| - rebuild with openssl-0.9.7e | |
| - Use separate lockdir | |
| - related: #884169 - Fix strict aliasing warnings. | |
| - related: #985609 - Update to Samba 4.1.0rc4. | |
| - resolves: #1010722 - Split out a samba-winbind-modules package. | |
| - Fix glfs_realpath allocation in vfs_glusterfs | |
| - add i18n support, japanese patch (#26253) | |
| - Rename samba-python to python2-samba | |
| - Update build requirement for libcephfs | |
| - Update to 3.4.0 | |
| - Add printadmin group for printer driver handling | |
| - swat swat | |
| - Update to Samba 4.1.2. | |
| - resolves: #1856315 - Fix net-ads-join with LDAP over TLS | |
| - make it possible to print against Vista and XP SP3 as servers | |
| - resolves: #439154 | |
| - Update to 3.2.1 | |
| - remove swat.desktop file | |
| - set passdb backend = tdbsam as default in smb.conf | |
| - remove samba-docs dependency from swat, that was a mistake | |
| - put back COPYING and other files in samba-common | |
| - put examples in samba not in samba-docs | |
| - leave only stuff under docs/ in samba-doc | |
| - resolves: #923765 - Improve packaging of README files. | |
| - Update to Samba 4.6.0rc1 | |
| - New upstream version. | |
| - include interfaces.o in pam_smbpass.so, which needs symbols from interfaces.o | |
| (patch posted to samba-list by Ilia Chipitsine) | |
| - resolves: #1574177 - Fix smbspool command line argument handling | |
| - Use workaround for winbind default domain only when set. | |
| - Build with old ctdb support. | |
| - Update to Samba 4.4.5 | |
| - resolves: #1353504 - CVE-2016-2119 | |
| - Update to Samba 4.3.3 | |
| - resolves: #1292069 | |
| - CVE-2015-3223 Remote DoS in Samba (AD) LDAP server | |
| - CVE-2015-5252 Insufficient symlink verification in smbd | |
| - CVE-2015-5296 Samba client requesting encryption vulnerable to | |
| downgrade attack | |
| - CVE-2015-5299 Missing access control check in shadow copy code | |
| - CVE-2015-7540 DoS to AD-DC due to insufficient checking of asn1 | |
| memory allocation | |
| - resolves: RHEL-101902 - Fix DC discovery after Windows netlogon hardening - follow-up | |
| - resolves: RHEL-111318 - Fix winbind fork bomb in 'IPA with AD trust' environment | |
| - related: #1638001 - Rebase to Samba version 4.10.3 | |
| - related: #1817557 - Move DECRPC mdssvc data files to correct package | |
| - resolves: #1856676 - Fix lookuprids in winbind | |
| - related: #884169 - Add direct dependency to samba-libs in the | |
| glusterfs package. | |
| - resolves: #996567 - Fix userPrincipalName composition. | |
| - related: #884169 - Fix memset call with zero length in ntdb. | |
| - initscript munging | |
| - move initscript back | |
| - remove 'Using Samba' book from %doc | |
| - move stuff to /etc/samba (#13708) | |
| - default configuration tweaks (#13704) | |
| - some logrotate tweaks | |
| - fix swat only_from line (#18726, others) | |
| - fix attempt to write outside buildroot on install (#17943) | |
| - Fix dependencies to samba-common | |
| - resolves: RHEL-115067 - Fix regression with symlinks inside shares | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for rpm dependency generator failure (#1131892) | |
| - Update to Samba 4.7.0rc6 | |
| - Update to Samba 4.0.6. | |
| - Remove SWAT. | |
| - Fix libsystemd patch (#1125086) so that it actually works | |
| - Perl 5.26 rebuild | |
| - update to 3.0.25c | |
| - related: #1754409 - Fix pidl packaging | |
| - resolves: #1024544 - Fix CVE-2013-4475. | |
| - Update to Samba 4.1.1. | |
| - Fix winbind cache upgrade. | |
| - resolves: #760137 | |
| - Update to 3.6.0rc2 | |
| - Fix CVE-2013-4496 and CVE-2013-6442. | |
| - Fix installation of pidl. | |
| - Update to 3.0.1 | |
| - Removed testparm patch as it's already merged | |
| - Removed Samba.7* man pages | |
| - Fixed .buildroot patch | |
| - Fixed .pie patch | |
| - Added new /usr/bin/tdbdump file | |
| - Add systemd integration to the service daemons. | |
| - Fix DC discovery after Windows netlogon hardening | |
| - resolves: RHEL-101902 | |
| - turn on quota support | |
| - related: #1614232 - Update to Samba 4.9.0rc3 | |
| - resolves: #1554753 - Fix CVE-2018-1050 | |
| - resolves: #1617912 - Fix CVE-2018-10858 | |
| - resolves: #1617913 - Fix CVE-2018-10918 | |
| - resolves: #1617914 - Fix CVE-2018-10919 | |
| - resolves: #1617915 - Fix CVE-2018-1139 | |
| - resolves: #1612522 - Manpage fixes | |
| - Directories reorg, tdb files must go to /var/lib, not | |
| to /var/cache, add migration script in %post common | |
| - Split out libsmbclient, devel and doc packages | |
| - Remove libmsrpc.[h|so] for now as they are not really usable | |
| - Remove kill -HUP from rotate, samba uses -HUP for other things | |
| not to reopen logs | |
| - Fix Bug #6551 (vuid and tid not set in sessionsetupX and tconX) | |
| - Specify required talloc and tdb version for BuildRequires | |
| - related: #1637861 - Fix trust creation if weak crypto is disallowed | |
| - Perl 5.18 rebuild | |
| - made the %postun script a tad less aggressive; no reason to remove | |
| the logs or lock file (after all, if the lock file is still there, | |
| samba is still running) | |
| - the %postun and %preun should only execute if this is the final | |
| removal | |
| - migrated %triggerpostun from Red Hat's samba package to work around | |
| packaging problems in some Red Hat samba releases | |
| - Add missing Requires for python modules. | |
| - Add NetworkManager dispatcher script for winbind. | |
| - resolves: RHEL-63770 - Fix notifyd performance issue | |
| - upgrade to 2.2.8a | |
| - remove old .md5 files | |
| - add "pid directory = /var/run" to the smb.conf file. Fixes #88495 | |
| - Patch from jra@dp.samba.org to fix a delete-on-close regression | |
| - resolves: #1319098 - Add missing Requires for pre-required packages | |
| - Update to Samba 4.6.0rc4 | |
| - Move pam_winbind.conf and the manpages to the right package. | |
| - Update to 3.6.4 | |
| - Fixes CVE-2012-1182 | |
| - Add fixes for libsmbclient and support for r/o relocations | |
| - Add patch from Jeremy Allison to fix IA64 alignment problems (#51497) | |
| - tweak logrotate configurations to use the PID file in /var/lock/samba | |
| - resolves: RHEL-17283 - Fix smbget password interactive authentication | |
| - Update to Samba 4.5.3 | |
| - resolves: #1405984 - CVE-2016-2123,CVE-2016-2125 and CVE-2016-2126 | |
| - Update to 3.3.4 | |
| - Update to Samba 4.8.3 | |
| - Remove python(2|3)-subunit dependency | |
| - related: rbhz#2019674 - Fix regression with 'allow trusted domains = no' | |
| - shift some files into -client | |
| - remove /home/samba from package. | |
| - new upstream release. This obsoletes the ldapsam_compat patches. | |
| - New upstream RC release. | |
| - Update the -logfiles, and -passwd patches for | |
| 3.0.23rc3 | |
| - Include the change to smb.init from Bastien Nocera | |
| to close | |
| bz#182560 Wrong retval for initscript when smbd is dead | |
| - Update this spec file to build with 3.0.23rc3 | |
| - Remove the -install.mount.smbfs patch, since we don't install | |
| mount.smbfs any more. | |
| - related: #985609 - Update to Samba 4.1.0. | |
| - update to 3.0.25a as it contains many fixes | |
| - add a fix for pam_smbpass made by Günther but committed upstream after 3.0.25a was cut. | |
| - add proper ldconfig calls | |
| - exit successfully from preun script (bug #30644). | |
| - Update to 3.4.3 | |
| - split off clients into separate package | |
| - don't run samba by default | |
| - convert to systemd | |
| - restore epoch from f15 | |
| - Upgrade to 3.0.5, which is a regression from 3.0.5pre1 for a | |
| security fix. | |
| - Include the 3.0.4-backport patch from the 3E branch. This restores | |
| some of the 3.0.5pre1 and 3.0.5rc1 functionality. | |
| - fix yp_get_default_domain in autoconf | |
| - only link against readline for smbclient | |
| - fix log rotation (#9909) | |
| - Make sure ncacn_ip_tcp client code looks for NBT_NAME_SERVER name types. | |
| - New major release, minor switched from 0 to 2 | |
| - License change, the code is now GPLv3+ | |
| - Numerous improvements and bugfixes included | |
| - package libsmbsharemodes too | |
| - remove smbldap-tools as they are already packaged separately in Fedora | |
| - Fix bug 245506 | |
| - Update to 3.4.0pre1 | |
| - 2.2.3a | |
| - Update to Samba 4.3.0rc4 | |
| - Update to Samba 4.7.0rc1 | |
| - New upstream version. | |
| - Since the rawhide kernel has dropped support for smbfs, remove smbmount | |
| and smbumount. Users should use mount.cifs instead. | |
| - Upgrade to 3.0.21b | |
| - 2.2.4 | |
| - Removed some zero-length and CVS internal files | |
| - Make it build | |
| - resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout | |
| - updated init script to use graceful restart (not stop/start) | |
| - resolves: #1033595 - Fix segfault in winbind. | |
| - Enable build of idmap_tdb2 for clustered setups | |
| - resolves: rhbz#1944657 - Update to version 4.14.4 | |
| - resolves: rhbz#1949445 - Fix CVE-2021-20254 | |
| - resolves: rhbz#1947945 - Fix libsmbldap.so.2 not being a symbolic link | |
| - resolves: rhbz#1908506 - Fix creating the gencache user directory | |
| - resolves: rhbz#1901029 - Build the vfs_io_uring module | |
| - resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname' | |
| - resolves: #1792553 - Fix 'net ads join createcomputer=OU' | |
| - Perl 5.20 mass | |
| - Update to Samba 4.7.0rc3 | |
| - Initscript fix (#70720) | |
| - related: rhbz#2013596 - Remove unneeded lmdb dependency | |
| - resolves: #1666737 - Add a new smbc_readdirplus2() function to libsmbclient | |
| - resolves: #1842844 - Fix GnuTLS priority list for TLS connections | |
| - resolves: RHEL-19753 - Fix smbget interactive authentication | |
| - Fix library dependencies of libnetapi. | |
| - Fix Obsoletes/Provides for update from samba4. | |
| - Bump release number to be bigger than samba4. | |
| - resolves: #1712378 - Fix smbspool CUPS backend | |
| - resolves: #1696612 - Fix 'net ads join -U admin@parentdomain' | |
| - Update to 3.5.0rc3 | |
| - Update to 3.2.4 | |
| - resolves: #456889 | |
| - move cifs.upcall to /usr/sbin | |
| - version 2.0.7 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Update to Samba 4.5.0rc3 | |
| - Require samba-common-tools in samba package | |
| - Require samba-common-tools in samba-client package | |
| - resolves: #1215631 - /usr/bin/net moved to samba-common-tools but the package is not required by samba | |
| - Update to 3.2.2 | |
| - final 3.0.25 | |
| - includes security fixes for CVE-2007-2444,CVE-2007-2446,CVE-2007-2447 | |
| - Update to Samba 4.7.0 | |
| - resolves: #1493441 - Security fix for CVE-2017-12150 CVE-2017-12151 CVE-2017-12163 | |
| - related: rbhz#2019674 - Fix CVE-2020-25717 | |
| - Fix running ktest (selftest) | |
| - fix typo in mount.smb | |
| - update to 2.0.5 | |
| - fix mount.smb - smbmount options changed again......... | |
| - fix postun. oops. | |
| - update some stuff from the samba team's spec file. | |
| - rebuild in new environment | |
| - Update to Samba 4.6.5 | |
| - Update to 3.4.2 | |
| - Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906 | |
| - Use alternatives to configure winbind_krb5_locator.so | |
| - Fix Requires for winbind. | |
| - New upstream version: 3.0.2 final includes security fix for #114995 | |
| (CAN-2004-0082) | |
| - Edit postun script for the -common package to restart winbind when | |
| appropriate. Fixes bugzilla #114051. | |
| - fixes for ia64 | |
| - New upstream release. | |
| - the -64bit-timestamps, -clitar, -establish_trust, user_rights_v1, | |
| winbind_find_dc_v2 patches are now obsolete. | |
| - resolves: rhbz#1974792 - Create a subpackage for vfs-io-uring | |
| - resolves: rhbz#1965397 - Raise log level for dfs ENOENT debug message | |
| - Update to 3.4.0pre2 | |
| - resolves: #1614232 - Update to Samba 4.9.1 | |
| - Update to Samba 4.0.3. | |
| - resolves: #907544 - Add unowned directory /usr/lib64/samba. | |
| - resolves: #906517 - Fix pidl code generation with gcc 4.8. | |
| - resolves: #908353 - Fix passdb backend ldapsam as module. | |
| - resolves: #1778130 - Remove usage of DES encryption types in krb5 | |
| - update to 2.0.2 | |
| - resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case | |
| - rebuild (libldb) | |
| - Update to Samba 4.2.0rc2. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Update to 3.3.3 | |
| - resolves: #872818 - Fix perl dependencies. | |
| - Update to 3.2.0pre3 | |
| - Fixes: #1219832: Samba 4.2 broke FreeIPA trusts to AD | |
| - Remove usage of deprecated API from gnutls | |
| - New upstream release. | |
| - Fix provides for of libwclient-devel for samba-winbind-devel. | |
| - Fix requirement generation for shared libraries | |
| - fix tempfile security problems (patch from | |
| - New upstream version fixes CAN-2004-0930. This obsoletes the | |
| disable-sendfile, salt, signing-shortkey and fqdn patches. | |
| - Add my | |
| - Updated the pie patch for 3.0.8. | |
| - Updated the logfiles patch for 3.0.8. | |
| - resolves: #1790353 - Fix access check in DsRGetForestTrustInformation | |
| - resolves: #1791209 - Fix CVE-2019-14907 | |
| - resolves: #1261230 - Update to Samba 4.3.2 | |
| - Various updates to inline documentation in default smb.conf file | |
| - resolves: #483703 | |
| - Many optimisations (some suggested by Manoj Kasichainula | |
| - Use of chkconfig in place of individual symlinks to /etc/rc.d/init/smb | |
| - Compounded make line | |
| - Updated smb.init restart mechanism | |
| - Use compound mkdir -p line instead of individual calls to mkdir | |
| - Fixed smb.conf file path for log files | |
| - Fixed smb.conf file path for incoming smb print spool directory | |
| - Added a number of options to smb.conf file | |
| - Added smbadduser command (missed from all previous RPMs) - Doooh! | |
| - Added smbuser file and smb.conf file updates for username map | |
| - Update to Samba 4.0.0rc6. | |
| - Add /etc/pam.d/samba for swat to work correctly. | |
| - resolves #882700 | |
| - Force samba-dc to use the same libldb version as LDB modules compiled | |
| - resolves: #1507420 - LDB / Samba module version mismatch | |
| - Update docs section to not carryover the docs/manpages directory | |
| This moved many files from /usr/share/doc/samba-3.0.7/docs/* to | |
| /usr/share/doc/samba-3.0.7/* | |
| - Modify spec file as suggested by Rex Dieter (rdieter@math.unl.edu) | |
| to correctly create libsmbclient.so.0 and to use %_initrddir instead | |
| of rolling our own. This closes #132642 | |
| - Add patch to default "use sendfile" to no, since sendfile appears to | |
| be broken | |
| - Add patch from Volker Lendecke | |
| ldapsam_compat work again. | |
| - Add patch from "Vince Brimhall" | |
| These two patches close bugzilla #132169 | |
| - Update to Samba 4.8.1 | |
| - Update to Samba 4.4.0rc4 | |
| - resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path | |
| - fix quota support, and quotas with the 2.4 kernel (#31362, #33915) | |
| - auto rebuild in the new build environment (release 3) | |
| - Update to Samba 4.2.0 | |
| - resolves: #1042845 - Do not build with libbsd. | |
| - Update to Samba 4.2.0rc4 | |
| - resolves: #1154600 - Install missing samba pam.d configuration file. | |
| - Include patch from Steven Lawrance (slawrance@yahoo.com) that modifies | |
| smbmnt to work with 32-bit uids. | |
| - resolves: RHEL-84117 - fd_handle_destructor() can panic within an smbd_smb2_close() | |
| - resolves: #972692 - Build with PIE and full RELRO. | |
| - resolves: #884169 - Add explicit dependencies suggested by rpmdiff. | |
| - resolves: #981033 - Local user's krb5cc deleted by winbind. | |
| - resolves: #984331 - Fix samba-common tmpfiles configuration file in wrong | |
| directory. | |
| - Escape macros in %changelog | |
| - #resolves: #1451486 - Add source tarball comment | |
| - New upstream version. | |
| - Include post 3.0.6 patch from "Gerald (Jerry) Carter" | |
| to fix a duplicate in the LDAP schema. | |
| - Include 64-bit timestamp patch from Ravikumar (rkumar@hp.com) | |
| to allow correct timestamp handling on 64-bit platforms and fix #126109. | |
| - reenable the -pie patch. Samba is too widely used, and too vulnerable | |
| to potential security holes to disable an important security feature | |
| like -pie. The correct fix is to have the toolchain not create broken | |
| executables when programs compiled -pie are stripped. | |
| - Remove obsolete patches. | |
| - Modify this spec file to put libsmbclient.{a,so} in the right place on | |
| x86_64 machines. | |
| - device-remove security fix again ( | |
| - remove old source | |
| - add patch to fix samba bugzilla 4772 | |
| - Enable ACLs | |
| - related: #1614232 - Update to Samba 4.9.0rc5 | |
| - resolves: #1610909 - Re-enable glusterfs vfs module | |
| - resolves: #1624170 - Build with -fstack-protector-strong if available | |
| - resolves: #1602685 - Fixed issues found by covscan | |
| - resolves: #1817557 - Rebase to version 4.12.3 | |
| - resolves: #1813833 - Fix 'net ads join createupn=' | |
| - related: #985609 - Update to Samba 4.1.0rc3. | |
| - resolves: #1005422 - Add support for KEYRING ccache type in pam_winbindd. | |
| - Update to 3.5.0rc1 | |
| - make sure all binaries are stripped | |
| - Update to Samba 4.4.0rc1 | |
| - Bump Epoch to fix a problem with a Samba4 update in testing. | |
| - resolves: rhbz#2019662 - Fix CVE-2016-2124 | |
| - resolves: rhbz#2019668 - Fix CVE-2021-23192 | |
| - resolves: rbhz#2019674 - Fix CVE-2020-25717 | |
| - Update to Samba 4.1.0rc1. | |
| - edited spec file to put .so files in the correct directories | |
| on 64-bit platforms that have 32-bit compatibility issues | |
| (sparc64, x86_64, etc). This fixes bugzilla #83782. | |
| - Added samba-2.2.7a-error.patch from twaugh. This fixes | |
| bugzilla #82454. | |
| - More spec file fixes | |
| - Update to 3.6.3 | |
| - Fixes CVE-2012-0817 | |
| - Update to 3.6.0rc1 | |
| - More spec file fixes | |
| - separate out CIFS tools into cifs-utils package | |
| - Fix the cache dir to be /var/lib/samba to support upgrades. | |
| - resolves: #1850980 - Add "additional dns hostname" to keytab | |
| - resolves: #1850981 - Add net-ads-join dnshostname=fqdn option | |
| - Move dsdb libs to python2-samba-dc | |
| - Update to 4.0.0rc2. | |
| - Update to 3.6.6 | |
| - Re-enable the x_fclose patch that was accidentally disabled | |
| in 3.0.8-0.pre1.1. This closes #135832 | |
| - include Nalin's -fqdn and -salt patches. | |
| - Avoid private krb5_locate_kdc usage | |
| - resolves: #754783 | |
| - 2.2.3 | |
| - Update to 3.6.1 | |
| - related: #1614232 - Add CTDB examples with a config migration script | |
| - resolves: #1637861 - Use GnuTLS for crypto | |
| - Update to Samba 4.7.4 | |
| - Update to Samba 4.6.4 | |
| - resolves: #1455050 - Security fix for CVE-2017-7494 | |
| - Update to Samba 4.0.0. | |
| - update to 2.0.3 | |
| - resolves: #1227911 - Enable tar support for smbclient | |
| - resolves: #1234908 - Own the /var/lib/samba directory | |
| - Enable hardened build | |
| - Package smbprint again. | |
| - Update to Samba 4.5.0 | |
| - resolves: #867893 - Move /var/log/samba to samba-common package for | |
| winbind which requires it. | |
| - Update the -man patch to fix ntlm_auth.1 too. | |
| - Move pam_smbpass.so to the -common package, so both the 32 | |
| and 64-bit versions will be installed on multiarch platforms. | |
| This closes bz#143617 | |
| - Added new -delim patch to fix mount.cifs so it can accept | |
| passwords with commas in them (via environment or credentials | |
| file) to close bz#144198 | |
| - Update to Samba 4.2.2 | |
| - updated japanese stuff (#27683) | |
| - resolves: 1375973 - Fix tevent incompatibility issue | |
| - add a patch to fix dropped reconnection attempts | |
| - Update to Samba 4.0.0rc4. | |
| - Update to 2.2.7a | |
| - Change default printing system to CUPS | |
| - Turn on pam_smbpass | |
| - Turn on msdfs | |
| - don't use rpms internal dep generator | |
| - Update to 3.5.0rc2 | |
| - automated rebuild | |
| - patch configure.ing (patch11) to disable cups test | |
| - turn off swat by default | |
| - 2.2.2 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Remove cifs.upcall and mount.cifs entirely | |
| - mount.smb/mount.smbfs go in /sbin, *not* %{_sbindir} | |
| - resolves: #1924615 - Fix a memcache bug when cache is full | |
| - resolves: #1924571 - Ensure that libwbclient has been updated before | |
| restarting services | |
| - Fix security=server | |
| - resolves: #449038, #449039 | |
| - use cp rather than mv to preserve /etc/services perms (#4938 et al). | |
| - use mktemp to generate /etc/tmp.XXXXXX file name. | |
| - add prereqs on sed/mktemp/killall (need to move killall to /bin). | |
| - fix trigger syntax (i.e. "samba < 1.9.18p7" not "samba < samba-1.9.18p7") | |
| - add a chmod in %postun so /etc/services & inetd.conf don't become unreadable | |
| - Don't include smbpasswd in samba, it's in samba-common (#51598) | |
| - Add a disabled "obey pam restrictions" statement - it's not | |
| active, as we use encrypted passwords, but if the admin turns | |
| encrypted passwords off the choice is available. (#31351) | |
| - Add python3 support | |
| - Fix %posttrans for libwbclient-devel | |
| - resolves: #1261230 - Update to Samba 4.3.4 | |
| - Update to 3.5.0 | |
| - bugfix for smbadduser script (#15148) | |
| - Update to 3.5.2 | |
| - Reduce dependencies of samba-devel and create samba-test-devel package. | |
| - Update to Samba 4.0.2. | |
| - Fixes CVE-2013-0213. | |
| - Fixes CVE-2013-0214. | |
| - resolves: #906002 | |
| - resolves: #905700 | |
| - resolves: #905704 | |
| - Fix conn->share_access which is reset between user switches. | |
| - resolves: #903806 | |
| - Add missing example and make sure we don't introduce perl dependencies. | |
| - resolves: #639470 | |
| - Enable cluster support | |
| - Add improvements to the smb.conf as suggested in #16931 | |
| - Update to Samba 4.0.7. | |
| - Update to 3.2.0 final | |
| - resolves: #452622 | |
| - integrate most of merge review proposed changes (bug #226387) | |
| - remove libsmbclient-devel-static and simply stop shipping the | |
| static version of smbclient as it seems this is deprecated and | |
| actively discouraged | |
| - resolves: RHEL-16483 - Update to version 4.19.3 | |
| - resolves: RHEL-11361 | |
| - Fix CVE-2023-3961 CVE-2023-4091 CVE-2023-42669 | |
| - resolves: RHEL-2228 - Logging Format Enhancement | |
| - resolves: RHEL-1965 - Fix smbget issues with DFS shares | |
| - resolves: RHEL-2108 - Fix force user/group issues with 'allow trusted domains = yes' | |
| - resolves: RHEL-17122 - Fix memory corruption in libnss_winbind | |
| - Fix release number | |
| - Spec file cleanup | |
| - Fix sources upstream location | |
| - Remove conditionals to build talloc and tdb, now they are completely independent | |
| packages in Fedora | |
| - Add defattr() where missing | |
| - Turn all tabs into 4 spaces | |
| - Remove unused migration script | |
| - Split winbind-clients out of main winbind package to avoid multilib to include | |
| huge packages for no good reason | |
| - Make it not depend on Net::LDAP - those are doc files and examples | |
| - Update to 3.6.0rc3 | |
| - i18n-ize initscript | |
| - add a sysconfig file for daemon options (#23550) | |
| - clarify smbpasswd man page (#23370) | |
| - build with LFS support (#22388) | |
| - avoid extraneous pam error messages (#10666) | |
| - add Urban Widmark's bug fixes for smbmount (#19623) | |
| - fix setgid directory modes (#11911) | |
| - split swat into subpackage (#19706) | |
| - Updated version and codepage info. | |
| - Release to test name resolve order | |
| - add -gcc4 patch to compile with gcc 4. | |
| - remove the now obsolete -smbclient-kerberos.patch | |
| - Include four upstream patches from | |
| http://samba.org/~jerry/patches/post-3.0.11/ | |
| (Slightly modified the winbind_find_dc_v2 patch to apply easily with | |
| rpmbuild). | |
| - rebuild | |
| - Update to Samba 4.1.9. | |
| - resolves: #1112251 - Fix CVE-2014-0244 and CVE-2014-3493. | |
| - Update to Samba 4.4.0rc2 | |
| - change PAM setup to use system-auth | |
| - Use alternatives for libwbclient. | |
| - Add cwrap to BuildRequires. | |
| - Update to 3.6.0pre3 | |
| - Remove old crufty coreutils requires | |
| - Update to Samba 4.1.3. | |
| - resolves: #1039454 - CVE-2013-4408. | |
| - resolves: #1039500 - CVE-2012-6150. | |
| - Add kerberos AES support. | |
| - Fix printing initialization. | |
| - Export arcfour_crypt_blob to Python as samba.crypto.arcfour_encrypt | |
| - Makes possible to run trust to AD in FreeIPA in FIPS mode | |
| - resolves: RHEL-33813 - Add option to request only POSIX groups from AD in idmap_ad | |
| - resolves: #1554754, #1554756 - Security fixes for CVE-2018-1050 CVE-2018-1057 | |
| - resolves: #1555112 - Update to Samba 4.8.0 | |
| - fix unresolved symbols in libsmbclient which caused applications | |
| such as KDE's konqueror to fail when accessing smb:// URLs. #139894 | |
| - resolves: #1088911 - Update to Samba 4.3.0 | |
| - Fix daemon startup with systemd | |
| - related: rhbz#2132051 - Update to version 4.17.5 | |
| - Samba 3.0.3 released. | |
| - Security update to 3.5.1 | |
| - Fixes CVE-2010-0728 | |
| - rebuild with AD DNS Update support | |
| - fix ownership in -common package | |
| - Rebuild to drop libsystemd-daemon dependency (#1125086) | |
| - Update to 3.2.0rc2 | |
| - resolves: #449522 | |
| - resolves: #448107 | |
| - turn off 64-bit locking on 32-bit platforms | |
| - Fix awk as a dependency (and require gawk) | |
| - Improve dependencies of vfs-glusterfs and vfs-cephfs. | |
| - Remove unused python_libdir. | |
| - Fix malformed changelog entries. | |
| - More spec file fixes | |
| - resolves: #1306542 - scriptlet failure because of comments | |
| - related: rhbz#1979959 - Fix typo in testparm output | |
| - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh | |
| - resolves: #1638001 - Rebase Samba to version 4.10 | |
| - Update systemd Requires to reflect latest packaging guidelines. | |
| - Add fix for CVE-2008-1105 | |
| - resolves: #446724 | |
| - minor tidy up in preparation for release of 1.9.18p5 | |
| - added findsmb utility from SGI package | |
| - fixes in smb.conf | |
| - advice in smb.conf to put scripts in /var/lib/samba/scripts | |
| - create /var/lib/samba/scripts so that selinux can be happy | |
| - fix Vista problems with msdfs errors | |
| - resolves: rhbz#2132051 - Update to version 4.17.2 | |
| - resolves: rhbz#2126174 - Fix CVE-2022-1615 | |
| - resolves: rhbz#2108487 - ctdb: Add dependency to samba-winbind-clients | |
| - use internal dep generator. | |
| - Update to 3.3.2 | |
| - resolves: #489547 | |
| - Update to Samba 4.4.2, fix badlock security bug | |
| - resolves: #1326453 - CVE-2015-5370 | |
| - resolves: #1326453 - CVE-2016-2110 | |
| - resolves: #1326453 - CVE-2016-2111 | |
| - resolves: #1326453 - CVE-2016-2112 | |
| - resolves: #1326453 - CVE-2016-2113 | |
| - resolves: #1326453 - CVE-2016-2114 | |
| - resolves: #1326453 - CVE-2016-2115 | |
| - resolves: #1326453 - CVE-2016-2118 | |
| - resolves: #1019469 - Fix winbind debug message NULL pointer dereference. | |
| - resolves: rhbz#2222884 - Fix trust relationship between workstation and DC | |
| - automatic rebuild | |
| - rebuild to get rid of cups dependency | |
| - Update to Samba 4.4.0rc5 | |
| - initscript oopsie. killproc |
|
| - fix bash2 breakage in post script | |
| - Fix systemd dependencies | |
| - resolves: #751397 | |
| - related: rhbz#1944657 - Update to version 4.14.5 | |
| - resolves: rhbz#1969787 - Fix memory leak in RPC server | |
| - resolves: rhbz#1954974 - Validate smb.conf option for domain members with testparm | |
| - resolves: rhbz#1963298 - Fix smbd trying to delete files with wrong permissions | |
| - resolves: rhbz#1890008 - Update rpcclient manpage to list all available commands | |
| - resolves: rhbz#1857254 - Update smbcacls manpage to document inheritance flags | |
| - switch to %configure | |
| - update to 2.0.4a | |
| - fix mount.smb arg ordering | |
| - rebuild | |
| - Update to 3.5.3 | |
| - Make sure nmb and smb initscripts return LSB compliant return codes | |
| - Fix winbind over ipv6 | |
| - New upstream version | |
| - Add Nalin's signing-shortkey patch. | |
| - Fix creation of /var/run/samba. | |
| - resolves: #751625 | |
| - related: #1754409 - Add patch to avoid overlinking with libnsl and libsocket | |
| - related: #1754409 - Fix permissions for pidl | |
| - related: #1754409 - Fix logrotate script | |
| - related: #1754409 - Add missing README files | |
| - resolves: rhbz#2222894 - Fix CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968 | |
| - simplify preun | |
| - add a %trigger to work around (sort of) broken scripts in | |
| previous releases | |
| - Autorebuild for GCC 4.3 | |
| - rebuild to fix dependencies | |
| - man pages are compressed | |
| - resolves: #1348899 - Import of samba.ntacls fails | |
| - do not put comments inline on smb.conf options, they may be read | |
| as part of the value (for example log files names) | |
| - 2.2.5 | |
| - related: #1781232 - Improve debug output of smbclient | |
| - resolves: #1794461 - Do not return bogus inode numbers in | |
| cli_qpathinfo2()/cli_qpathinfo3() for SMB1 | |
| - resolves: #1794442 - Fix segfault in smbd_do_qfilepathinfo() | |
| - fix tempfile security problems, officially ( |
|
| - update to 2.0.8 | |
| - resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl | |
| - Add %ghost entry for /var/run using tmpfs | |
| - resolves: #656685 | |
| - Fix the -logfiles patch to close | |
| bz#199607 Samba compiled with wrong log path. | |
| bz#199206 smb.conf has incorrect log file path | |
| - resolves: #1909647 - Fix winbind in trust scenarios with connection issues | |
| - related: #1869702 - Fix spoolss crash | |
| - resolves: #1896736 - Fix name lookups of FreeIPA users | |
| - resolves: #1899113 - Fix DFS links | |
| - 2.2.0a security fix | |
| - Mark logrotate and pam configuration files as noreplace | |
| - rebuild in new environment | |
| - resolves: RHEL-119843 - Fix stale sharemode entries which can cause deadlocks | |
| - disable the -salt patch, because it causes undefined references in | |
| libsmbclient that prevent gnome-vfs from building. | |
| - resolves: #907915 - libreplace.so => not found | |
| - Apply the DEBUG patch | |
| - Move /usr/lib{64,}/samba/libdsdb-garbage-collect-tombstones-samba4.so to samba-dc-libs | |
| - Rebuild in rawhide against new krb5 1.16 and docbook-xml | |
| - Rebuilt for switch to libxcrypt | |
| - related: #1856315 - Fix net-ads-join with LDAP over TLS | |
| - Update to Samba 4.4.4 | |
| - resolves: #1343529 | |
| - new i18n stuff | |
| - Include the corrected docs tarball, and use it instead of the | |
| obsolete docs from the upstream 3.0.8 tarball. | |
| - Update the logfiles patch to work with the updated docs. | |
| - Change all requires lines to list an explicit epoch. Closes #102715 | |
| - Add an explicit Epoch so that %{epoch} is defined. | |
| - Move winbind files to samba-common. Add separate initscript for | |
| winbind | |
| - Fixes for winbind - protect global variables with mutex, use | |
| more secure getenv | |
| - related: rhbz#1944657 - Fix possible upgrade issues | |
| - Enable PAM session control and password sync | |
| - add smbspool back in (#15827) | |
| - fix absolute symlinks (#16125) | |
| - Move the post/preun of winbind into the -common subpackage, | |
| where the script is (#66128) | |
| - Update to 4.0.0rc3. | |
| - resolves: #805562 - Unable to share print queues. | |
| - resolves: #863388 - Unable to reload smbd configuration with systemctl. | |
| - New upstream release | |
| - add my -quoting patch, to fix swat with strings that contain | |
| html meta-characters, and to use correct quote characters in | |
| lists, closing bz#134310 | |
| - include the upstream winbindd_2k3sp1 patch | |
| - include the -smbclient patch. | |
| - include the -hang patch from upstream. | |
| - Update to Samba 4.15.4 | |
| - related: rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - resolves: rhbz#2039153 - Fix CVE-2021-20316 | |
| - resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth | |
| - resolves: rhbz#2039157 - Fix CVE-2021-43566 | |
| - resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7 | |
| - resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain | |
| - resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED | |
| - Try to fix GCC 4.3 build | |
| - Add --with-dnsupdate flag and also make sure other flags are required just to | |
| be sure the features are included without relying on autodetection to be | |
| successful | |
| - set a default CA certificate path in smb.conf (#19010) | |
| - require openssl >= 0.9.5a-20 to make sure we have a ca-bundle.crt file | |
| - resolves: #1904174 - Fix ldap timeout with 'net ads join' | |
| - New upstream release that closes CAN-2004-1154 bz#142544 | |
| - Include the -64bit patch from Nalin. This closes bz#142873 | |
| - Update the -logfiles patch to work with 3.0.10 | |
| - Create /var/run/winbindd and make it part of the -common rpm to close | |
| bz#142242 | |
| - Update to Samba 4.15.5 | |
| - related: rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - resolves: rhbz#2046127 - Fix CVE-2021-44141 | |
| - resolves: rhbz#2046153 - Fix CVE-2021-44142 | |
| - resolves: rhbz#2044404 - Printing no longer works on Windows 7 | |
| - resolves: rhbz#2043154 - Fix systemd notifications | |
| - resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads) | |
| - Don't build dns and dsdb-related modules without AD DC | |
| - revert dependencies to samba-common and -tools | |
| - auth/credentials: Always set the realm if we set the principal from the ccache | |
| - resolves: #1430761 - credentials_crb5: use gss_acquire_cred for client-side GSSAPI use case | |
| - resolves: #1491137 - dcerpc/__init__.py is not packaged for py3 | |
| - Security fix for CVE-2008-3789 | |
| - Perl 5.18 rebuild | |
| - New upstream release. | |
| - sed "s|nawk|gawk|" /usr/bin/convert_smbpasswd | |
| - Add commented out 'max protocol' to the default config. | |
| - update to 1.9.18p10. | |
| - fix %triggerpostun. | |
| - Use /var/cache/samba instead of /var/lock/samba | |
| - Remove "domain controller" keyword from smb.conf, it's | |
| deprecated (from #13704) | |
| - Sync some examples with smb.conf.default | |
| - Fix password synchronization (#16987) | |
| - resolves: #1508871 - Update to Samba 4.7.1 | |
| - resolves: #1508092 - Add missing dependency for tdbbackup | |
| - resolves: rhbz#2190417 - Rebuild to trigger distrobaker sync | |
| - Update to Samba 4.5.0rc2 | |
| - resolves: rhbz#2169339 - Fix winbind memory leak | |
| - resolves: rhbz#2152899 - Fix Samba shares not accessible issue | |
| - Update to Samba 4.9.0rc2 | |
| - New upstream release | |
| - Fix packaging issue wrt idmap modules used only by smbd | |
| - Added Vista Patchset for compatibility with Windows Vista | |
| - Change default of "msdfs root", it seems to cause problems with | |
| some applications and it has been proposed to change it for | |
| 3.0.25 upstream | |
| - Fix typo in winbind-krb-locator post uninstall script. | |
| - Rebuild | |
| - Update to Samba 4.4.0 | |
| - fix for bug #176649 | |
| - Fix missing doc files. | |
| - Fix multilib issues | |
| - Update to Samba 4.3.0rc3 | |
| - Fix cli_read() | |
| - resolves: #516165 | |
| - Add "net ads join createcomputer=ou1/ou2/ou3" fix (BZO #5465) | |
| - Fix ldconfig. | |
| - Require systemd for samba-common package. | |
| - resolves: #829197 | |
| - resolves: #1088911 - Update to Samba 4.2.3 | |
| - related: #985609 - Update to Samba 4.1.0rc2. | |
| - Update to 3.6.0 final | |
| - Fix pid-file reference in logrotate script | |
| - include pam and nss modules for winbind | |
| - updated postun triggerscript to check $0 | |
| - clear /etc/codepages from %preun instead of %postun | |
| - add %dir entries for %{_libdir}/samba and %{_libdir}/samba/charset | |
| - Upgrade to new upstream version | |
| - build mount.cifs for the new cifs filesystem in the 2.6 kernel. | |
| - add copytruncate to logrotate file (#14360) | |
| - fix init script (#13708) | |
| - Update to Samba 4.6.0rc3 | |
| - turn on mmap again. Wheee. | |
| - ship smbmount on alpha | |
| - Update to Samba 4.0.4. | |
| - fix trigger. | |
| - Update to 3.3.1 | |
| - New upstream release. This obsoletes the -secret patch. | |
| Include my changetrustpw patch to make "net ads changetrustpw" stop | |
| aborting. This closes #134694 | |
| - Remove obsolete triggers for ancient samba versions. | |
| - Move /var/log/samba to the -common rpm. This closes #76628 | |
| - Remove the hack needed to get around the bad docs files in the | |
| 3.0.8 tarball. | |
| - Change the comment in winbind.init to point at the correct pidfile. | |
| This closes #76641 | |
| - resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error | |
| - fix trigger (#26859) | |
| - fix initscripts req (prereq /etc/init.d) | |
| - resolves: #1663421 - Fix perl interpreter dependencies | |
| - Rebuild with binutils fix for ppc64le (#1475636) | |
| - resolves: #996160 - Fix winbind with trusted domains. | |
| - Add back the AES patches which didn't make it in rc3. | |
| - Update to 3.5.4 | |
| - add "reload" to the usage string in the startup script | |
| - related: rhbz#2132051 - Create package dc-libs also for 'non-dc build' | |
| - Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional | |
| - related: rhbz#2132051 | |
| - Add vfs snapper module. | |
| - Add UPN enumeration to passdb internal API (bso #9779). | |
| - Use password-auth common PAM configuration instead of system-auth | |
| - New 3.0.0 final release | |
| - merge nmbd-netbiosname and testparm patches from 3E branch | |
| - updated the -logfiles patch to work against 3.0.0 | |
| - updated the pie patch | |
| - update the VERSION file during build | |
| - use make -j if available | |
| - merge the winbindd_privileged change from 3E | |
| - merge the "rm /usr/lib" patch that allows Samba to build on 64-bit | |
| platforms despite the broken Makefile | |
| - rebuilt | |
| - adjust the Requires: for the scripts, add "chkconfig --add smb" | |
| - fix trigger, again. | |
| - Temporarily remove smbtorture from samba-test due to Python 2 linkage | |
| - related: #1609661 - samba-test package cannot be installed due to unresolved dependencies | |
| - Explicitly BR: rpcsvc-proto-devel | |
| - resolves: #1552652 - Fix usage of nc in ctdb tests and only recommend it | |
| - Upgrade to 3.0.2a | |
| - 2.2.1a bugfix release | |
| - Update to Samba 4.7.3 | |
| - resolves: #1515692 - Security fix for CVE-2017-14746 and CVE-2017-15275 | |
| - resolves: RHEL-87030 - Fix winbind memory leak | |
| - 32/64bit padding fix (affects multilib installations) | |
| - script cleanups. Again. | |
| - related: #1614232 - Fix some spec file issues detected by rpmdiff | |
| - actually use the correct samba.pamd file not the old samba.pamd.stack file | |
| - fix logfiles and use upstream convention of log.* instead of our old *.log | |
| Winbindd creates its own log.* files anyway so we will be more consistent | |
| - install our own (enhanced) default smb.conf file | |
| - Fix pam_winbind acct_mgmt PAM result code (prevented local users from | |
| logging in). Fixed by Guenther. | |
| - move some files from samba to samba-common as they are used with winbindd | |
| as well | |
| - related: #1638001 - Fix package upgrades | |
| - Update to Samba 4.6.0 | |
| - remove patch for bug 106483 as it introduces a new bug that prevents | |
| the use of a credentials file with the smbclient tar command | |
| - move the samba private dir from being the same as the config dir | |
| (/etc/samba) to /var/lib/samba/private | |
| - related: #1760824 - Removed additional issues with overlinking | |
| - Update to Samba 4.1.4. | |
| - resolves: #996160 - Fix winbind nbt name lookup segfault. | |
| - update to 2.2.7 | |
| - add patch for LFS in smbclient ( |
|
| - fix one problem with mount.smb script | |
| - fix smbpasswd on sparc with a really ugly kludge | |
| - Update to 3.4.1 | |
| - Don't use /etc/samba.d in smbadduser, it should be /etc/samba | |
| - New pam configuration file for samba | |
| - Update to Samba 4.2.1 | |
| - resolves: #1213373 - Fix DEBUG macro issues in public headers | |
| - resolves: rhbz#2190417 - Update to version 4.18.4 | |
| - add a "exit 0" to the postun of the main samba package | |
| - New upstream version | |
| - use %{SOURCE1} instead of a hardcoded path | |
| - include -winbind patch from Gerald (Jerry) Carter (jerry@samba.org) | |
| https://bugzilla.samba.org/show_bug.cgi?id=1315 | |
| to make winbindd work against Windows versions that do not have | |
| 128 bit encryption enabled. | |
| - Moved %{_bindir}/net to the -common package, so that folks who just | |
| want to use winbind, etc don't have to install -client in order to | |
| "net join" their domain. | |
| - New upstream version obsoletes the patches added in 3.0.3-5 | |
| - Remove smbgetrc.5 man page, since we don't ship smbget. | |
| - resolves: rhbz#2120956 - Do not require samba package in python3-samba | |
| - Put winbind krb5 locator plugin into a separate rpm | |
| - resolves: #627181 | |
| - related: #884169 - Fix the upgrade path. | |
| - Add fix for CUPS problem, fixes bug #453951 | |
| - New upstream version | |
| - Updated configure line to remove --with-fhs and to explicitly set all | |
| the directories that --with-fhs was setting. We were overriding most of | |
| them anyway. This closes #118598 | |
| - Add "--with-utmp" to configure options (#55372) | |
| - Include winbind, pam_smbpass.so, rpcclient and smbcacls | |
| - start using /var/cache/samba, we need to keep state and there is | |
| more than just locks involved | |
| - Fix smbspool alternatives handling during samba-client uninstall | |
| - add domain parsing to mount.smb | |
| - fix arch macro which reported Vista to Samba clients. | |
| - Upgrade to 3.0.7, which fixes CAN-2004-0807 CAN-2004-0808 | |
| This obsoletes the 3.0.6-schema patch. | |
| - Update BuildRequires line to include openldap-devel openssl-devel | |
| and cups-devel | |
| - resolves: #1644327 - Segfault if wrong 'passdb backend' is configured | |
| - resolves: #1647959 - Segfault in the debug system with hardened build | |
| - Update to Samba 4.16.1 | |
| - resolves: rhbz#2077468 Rebase Samba to the latest 4.16.x release | |
| - add a %defattr for -common | |
| - resolves: #919405 - Fix and improve large_readx handling for broken clients. | |
| - resolves: #924525 - Don't use waf caching. | |
| - Use %{__python2}, not "python", as the Python2 interpreter | |
| - Add workaround to allow building with Python 2 | |
| - Change unversioned python macros to python2 | |
| - Disable gluster temporarily | |
| - Do not package Python 2 artefacts by default | |
| - Enable quota support | |
| - Fix piddir to match with systemd files. | |
| - Fix crash bug in the debug system. | |
| - resolves: #754525 | |
| - Update to 3.6.0pre2 | |
| - Update to Samba 4.4.0rc3 | |
| - enable PAM and NSS dlopen checks during build | |
| - fix unresolved symbols in libnss_wins.so (bug #198230) | |
| - Update to Samba 4.5.2 | |
| - resolves: #717484 - Enable profiling data support. | |
| - add libsmbclient.so for gnome-vfs-extras | |
| - Edit specfile to specify /var/run for pid files | |
| - Move /tmp/.winbindd/socket to /var/run/winbindd/socket | |
| - resolves: #1785134 - Fix libwbclient manual alternative settings | |
| - Do not install conflicting file _ldb_text.py | |
| - related: rhbz#2013596 - Rebase to version 4.15.3 | |
| - resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind | |
| - resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired | |
| - rebuilt | |
| - resolves: #1754575 - Avoid overlinking with librt and libpthread | |
| - resolves: #1755440 - Fix forest trusts enumeration | |
| - resolves: #1755445 - Fix CUPS username/password authentication with smbspool | |
| - Compile default auth methods into smbd. | |
| - Merge from 3.0.0-2beta3.3E | |
| - (Correct log file names (#100981).) | |
| - (Fix pidfile directory in samab.log) | |
| - (Remove obsolete samba-3.0.0beta2.tar.bz2.md5 file) | |
| - (Move libsmbclient to the -common package (#99449)) | |
| - Use Python 2 explicitly for samba-tool and other Python-based tools | |
| - Install samba.service as it is required for the AD DC case | |
| - Add libsmbclient.a w/headerfile for KDE (#62202) | |
| - add a mount.smb to make smb mounting a little easier. | |
| - smb filesystems apparently don't work on alpha. Oops. | |
| - resolves: rhbz#2059151 - Fix username map for unix groups | |
| - resolves: rhbz#2065212 - Fix 'create krb5 conf = yes' when a KDC has a single IP address. | |
| - Add libcap-devel to requires list (resolves: #488559) | |
| - Tweaks of BuildRequires (#49581) | |
| - Fix the lpq parser for better handling of LPRng systems (#69352) | |
| - add a -common package, shuffle files around. | |
| - rebuilt | |
| - Update to Samba 4.9.0rc1 | |
| - Update to Samba 4.8.0rc3 | |
| - rebuilt | |
| - resolves: rhbz#2190417 - Update to version 4.18.3 | |
| - add initdir macro to handle the initscript directory | |
| - add a new macro to handle /etc/pam.d/system-auth | |
| - Update to 3.3.0rc1 | |
| - Merge from samba-3E-branch after samba-3.0.0rc1 was released | |
| - Make the logrotate script look the correct place for the pid files | |
| - Update to 3.6.7 | |
| - relink libnss_wins.so with SHLD="%{__cc} -lnsl" to force libnss_wins.so to | |
| link with libnsl, avoiding unresolved symbol errors on functions in libnsl | |
| - include -smbspool patch to close bz#104136 | |
| - resolves: #948509 - Fix manpage correctness. | |
| - tweak the PAM code some more to try to do a setcred() after initgroups() | |
| - pull in all of the optflags on i386 and sparc | |
| - don't explicitly enable Kerberos support -- it's only used for password | |
| checking, and if PAM is enabled it's a no-op anyway | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix error in PREIN scriptlet in rpm package samba-common | |
| - related: RHEL-16483 - Update to version 4.19.4 | |
| - move to 3.0.25rc3 | |
| - always create codepages | |
| - desktop file fixes (#69505) | |
| - Fix nmbd startup | |
| - resolves: #741630 | |
| - Update to Samba 4.6.1 | |
| - resolves: #1435156 - Security fix for CVE-2017-2619 | |
| - enable Kerberos 5 and SSL support | |
| - patch for duplicate profile.h headers | |
| - resolves: rhbz#2167691 - Create package samba-tools | |
| - build as 2.2.0-1 release | |
| - skip the documentation-directories docbook, manpages and yodldocs | |
| - don't include *.sgml documentation in package | |
| - moved codepage-directory to /usr/share/samba/codepages | |
| - make it compile with glibc-2.2.3-10 and kernel-headers-2.4.2-2 | |
| - change /var/log/samba to 0700 | |
| - turn on mmap support | |
|
|
|
| setools-4.3.0-5.el8.x86_64.rpm | - Support old boolean names in policy queries (#1595572, #1581848) |
| - SETools 4.2.0 release | |
| - Disable/remove neverallow options in frontends (#2184141) | |
| - AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376) | |
| - Make seinfo output predictable (#2019961) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Python 2 binary package renamed to python2-setools | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Python 3 binary package renamed to python3-setools | |
| - bswap_* macros are defined in byteswap.h | |
| - Don't build the Python 2 subpackage (#1567362) | |
| - Update upstream source to 4.2.0-rc | |
| - setools-python{,3} packages should have a weak dependency on libselinux-python{,3} | |
| (#1447747) | |
| - New upstream release | |
| - SETools 4.3.0 release (#1820079) | |
| - Revised sediff method for TE rules. This drastically reduced memory and run time. | |
| - Added infiniband context support to seinfo, sediff, and apol. | |
| - Added apol configuration for location of Qt assistant. | |
| - Fixed sediff issue where properties header would display when not requested. | |
| - Fixed sediff issue with type_transition file name comparison. | |
| - Fixed permission map socket sendto information flow direction. | |
| - Added methods to TypeAttribute class to make it a complete Python collection. | |
| - Genfscon now will look up classes rather than using fixed values which | |
| were dropped from libsepol. | |
| - setools requires -console, -console-analyses and -gui packages (#1820078) | |
| - SELinuxPolicy: Create a map of aliases on policy load (#1672631) | |
| - Disable/remove neverallow options in sediff (#2184141) | |
| - Use | |
| CFLAGS="${CFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CFLAGS ; | |
| CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CXXFLAGS ; | |
| FFLAGS="${FFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FFLAGS ; | |
| FCFLAGS="${FCFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FCFLAGS ; | |
| LDFLAGS="${LDFLAGS:--Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld}" ; export LDFLAGS instead of -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - SETools 4.2.1 release (#1581761, #1595582) | |
| - Add support for SCTP protocol (#1568333) | |
| - Move python networkx dependency to -gui and -console-analyses | |
| - Ship sedta and seinfoflow in setools-console-analyses | |
| - New upstream release. | |
| - Move gui python files to -gui subpackage | |
| - Do not build gui and console-analyses by default | |
| - Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 | |
| - SETools 4.2.2 release | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650548 | |
| - Build setools-console-analyses and setools-gui (#1731519) | |
| - Add Provides for the old name without %_isa | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - setools-python2 requires python2-enum34 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
|
|
|
| setools-console-4.3.0-5.el8.x86_64.rpm | - Support old boolean names in policy queries (#1595572, #1581848) |
| - SETools 4.2.0 release | |
| - Disable/remove neverallow options in frontends (#2184141) | |
| - AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376) | |
| - Make seinfo output predictable (#2019961) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Python 2 binary package renamed to python2-setools | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Python 3 binary package renamed to python3-setools | |
| - bswap_* macros are defined in byteswap.h | |
| - Don't build the Python 2 subpackage (#1567362) | |
| - Update upstream source to 4.2.0-rc | |
| - setools-python{,3} packages should have a weak dependency on libselinux-python{,3} | |
| (#1447747) | |
| - New upstream release | |
| - SETools 4.3.0 release (#1820079) | |
| - Revised sediff method for TE rules. This drastically reduced memory and run time. | |
| - Added infiniband context support to seinfo, sediff, and apol. | |
| - Added apol configuration for location of Qt assistant. | |
| - Fixed sediff issue where properties header would display when not requested. | |
| - Fixed sediff issue with type_transition file name comparison. | |
| - Fixed permission map socket sendto information flow direction. | |
| - Added methods to TypeAttribute class to make it a complete Python collection. | |
| - Genfscon now will look up classes rather than using fixed values which | |
| were dropped from libsepol. | |
| - setools requires -console, -console-analyses and -gui packages (#1820078) | |
| - SELinuxPolicy: Create a map of aliases on policy load (#1672631) | |
| - Disable/remove neverallow options in sediff (#2184141) | |
| - Use | |
| CFLAGS="${CFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CFLAGS ; | |
| CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CXXFLAGS ; | |
| FFLAGS="${FFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FFLAGS ; | |
| FCFLAGS="${FCFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FCFLAGS ; | |
| LDFLAGS="${LDFLAGS:--Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld}" ; export LDFLAGS instead of -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - SETools 4.2.1 release (#1581761, #1595582) | |
| - Add support for SCTP protocol (#1568333) | |
| - Move python networkx dependency to -gui and -console-analyses | |
| - Ship sedta and seinfoflow in setools-console-analyses | |
| - New upstream release. | |
| - Move gui python files to -gui subpackage | |
| - Do not build gui and console-analyses by default | |
| - Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 | |
| - SETools 4.2.2 release | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650548 | |
| - Build setools-console-analyses and setools-gui (#1731519) | |
| - Add Provides for the old name without %_isa | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - setools-python2 requires python2-enum34 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
|
|
|
| setools-console-analyses-4.3.0-5.el8.x86_64.rpm | - Support old boolean names in policy queries (#1595572, #1581848) |
| - SETools 4.2.0 release | |
| - Disable/remove neverallow options in frontends (#2184141) | |
| - AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376) | |
| - Make seinfo output predictable (#2019961) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Python 2 binary package renamed to python2-setools | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Python 3 binary package renamed to python3-setools | |
| - bswap_* macros are defined in byteswap.h | |
| - Don't build the Python 2 subpackage (#1567362) | |
| - Update upstream source to 4.2.0-rc | |
| - setools-python{,3} packages should have a weak dependency on libselinux-python{,3} | |
| (#1447747) | |
| - New upstream release | |
| - SETools 4.3.0 release (#1820079) | |
| - Revised sediff method for TE rules. This drastically reduced memory and run time. | |
| - Added infiniband context support to seinfo, sediff, and apol. | |
| - Added apol configuration for location of Qt assistant. | |
| - Fixed sediff issue where properties header would display when not requested. | |
| - Fixed sediff issue with type_transition file name comparison. | |
| - Fixed permission map socket sendto information flow direction. | |
| - Added methods to TypeAttribute class to make it a complete Python collection. | |
| - Genfscon now will look up classes rather than using fixed values which | |
| were dropped from libsepol. | |
| - setools requires -console, -console-analyses and -gui packages (#1820078) | |
| - SELinuxPolicy: Create a map of aliases on policy load (#1672631) | |
| - Disable/remove neverallow options in sediff (#2184141) | |
| - Use | |
| CFLAGS="${CFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CFLAGS ; | |
| CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CXXFLAGS ; | |
| FFLAGS="${FFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FFLAGS ; | |
| FCFLAGS="${FCFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FCFLAGS ; | |
| LDFLAGS="${LDFLAGS:--Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld}" ; export LDFLAGS instead of -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - SETools 4.2.1 release (#1581761, #1595582) | |
| - Add support for SCTP protocol (#1568333) | |
| - Move python networkx dependency to -gui and -console-analyses | |
| - Ship sedta and seinfoflow in setools-console-analyses | |
| - New upstream release. | |
| - Move gui python files to -gui subpackage | |
| - Do not build gui and console-analyses by default | |
| - Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 | |
| - SETools 4.2.2 release | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650548 | |
| - Build setools-console-analyses and setools-gui (#1731519) | |
| - Add Provides for the old name without %_isa | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - setools-python2 requires python2-enum34 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
|
|
|
| setools-gui-4.3.0-5.el8.x86_64.rpm | - Support old boolean names in policy queries (#1595572, #1581848) |
| - SETools 4.2.0 release | |
| - Disable/remove neverallow options in frontends (#2184141) | |
| - AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376) | |
| - Make seinfo output predictable (#2019961) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Python 2 binary package renamed to python2-setools | |
| See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 | |
| - Python 3 binary package renamed to python3-setools | |
| - bswap_* macros are defined in byteswap.h | |
| - Don't build the Python 2 subpackage (#1567362) | |
| - Update upstream source to 4.2.0-rc | |
| - setools-python{,3} packages should have a weak dependency on libselinux-python{,3} | |
| (#1447747) | |
| - New upstream release | |
| - SETools 4.3.0 release (#1820079) | |
| - Revised sediff method for TE rules. This drastically reduced memory and run time. | |
| - Added infiniband context support to seinfo, sediff, and apol. | |
| - Added apol configuration for location of Qt assistant. | |
| - Fixed sediff issue where properties header would display when not requested. | |
| - Fixed sediff issue with type_transition file name comparison. | |
| - Fixed permission map socket sendto information flow direction. | |
| - Added methods to TypeAttribute class to make it a complete Python collection. | |
| - Genfscon now will look up classes rather than using fixed values which | |
| were dropped from libsepol. | |
| - setools requires -console, -console-analyses and -gui packages (#1820078) | |
| - SELinuxPolicy: Create a map of aliases on policy load (#1672631) | |
| - Disable/remove neverallow options in sediff (#2184141) | |
| - Use | |
| CFLAGS="${CFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CFLAGS ; | |
| CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection}" ; export CXXFLAGS ; | |
| FFLAGS="${FFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FFLAGS ; | |
| FCFLAGS="${FCFLAGS:--O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I/usr/lib64/gfortran/modules}" ; export FCFLAGS ; | |
| LDFLAGS="${LDFLAGS:--Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld}" ; export LDFLAGS instead of -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - SETools 4.2.1 release (#1581761, #1595582) | |
| - Add support for SCTP protocol (#1568333) | |
| - Move python networkx dependency to -gui and -console-analyses | |
| - Ship sedta and seinfoflow in setools-console-analyses | |
| - New upstream release. | |
| - Move gui python files to -gui subpackage | |
| - Do not build gui and console-analyses by default | |
| - Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 | |
| - SETools 4.2.2 release | |
| - Require platform-python-setuptools instead of python3-setuptools | |
| - Resolves: rhbz#1650548 | |
| - Build setools-console-analyses and setools-gui (#1731519) | |
| - Add Provides for the old name without %_isa | |
| - Update Python 2 dependency declarations to new packaging standards | |
| (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) | |
| - setools-python2 requires python2-enum34 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
|
|
|
| soundtouch-2.0.0-3.el8.x86_64.rpm | - Rebuilt for GCC 5 C++11 ABI change |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Fix building with automake-1.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - fix pkgconfig links | |
| - Autorebuild for GCC 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Fix compilation with gcc 4.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for buildId | |
| - Update license tag for new license guidelines compliance | |
| - Add Requires: pkgconfig to -devel subpackage | |
| - Replace installed autoheader generated header file with our own version | |
| which contains only the necessary soundtouch specific defines, thus avoiding | |
| possible conflicts with other autoheader generated headers. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New upstream release 1.4.0 | |
| - Patch makefiles so that our RPM_OPT_FLAGS get used instead of the custom | |
| upstream CFLAGS. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Add license tag. | |
| - Add back sed on -O3 . | |
| - Not modify soundtouch_config.h because looks correct, just have one line !. | |
| - Add BR: automake, because upstream uses symlinks to, instead of copies of, some | |
| needed automake files. | |
| - Add BR libtool | |
| - FE6 Rebuild | |
| - Update soundtouch to 2.0.0 | |
| - Fix compilation with libtool 2.x | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuild for the annobin fixes | |
| - Remove an unused patch | |
| - Resolves: rhbz#1704123 | |
| - initial build. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for Fedora 23 Change | |
| https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code | |
| - New upstream version 1.3.1 | |
| - Minor specfile cleanups for livna submission. | |
| - Give the .so a proper version instead of 0.0.0 | |
| - Don't use rpath in soundstretch binary | |
| - Update to 1.9.2 (#961876). | |
| - Modernize spec file. | |
| - Makefile.am handles mmx and sse flags well, so no need patch 01 and sed anymore. | |
| - Patch 02 disabled, I hope we already have asm fixed on X86_64. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
|
|
|
| sssd-dbus-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
| netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automout failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| - servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| - cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| - enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| - from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| - rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| - against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires 'krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| - recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| - kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Can't login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| - validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than priority of samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ | |
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database access on | |
| the sock_file system_bus_socket | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| - updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found in 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid | |
| new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls | |
| to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found" messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross interference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| sssd-idp-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| - servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| - cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| - enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| - from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| - rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| - against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires 'krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| - recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| - kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Cant login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| - validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than priority of samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ | |
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also add silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| - address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| - attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database access on | |
| the sock_file system_bus_socket | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| - updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| - nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| - the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| - with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| - acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| - even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| - platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| - doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include a couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid | |
| new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls | |
| - to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found" messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross interference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| sssd-tools-2.9.4-5.el8_10.3.x86_64.rpm | - Fix regressions with ipa and SELinux |
| - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security | |
| context on client is staff_u | |
| - Rebuild against new libldb | |
| - Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is | |
| omitted and auth_provider is krb5 | |
| - Fix missing file permissions for sssd-clients | |
| - added sss_client | |
| - New upstream release 1.11.2 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 | |
| - Fix build issues: Update expired certificate in unit tests | |
| - New upstream release 1.10 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 | |
| - Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal | |
| - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior | |
| - Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools | |
| - New upstream release 1.11.5 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5 | |
| - New upstream stable release 1.0.0 | |
| - New upstream release 1.9.4 | |
| - Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1369130 - nss_sss should not link against libpthread | |
| - Resolves: rhbz#1392916 - sssd fails to start after update | |
| - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses | |
| on the directory /etc/sssd | |
| - Fix uninitialized value bug causing crashes throughout the code | |
| - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup | |
| - Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it | |
| differs from the default | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Add workaround patch for RHBZ #1366403 | |
| - Fix slow login with ipa and SELinux | |
| - Resolves: upstream #2624 - Only set the selinux context if the context | |
| differs from the local one | |
| - New upstream release 1.10.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1 | |
| - New upstream release 1.13 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha | |
| - New upstream release 0.5.0 | |
| - Resolves: rhbz#1673443 - sssd man pages: The default value of | |
| "ldap_user_home_directory" is not mentioned | |
| with AD server configuration | |
| - New upstream release 1.5.1 | |
| - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Vast performance improvements when enumerate = true | |
| - All PAM actions will now perform a forced initgroups lookup instead of just | |
| - a user information lookup | |
| - This guarantees that all group information is available to other | |
| - providers, such as the simple provider. | |
| - For backwards-compatibility, DNS lookups will also fall back to trying the | |
| - SSSD domain name as a DNS discovery domain. | |
| - Support for more password expiration policies in LDAP | |
| - 389 Directory Server | |
| - FreeIPA | |
| - ActiveDirectory | |
| - Support for ldap_tls_{cert,key,cipher_suite} config options | |
| - Assorted bugfixes | |
| - Resolves: rhbz#752495 - Crash when apply settings | |
| - Fix regression with krb5_map_user | |
| - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore | |
| - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: | |
| default if nonexistent domain is mentioned | |
| - New upstream release 1.11 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 | |
| - Resolves: upstream#3684 - A group is not updated if its member is removed | |
| with the cleanup task, but the group does not | |
| change | |
| - Resolves: upstream#3558 - sudo: report error when two rules share cn | |
| - Tone down shutdown messages for socket activated responders | |
| - IPA: Qualify the externalUser sudo attribute | |
| - Resolves: upstream#3550 - refresh_expired_interval does not work with | |
| netgroups in 1.15 | |
| - Resolves: upstream#3402 - Support alternative sources for the files provider | |
| - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option | |
| - Resolves: upstream#3679 - Make nss netgroup requests more robust | |
| - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not | |
| configured | |
| - Resolves: upstream#3469 - extend sss-certmap man page regarding priority | |
| processing | |
| - Improve docs/debug message about GC detection | |
| - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes | |
| list out of bound? | |
| - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is | |
| set. | |
| - Document which principal does the AD provider use | |
| - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is | |
| defined, but contains no SIDs | |
| - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM | |
| - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data | |
| Provider returned an error | |
| [org.freedesktop.sssd.Error.DataProvider.Fatal] | |
| - Fix licenses in sources and on RPMs | |
| - Make LDB dependency a strict equivalency | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication | |
| - Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user | |
| - Fix regression on 64-bit platforms | |
| - Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work | |
| if ID provider is authenticated with GSSAPI | |
| - New stable upstream version 1.2.1 | |
| - Resolves: rhbz#595529 - spec file should eschew %define in favor of | |
| - %global | |
| - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service | |
| - to fail while restart. | |
| - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel | |
| - keyring | |
| - Resolves: rhbz#599724 - sssd is broken on Rawhide | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) | |
| - Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket | |
| - Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 | |
| - Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name | |
| - Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") | |
| - Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # | |
| - New upstream release 1.11.4 | |
| - Remove upstreamed patch | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4 | |
| - Move sssd_pac to the sssd-krb5 subpackage | |
| - python-sssdconfig: Fix parsing sssd.conf without config_file_version | |
| - Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed | |
| - Resolves: rhbz#1754996 - [sssd] Tier 0 Localization | |
| - Fix building of sssd-nfs-idmap with libnfsidmap.so.1 | |
| - Fix multicast checks in the SSSD | |
| - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source | |
| code getting the host info | |
| - New upstream release 1.5.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 | |
| - Fixes for Active Directory when not all users and groups have POSIX attributes | |
| - Fixes for handling users and groups that have name aliases (aliases are ignored) | |
| - Fix group memberships after initgroups in the IPA provider | |
| - Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6 | |
| - New upstream release 1.8.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed several memory-corruption bugs | |
| - Finalized the ABI for the autofs support | |
| - Fixed a regression in the proxy provider | |
| - New upstream release 1.5.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 | |
| - Fixes for support of FreeIPA v2 | |
| - Fixes for failover if DNS entries change | |
| - Improved sss_obfuscate tool with better interactive mode | |
| - Fix several crash bugs | |
| - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this | |
| - Delete users from the local cache if initgroups calls return 'no such user' | |
| - (previously only worked for getpwnam/getpwuid) | |
| - Use new Transifex.net translations | |
| - Better support for automatic TGT renewal (now survives restart) | |
| - Netgroup fixes | |
| - Fix incorrect tarball URL | |
| - Backport more sbus2 fixes | |
| - Related: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Resolves: rhbz#1718193 - p11_child should have an option to skip | |
| C_WaitForSlotEvent if the PKCS#11 module | |
| does not implement it properly | |
| - Rebuild against libldb 1.11 | |
| error messages with line numbers | |
| - Fix typo in libwbclient-devel %preun | |
| - Fix broken ARM build | |
| - Add missing DP_OPTION_TERMINATOR in AD provider options | |
| - Rebuild SSSD against ding-libs 0.3.0beta1 | |
| - Fix endianness bug in service map protocol | |
| - New stable upstream version 1.2.0 | |
| - Support ServiceGroups for FreeIPA v2 HBAC rules | |
| - Fix long-standing issue with auth_provider = proxy | |
| - Better logging for TLS issues in LDAP | |
| - Relax libldb BuildRequires to be greater-or-equal | |
| - Remove the ability to create public ccachedir (#1015089) | |
| - Fix ipa-migration bug | |
| - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled | |
| migration mode | |
| - Only create the SELinux login file if there are SELinux mappings on | |
| the IPA server | |
| - Fixes a serious memory hierarchy bug causing unpredictable behavior in the | |
| LDAP provider. | |
| - New upstream release 1.6.4 | |
| - Rolls up previous patches applied to the 1.6.3 tarball | |
| - Fixes a rare issue causing crashes in the failover logic | |
| - Fixes an issue where SSSD would return the wrong PAM error code for users | |
| that it does not recognize. | |
| - Also relax libldb Requires | |
| - Remove --enable-ldb-version-check | |
| - New upstream release 1.9.0 beta7 | |
| - obsoletes patches #1-#3 | |
| - Handle OTP response from FreeIPA server gracefully | |
| - Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong | |
| subdomain service name being used | |
| - Apply a number of patches from upstream to fix issues found post-beta, | |
| in particular: | |
| -- segfault with a high DEBUG level | |
| -- Fix IPA password migration (upstream #1873) | |
| -- Fix fail over when retrying SRV resolution (upstream #1886) | |
| - Small cleanup and fixes in the spec file | |
| - New upstream release 1.16.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html | |
| - New upstream release 1.1.1 | |
| - Fixed the IPA provider (which was segfaulting at start) | |
| - Fixed a bug in the SSSDConfig API causing some options to revert to | |
| - their defaults | |
| - This impacted the Authconfig UI | |
| - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal | |
| - New upstream release 1.5.3 | |
| - Support for libldb >= 1.0.0 | |
| - Recreate Kerberos ccache directory if it's missing | |
| - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache | |
| directory /run/user/UID/ccdir does not exist | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory | |
| - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file | |
| - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout | |
| - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests | |
| - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found | |
| - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group | |
| - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable | |
| - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. | |
| - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf | |
| - New upstream release 1.5.9 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 | |
| - Support for overriding home directory, shell and primary GID locally | |
| - Properly honor TTL values from SRV record lookups | |
| - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP | |
| servers) | |
| - Properly escape IPv6 addresses in the failover code | |
| - Do not crash if inotify fails (e.g. resource exhaustion) | |
| - Don't add multiple TGT renewal callbacks (too many log messages) | |
| - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] | |
| - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z] | |
| - Resolves: RHEL-76022 - Use the DN from existing entry when updating a cached group [rhel-8.10.z] | |
| - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" | |
| - Resolves: rhbz#1736265 - Smart Card auth of local user: endless | |
| loop if wrong PIN was provided | |
| - Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system | |
| - New upstream release 1.13.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4 | |
| - Fix tests on big-endian | |
| - Fix previous changelog entry | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Resolves: rhbz#1382750 - Conflicting default timeout values | |
| - Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the | |
| systemd-user service in the account phase in RHEL-8 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache | |
| - Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' | |
| - Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') | |
| - Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest | |
| - Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf | |
| - Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] | |
| - Resolves: RHEL-10721 - very bad performance when requesting service tickets | |
| - Resolves: RHEL-19011 - Invalid handling groups from child domain | |
| - Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] | |
| - Rebuild for Python 3.6 | |
| - Fix Obsoletes: to account for dist tag | |
| - Convert post and pre scripts to run on the sssd-common subpackage | |
| - Remove old conversion from SYSV | |
| - Add a patch to fix krb5 unit tests | |
| raise(): /usr/libexec/sssd/sssd_autofs killed by 6 | |
| - New upstream release 1.12 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2 | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 | |
| - Patch SSSDConfig API to address | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=549482 | |
| - Move the sss_cache tool to the main package | |
| - Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache | |
| - Fixed "requires/provides" rpmdiff warning | |
| - Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites | |
| cached password with predictable filename | |
| - New upstream release 1.12 beta1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1 | |
| - Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during | |
| realm join | |
| - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by | |
| default for AD Provider | |
| - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file | |
| parent directory when logging in | |
| - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied | |
| - Switch unicode library from libunistring to Glib | |
| - Drop unnecessary explicit Requires on keyutils | |
| - Guarantee that versioned Requires include the correct architecture | |
| - Fix OTP bug | |
| - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were | |
| entered separately | |
| - Backport upstream patches required by FreeIPA 4.2.1 | |
| - the cmocka toolkit exists only on selected arches | |
| - Backport few upstream patches/fixes | |
| - Fix double free in monitor | |
| - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): | |
| sssd killed by SIGABRT | |
| - New upstream release 1.14 alpha | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha | |
| - Resolves: rhbz#1615460 - Rebase SSSD to the latest released version | |
| - Split internal helper libraries into a shared object | |
| - Significantly reduce disk-space usage | |
| - Resolves: rhbz#1657980 - sssd_nss memory leak | |
| - Fix a couple of segfaults that may happen on reload | |
| - New upstream release 1.9.3 | |
| - Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases | |
| - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs | |
| - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL | |
| - Related: rhbz#1638006 - Files: The files provider always enumerates | |
| which causes duplicate when running getent passwd | |
| - Cherry-pick patches from upstream that enable the files provider | |
| - Enable the files domain | |
| - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch | |
| which is superseded by the files domain autoconfiguration | |
| - Related: rhbz#1357418 - SSSD fast cache for local users | |
| - Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be | |
| specified up to the seconds | |
| - Rebuild against PCRE 8.30 | |
| - Resolves: upstream#3573 - sssd won't show netgroups with blank domain | |
| - Resolves: upstream#3660 - confdb_expand_app_domains() always fails | |
| - Resolves: upstream#3658 - Application domain is not interpreted correctly | |
| - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to | |
| json_loads() | |
| - Resolves: upstream#3386 - KCM: Payload buffer is too small | |
| - Resolves: upstream#3666 - Fix usage of str.decode() in our tests | |
| - A few KCM misc fixes | |
| - Related: rhbz#1637131 - pam_unix unable to match fully qualified username | |
| provided by sssd during smartcard auth using gdm | |
| - sssd-tools should require sssd-common, not sssd | |
| - Fix systemd conversion. Upgrades from SysV to systemd weren't properly | |
| enabling the systemd service. | |
| - Fix a serious memory leak in the memberOf plugin | |
| - Fix an issue where the user's full name would sometimes be removed | |
| from the cache | |
| - Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss | |
| suggests using * for backend sss | |
| - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during | |
| rpmbuild | |
| - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile | |
| with no specific host/hostgroup set | |
| - Resolves: upstream#3621 - FleetCommander integration must not require | |
| capability DAC_OVERRIDE | |
| - latest upstream release. | |
| - also add a patch that fixes debugging output (potential segfault) | |
| - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 | |
| - Fix two minor manpage bugs | |
| - Include the IPA AutoFS provider | |
| - Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate | |
| against LDAP | |
| - New upstream release 1.9.0 beta 3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 | |
| - Add a new PAC responder for dealing with cross-realm Kerberos trusts | |
| - Terminate idle connections to the NSS and PAM responders | |
| - New upstream release 1.6.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 | |
| - Fixes a serious issue with LDAP connections when the communication is | |
| dropped (e.g. VPN disconnection, waking from sleep) | |
| - SSSD is now less strict when dealing with users/groups with multiple names | |
| when a definitive primary name cannot be determined | |
| - The LDAP provider will no longer attempt to canonicalize by default when | |
| using SASL. An option to re-enable this has been provided. | |
| - Fixes for non-standard LDAP attribute names (e.g. those used by Active | |
| Directory) | |
| - Three HBAC regressions have been fixed. | |
| - Fix for an infinite loop in the deref code | |
| - Resolves: rhbz#1578014 - sssd does not work under non-root user | |
| - Note: Actually the patches were in the 2.0.0-37, this one just adds this | |
| changelog because it was missing. | |
| - Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus | |
| - Resolves: rhbz#1179379 - gzip: stdin: file size changed while | |
| zipping when rotating logfile | |
| - Add a patch to fix krb5 ccache creation issue with krb5 1.11 | |
| - Fix %postun | |
| - Related: rhbz#2132051 - Rebase Samba to the latest 4.17.x release | |
| Rebuild against Samba rebase. | |
| - New upstream release 1.9.0 beta 5 | |
| - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 | |
| - Many fixes for the support for setting default SELinux user context from | |
| FreeIPA, most notably fixed the specificity evaluation | |
| - Fixed an incorrect default in the krb5_canonicalize option of the AD | |
| provider which was preventing password change operation | |
| - The shadowLastChange attribute value is now correctly updated with the | |
| number of days since the Epoch, not seconds | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets | |
| - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
| - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 | |
| - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf | |
| - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP | |
| - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect | |
| - Resolves: rhbz#2098617 - Harden kerberos ticket validation | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. | |
| - Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization | |
| - Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list | |
| - Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged | |
| - Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires 'krb5_validate = false' as a work-around | |
| - Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) | |
| - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 | |
| - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy | |
| - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files | |
| - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' | |
| - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure | |
| - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] | |
| - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization | |
| - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working | |
| - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides | |
| - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuild sssd against libldb 1.0.2 so the memberof module loads again. | |
| - Related: rhbz#677425 | |
| - Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules | |
| - Fix memberOf install path | |
| - Resolves: upstream#3618 - selinux_child segfaults in a docker container | |
| - Don't duplicate libsss_autofs.so in two packages | |
| - Set explicit package contents instead of globbing | |
| - New upstream release 1.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0 | |
| - Release SSSD 1.1.0 final | |
| - Fix two potential segfaults | |
| - Fix memory leak in monitor | |
| - Better error message for unusable confdb | |
| - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working | |
| - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema | |
| - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf | |
| - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 | |
| - New upstream release 1.16.0 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html | |
| - Rebuild against new ding-libs | |
| - Resolves: rhbz#677768 - name service caches names, so id command shows | |
| recently deleted users | |
| - Backport several patches from upstream. | |
| - Fix a potential crash against old (pre-4.0) IPA servers | |
| - Release candidate for SSSD 1.1 | |
| - Add simple access provider | |
| - Create subpackages for libcollection, libini_config, libdhash and librefarray | |
| - Support IPv6 | |
| - Support LDAP referrals | |
| - Fix cache issues | |
| - Better feedback from PAM when offline | |
| - Resolves: rhbz#1646113 - Missing concise documentation about valid options | |
| for sssd-files-provider | |
| - Fix segfault in TGT renewal | |
| - Improved handling of users and groups with multi-valued name attributes | |
| (aliases) | |
| - Performance enhancements | |
| Initgroups on RFC2307bis/FreeIPA | |
| HBAC rule processing | |
| - Improved process-hang detection and restarting | |
| - Enabled the midpoint cache refresh by default (fewer cache misses on | |
| commonly-used entries) | |
| - Cleaned up the example configuration | |
| - New tool to change debug level on the fly | |
| - New upstream release 1.5.8 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 | |
| - Support for the LDAP paging control | |
| - Support for multiple DNS servers for name resolution | |
| - Fixes for several group membership bugs | |
| - Fixes for rare crash bugs | |
| - Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 | |
| - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI | |
| - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() | |
| - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording | |
| - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x | |
| - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. | |
| - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process | |
| - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL | |
| - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase) | |
| - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page | |
| - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" | |
| - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains | |
| - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file | |
| - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes | |
| - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff | |
| - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command | |
| - Resolves: rhbz#1884301 - [RFE] dyndns: support asymmetric auth for nsupdate | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU | |
| - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` | |
| - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling | |
| - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address | |
| - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group | |
| - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade | |
| - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. | |
| - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter | |
| - Fix regressions and bugs in sssd upstream 1.12.2 | |
| - https://fedorahosted.org/sssd/ticket/{id} | |
| - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 | |
| - Bugs: #2287, #2445 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken | |
| - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild) | |
| - Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc | |
| and libtevent to avoid an issue in GPO processing | |
| - Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a | |
| PKCS#11 URI | |
| - Resolves: rhbz#697057 - kpasswd fails when using sssd and | |
| kadmin server != kdc server | |
| - Upgrades from SysV should now maintain enabled/disabled status | |
| - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release | |
| Rebuild against rebased Samba libs | |
| - Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes | |
| crash in wbinfo | |
| - in addition to the patch libwbclient.so is | |
| filtered out of the Provides list of the package | |
| - New upstream release 1.9.0 beta 2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 | |
| - Add support for the Kerberos DIR cache for storing multiple TGTs | |
| automatically | |
| - Major performance enhancement when storing large groups in the cache | |
| - Major performance enhancement when performing initgroups() against Active | |
| Directory | |
| - SSSDConfig data file default locations can now be set during configure for | |
| easier packaging | |
| - Add plugin for cifs-utils | |
| - Resolves: rhbz#998544 | |
| - Rebuild due to rhbz#2013596 - Rebase Samba to the latest 4.15.x release | |
| - Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: | |
| Process /usr/libexec/sssd/sssd_nss was killed by | |
| signal 11 (SIGSEGV) | |
| - Resolves: #996214 - sssd proxy_child segfault | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] | |
| - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] | |
| - Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 | |
| - Also sync. kcm multihost tests with master | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - New upstream release 1.9.0 rc1 | |
| - New upstream release 0.99.0 | |
| - Fix segfault in sssd_pam when cache_credentials was enabled | |
| - Update the sample configuration | |
| - Fix upgrade issues caused by data provider service removal | |
| - Fix systemd executions/requirements | |
| - Related: rhbz#1635595 - Can't login with smartcard with multiple certs | |
| - New upstream release 1.8.1 | |
| - Resolve issue where we could enter an infinite loop trying to connect to an | |
| auth server | |
| - Fix serious issue with complex (3+ levels) nested groups | |
| - Fix netgroup support for case-insensitivity and aliases | |
| - Fix serious issue with lookup bundling resulting in requests never | |
| completing | |
| - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt | |
| in addition to pam_authenticate | |
| - Fix several regressions in the proxy provider | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf | |
| - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name | |
| - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Rebuild for libldb 1.1.19 | |
| - Fix failover from Global Catalog to LDAP in case GC is not available | |
| - Rebuilt for libnfsidmap.so.1 | |
| - New upstream release 1.6.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 | |
| - Add host access control support for LDAP (similar to pam_host_attr) | |
| - Finer-grained control on principals used with Kerberos (such as for FAST or | |
| validation) | |
| - Added a new tool sss_cache to allow selective expiring of cached entries | |
| - Added support for LDAP DEREF and ASQ controls | |
| - Added access control features for Novell Directory Server | |
| - FreeIPA dynamic DNS update now checks first to see if an update is needed | |
| - Complete rewrite of the HBAC library | |
| - New libraries: libipa_hbac and libipa_hbac-python | |
| - Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than | |
| 1.x, this can result in time outs | |
| - Fix release version for upgrades | |
| - Decrease priority of sssd-libwbclient 20 -> 5 | |
| - It should be lower than the priority of the Samba version of libwbclient. | |
| - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18 | |
| - Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the | |
| username in getpwnam() | |
| - Resolves: rhbz#758425 - LDAP failover not working if server refuses | |
| connections | |
| - Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA | |
| - New LDAP access provider allows for filtering user access by LDAP attribute | |
| - Reduced default timeout for detecting offline status with LDAP | |
| - GSSAPI ticket lifetime made configurable | |
| - Better offline->online transition support in Kerberos | |
| - Change the default ccache location to DIR:/run/user/${UID}/krb5cc | |
| and patch man page accordingly | |
| - Resolves: rhbz#851304 | |
| - Handle new error code for IPA password migration | |
| - Only BuildRequire libcmocka on Fedora | |
| - New upstream release 1.4.1 | |
| - Add support for netgroups to the proxy provider | |
| - Fixes a minor bug with UIDs/GIDs >= 2^31 | |
| - Fixes a segfault in the kerberos provider | |
| - Fixes a segfault in the NSS responder if a data provider crashes | |
| - Correctly use sdap_netgroup_search_base | |
| - Resolves: rhbz#1672780 - gdm login not prompting for username when smart | |
| card maps to multiple users | |
| - New upstream release 1.11.5.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1 | |
| - Resolves: #906427 - Do not use %{_lib} in specfile for the nss and | |
| pam libraries | |
| - Use mcpath instead of mcachepath macro to be consistent with | |
| upstream spec file | |
| - Initial release (based on version 0.1.0 upstream code) | |
| - Move sssd_pac to the sssd-ipa and sssd-ad subpackages | |
| - Trim out RHEL5-specific macros since we don't build on RHEL 5 | |
| - Trim out macros for Fedora older than F18 | |
| - Update libldb requirement to 1.1.16 | |
| - Trim RPM changelog down to the last year | |
| - Version 0.2.1 | |
| - New upstream release 1.9.2 | |
| - Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): | |
| sssd_ifp killed by SIGSEGV | |
| - Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly | |
| for D-bus, resulting in a crash | |
| - Rebuild with libldb-1.2.0 | |
| - New upstream release 1.15.3 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html | |
| - New upstream release 1.13.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2 | |
| - Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements | |
| - Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online | |
| - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests | |
| - Several segfault bugfixes | |
| - Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui | |
| with smart card | |
| - Add support for libldb 1.0.0 | |
| - Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules | |
| - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules | |
| - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 | |
| - bugfix release 0.3.2 | |
| - includes previous release patches | |
| - change permissions of the /etc/sssd/sssd.conf to 0600 | |
| - Fix regression in endianness patch | |
| - Resolves: rhbz#1623878 - crash related to sbus_router_destructor() | |
| - Add last minute bug fixes, found in testing the package | |
| - New upstream release 1.7.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 | |
| - Support for case-insensitive domains | |
| - Support for multiple search bases in the LDAP provider | |
| - Support for the native FreeIPA netgroup implementation | |
| - Reliability improvements to the process monitor | |
| - New DEBUG facility with more consistent log levels | |
| - New tool to change debug log levels without restarting SSSD | |
| - SSSD will now disconnect from LDAP server when idle | |
| - FreeIPA HBAC rules can choose to ignore srchost options for significant | |
| performance gains | |
| - Assorted performance improvements in the LDAP provider | |
| - New upstream release 1.4.0 | |
| - Added support for netgroups to the LDAP provider | |
| - Performance improvements made to group processing of RFC2307 LDAP servers | |
| - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin | |
| - Build-system improvements to support Gentoo | |
| - Split out several libraries into the ding-libs tarball | |
| - Manpage reviewed and updated | |
| - New upstream release 1.12.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0 | |
| - Fix CVE-2010-0014 | |
| - Rebuild against libldb 1.10 | |
| - New upstream release 1.11.3 | |
| - Remove upstreamed patches | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3 | |
| - Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing | |
| the trailing colon | |
| - Resolves: rhbz#1256849 - SUDO: Support the IPA schema | |
| - Resolves: upstream#3621 - backport bug found by static analyzers | |
| - Own several directories created during make install (#839782) | |
| - New upstream release 1.13.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3 | |
| - New upstream release 1.11.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 | |
| - Log startup errors to the syslog | |
| - Allow cache cleanup to be disabled in sssd.conf | |
| - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value | |
| - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication | |
| - Resolves: rhbz#1646168 - sssctl access-report always prints an error message | |
| - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the | |
| configuration without having to restart the whole | |
| sssd | |
| - Resolves: rhbz#1640576 - sssctl reports incorrect information about local | |
| user's cache entry expiration time | |
| - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user | |
| - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys | |
| - require the latest libldb | |
| - Change default kerberos credential cache location to /run/user/ |
|
| - Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with | |
| no members | |
| - Rebuild against libldb 1.1.4 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild | |
| - Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome | |
| keyring | |
| - Also apply a patch to fix gating tests issue | |
| - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched | |
| - Resolves: rhbz#1915395 - Memory leak in the simple access provider | |
| - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup | |
| - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) | |
| - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] | |
| - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization | |
| - Fixes link error on platforms that do not do implicit linking | |
| - Fixes double-free segfault in PAM | |
| - Fixes double-free error in async resolver | |
| - Fixes support for TCP-based DNS lookups in async resolver | |
| - Fixes memory alignment issues on ARM processors | |
| - Manpage fixes | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured | |
| - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend | |
| - Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in | |
| setnetgrent_result_timeout | |
| - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted | |
| or machine swaps | |
| - Resolves: failure in glibc tests | |
| https://sourceware.org/bugzilla/show_bug.cgi?id=22530 | |
| - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and | |
| auth_provider ldap, login fails if the LDAP server | |
| is not allowing anonymous binds | |
| - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is | |
| corrected with AD | |
| - Resolves: upstream#3586 - Give a more detailed debug and system-log message | |
| if krb5_init_context() failed | |
| - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet | |
| in /etc/systemd/system | |
| - Backport few upstream features from 1.16.1 | |
| - New upstream release 1.14.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2 | |
| - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication | |
| - New upstream release 1.12.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2 | |
| - Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD | |
| - Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is | |
| not FIPS140 compliant | |
| - New upstream release 1.14.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0 | |
| - Do not crash on resolving a group SID in IPA server mode | |
| - New upstream release 1.8.2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 | |
| - Several fixes to case-insensitive domain functions | |
| - Fix for GSSAPI binds when the keytab contains unrelated principals | |
| - Fixed several segfaults | |
| - Workarounds added for LDAP servers with unreadable RootDSE | |
| - SSH knownhostproxy will no longer enter an infinite loop preventing login | |
| - The provided SYSV init script now starts SSSD earlier at startup and stops | |
| it later during shutdown | |
| - Assorted minor fixes for issues discovered by static analysis tools | |
| - Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): | |
| /usr/libexec/sssd/proxy_child killed by 6 | |
| - Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): | |
| /usr/libexec/sssd/sssd_be killed by 11 crash | |
| func _dbus_list_unlink | |
| - New upstream release 1.15.2 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html | |
| - Related: rhbz#1638150 - session not recording for local user when groups defined | |
| - Also silence a Coverity warning, which is related to rhbz#1637131 | |
| for match rules sss-certmap | |
| - New upstream release 1.13.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | |
| - Fix the Kerberos password expiration warning (#912223) | |
| - Try to fix build adding automake as an explicit BuildRequire | |
| - Add also a couple of last minute patches from upstream | |
| - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 | |
| - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr | |
| - Resolves: rhbz#2144579 - sssd timezone issues sudonotafter | |
| - Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file | |
| - Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) | |
| - Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed | |
| - Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. | |
| UnknownProperty: Unknown property | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| (additional patch) | |
| - Version 0.3.0 | |
| - Provides file based configuration and lots of improvements | |
| - Build with _hardened_build macro | |
| - release out of the official 0.3.2 tarball | |
| - Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade | |
| - Resolves: rhbz#1810634 - id command taking 1+ minute for returning user | |
| information | |
| - Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets | |
| - New upstream bugfix release 0.99.1 | |
| - Fix few segfaults | |
| - Resolves: upstream #2811 - PAM responder crashed if user was not set | |
| - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step | |
| - New upstream release 1.5.11 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 | |
| - Fix a serious regression that prevented SSSD from working with ldaps:// URIs | |
| - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 | |
| address being saved to the AAAA record | |
| - Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to | |
| retrieve AD users through IPA Trust | |
| - New upstream release 1.10 beta2 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 | |
| - BuildRequire libcmocka-devel in order to run all upstream tests during build | |
| - BuildRequire libnl3 instead of libnl1 | |
| - No longer BuildRequire initscripts, we no longer use /sbin/service | |
| - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any | |
| older krb5-libs version | |
| - Switch hardcoded python3 shebangs into the %{__python3} macro | |
| - Fix upgrade issues from old (pre-0.5.0) releases of SSSD | |
| - New upstream release 1.10 alpha1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1 | |
| - Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard | |
| certificate EKU and perform an action based | |
| on value when generating SSH key from a certificate | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuild for libldb 1.1.3 | |
| - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages | |
| - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process | |
| - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] | |
| - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently | |
| - Fix pre and post script requirements | |
| - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug | |
| in ding-libs | |
| - Fix SSH integration with fully-qualified domains | |
| - Add the ability to dynamically discover the NetBIOS name | |
| - Backport important patches from upstream 1.14.2 prerelease | |
| - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after | |
| boot | |
| - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 | |
| - Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication | |
| - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with | |
| file from package sssd-common-1.15.1-1.fc25.x86_64 | |
| - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 | |
| - New upstream release 1.8.0 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Include the IPA AutoFS provider | |
| - Fixed several memory-corruption bugs | |
| - Fixed a regression in group enumeration since 1.7.0 | |
| - Fixed a regression in the proxy provider | |
| - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD | |
| - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is | |
| logged at each login | |
| - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process | |
| /usr/sbin/sssd was killed by signal 11 (SIGSEGV) | |
| - Resolves: rhbz#743133 - Performance regression with Kerberos authentication | |
| against AD | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc | |
| - Fix build with new automake versions | |
| - Change selinux policy requirement to Conflicts: with the old version, | |
| rather than Requires: the supported version. | |
| - Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS | |
| - Release new upstream version 1.1.91 | |
| - Enhancements when using SSSD with FreeIPA v2 | |
| - Support for deferred kinit | |
| - Support for DNS SRV records for failover | |
| - Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del | |
| commands in man pages since local provider | |
| is deprecated | |
| - Additional upstream fixes | |
| - Fix building pac responder with the krb5-1.14 | |
| - Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication | |
| fails with the KCM ccache | |
| - Backport extended NSS API from upstream master branch | |
| - Enable hardened build for RHEL7 | |
| - Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password | |
| prompts (e.g. Password + Token) | |
| - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed | |
| by remote host" if locale not available | |
| - Add explicit requirement on selinux-policy version to address new SBUS | |
| symlinks. | |
| - Rebuild for libldb 1.1.18 | |
| - Fix issue with IPA + SELinux in containers | |
| - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297 | |
| - Solve a shutdown race-condition that sometimes left processes running | |
| - Resolves: rhbz#606887 - SSSD stops on upgrade | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features | |
| - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in | |
| without a password. (Patch by Stephen Gallagher) | |
| - New upstream release 1.12.4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4 | |
| - Rebuild against new libldb | |
| - Add support for python3 bindings | |
| - Add requirement to python3 or python3 bindings | |
| - Resolves: rhbz#1014594 - sssd: Support Python 3 | |
| - Ensure that the configuration upgrade script always writes the config | |
| file with 0600 permissions | |
| - Eliminate an infinite loop in group enumerations | |
| - Fix bug in generation of systemd unit file | |
| - New upstream release 1.5.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 | |
| - Fixes for several crash bugs | |
| - LDAP group lookups will no longer abort if there is a zero-length member | |
| attribute | |
| - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist | |
| - Bump up release number to avoid library sub-packages version issues with | |
| previous releases. | |
| - Unify return type of list_active_domains for python{2,3} | |
| - Ensure that SSSD builds against libldb-1.0.0 on F15 and later | |
| - Remove .la for memberOf | |
| - Add SSSDConfig API | |
| - Update polish translation for 0.6.0 | |
| - Fix long timeout on ldap operation | |
| - Make dp requests more robust | |
| - Resolves: rhbz#1628122 - Printing incorrect information about domain | |
| with sssctl utility | |
| connection timeout | |
| - New upstream release 1.12.5 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5 | |
| - Apply a couple of patches from upstream git that resolve crashes when | |
| ID mapping object was not initialized properly but needed later | |
| - Resolves: rhbz#1283798 - sssd failover does not work on connecting to | |
| non-responsive ldaps:// server | |
| - Rebuild against new libtevent | |
| - Version 0.3.1 | |
| - includes previous release patches | |
| - Re-add manpage translations | |
| - Resolves: rhbz#606887 - sssd stops on upgrade | |
| - Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist | |
| - Fix several regressions since 1.5.x | |
| - Ensure that the RPM creates the /var/lib/sss/mc directory | |
| - Add support for Netscape password warning expiration control | |
| - Rebuild against libldb 1.1.6 | |
| - New upstream release 1.8.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 | |
| - Numerous manpage and translation updates | |
| - LDAP: Handle situations where the RootDSE isn't available anonymously | |
| - LDAP: Fix regression for users using non-standard LDAP attributes for user | |
| information | |
| - Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder | |
| repository | |
| - This just required a raise in release number | |
| and changelog for the record. | |
| - Install systemd unit file instead of sysv init script | |
| - Check the validity of naming context | |
| - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 | |
| - New upstream release 1.12.1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1 | |
| - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next | |
| - Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when | |
| searching in local cache database | |
| - Resolves: rhbz#1726945 - negative cache does not use values from | |
| 'filter_users' config option for known domains | |
| - Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d | |
| - Make sure to properly convert to systemd if upgrading from newer | |
| - updates for Fedora 14 | |
| - Backport patches with Python3 support from upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - New upstream release 0.7.0 | |
| - Include upstream patch to build with krb5-1.11 | |
| - Rebuilt for Python3.5 rebuild | |
| - Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization | |
| - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch) | |
| - New upstream release 1.5.6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 | |
| - Fixed a serious memory leak in the memberOf plugin | |
| - Fixed a regression with the negative cache that caused it to be essentially | |
| nonfunctional | |
| - Fixed an issue where the user's full name would sometimes be removed from | |
| the cache | |
| - Fixed an issue with password changes in the kerberos provider not working | |
| with kpasswd | |
| - Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA | |
| groups during getgrnam and getgrgid | |
| - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses | |
| in call to 'print' | |
| - New upstream release 1.9.1 | |
| - Fix accidental disabling of the DIR cache support | |
| - Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo | |
| - Resolves: rhbz#1645291 - Perform some basic ccache initialization as part | |
| of gen_new to avoid a subsequent switch call | |
| failure | |
| - Resolves: rhbz#1733372 - permission denied on logs when running sssd as | |
| non-root user | |
| - Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories | |
| - New upstream release 1.13.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0 | |
| - New upstream version 1.2.91 (1.3.0rc1) | |
| - Improved LDAP failover | |
| - Synchronous sysdb API (provides performance enhancements) | |
| - Better online reconnection detection | |
| - New upstream release 1.9.0 beta 4 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 | |
| - Add a new AD provider to improve integration with Active Directory 2008 R2 | |
| or later servers | |
| - SUDO integration was completely rewritten. The new implementation works | |
| with multiple domains and uses an improved refresh mechanism to download | |
| only the necessary rules | |
| - The IPA authentication provider now supports subdomains | |
| - Fixed regression for setups that were setting default_tkt_enctypes | |
| manually by reverting a previous workaround. | |
| - New upstream release 1.9.0 | |
| - New upstream release 1.14 beta | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta | |
| - Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" | |
| should not cause files domain entries to be | |
| qualified, this can break sudo access | |
| - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write | |
| access on the sock_file system_bus_socket | |
| - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and | |
| fails to download desktop profile data | |
| - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 | |
| - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients | |
| after applying ID Views for them in IPA server | |
| - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id | |
| mapping is applied | |
| - Remove %files reference to sss_debuglevel copied from wrong upstream | |
| spec file. | |
| - Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] | |
| - Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] | |
| - Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] | |
| - fixed items found during review | |
| - added initscript | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user | |
| private group from server | |
| - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently | |
| - New upstream release 0.6.0 | |
| - Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication | |
| - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider | |
| - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active | |
| - Resolves: rhbz#626205 - Unable to unlock screen | |
| - Use alternatives for libwbclient | |
| - Add missing %license macro | |
| - BuildRequire recent libini_config to ensure consistent behaviour | |
| - Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss | |
| - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. | |
| - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) | |
| - Related: rhbz#1611011 - Support for "require smartcard for login option" | |
| - Backport patches from upstream 1.12.5 prerelease - contains many fixes | |
| - Resolves: 1658813 - PKINIT with KCM does not work | |
| - New upstream release 1.15.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0 | |
| - New upstream release 1.9.0 beta 6 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 | |
| - A new option, override_shell was added. If this option is set, all users | |
| managed by SSSD will have their shell set to its value. | |
| - Fixes for the support for setting default SELinux user context from FreeIPA. | |
| - Fixed a regression introduced in beta 5 that broke LDAP SASL binds | |
| - The SSSD supports the concept of a Primary Server and a Back Up Server in | |
| failover | |
| - A new command-line tool sss_seed is available to help prime the cache with | |
| a user record when deploying a new machine | |
| - SSSD is now able to discover and save the domain-realm mappings | |
| between an IPA server and a trusted Active Directory server. | |
| - Packaging changes to fix ldconfig usage in subpackages (#843995) | |
| - Rebuild against libldb 1.1.9 | |
| - Do not write out dots in the domain-realm mapping file (#905650) | |
| - Resolves: rhbz#1622008 - Error message when IPA server uninstall calls | |
| kdestroy caused by KCM returning a wrong error | |
| code during the delete operation | |
| - New upstream release 1.12.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 | |
| - Fix spelling errors in description (fedpkg lint) | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable | |
| attribute for group name | |
| - Resolves: upstream #2335 - Investigate using the krb5 responder | |
| for driving the PAM conversation with OTPs | |
| - Enable cmocka tests for secondary architectures | |
| - Rebuild against libldb 1.12 | |
| - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for | |
| new LDAP features - fix netgroups and sudo as well | |
| - Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get | |
| the IP address of the machine updated in IPA upon | |
| sssd.service startup | |
| - Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not | |
| started due to a misconfiguration | |
| - This is to bump version to allow rebuild against rebased libldb. | |
| - New upstream release 1.11.0 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 | |
| - New upstream release 1.5.0 | |
| - Fixed issues with LDAP search filters that needed to be escaped | |
| - Add Kerberos FAST support on platforms that support it | |
| - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials | |
| - Added a Kerberos access provider to honor .k5login | |
| - Addressed several thread-safety issues in the sss_client code | |
| - Improved support for delayed online Kerberos auth | |
| - Significantly reduced time between connecting to the network/VPN and | |
| acquiring a TGT | |
| - Added feature for automatic Kerberos ticket renewal | |
| - Provides the kerberos ticket for long-lived processes or cron jobs | |
| even when the user logs out | |
| - Added several new features to the LDAP access provider | |
| - Support for 'shadow' access control | |
| - Support for authorizedService access control | |
| - Ability to mix-and-match LDAP access control features | |
| - Added an option for a separate password-change LDAP server for those | |
| platforms where LDAP referrals are not supported | |
| - Added support for manpage translations | |
| - Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 | |
| - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure | |
| - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working | |
| - Fix nested group member filter sanitization for RFC2307bis | |
| - Put translated tool manpages into the sssd-tools subpackage | |
| - Resolve groups from AD correctly | |
| - Fix changelog dates to make F19 rpmbuild happy | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package | |
| - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP | |
| - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache | |
| - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for | |
| inotify events, and no updates are triggered | |
| - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" | |
| on GDM login with smart-card | |
| - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat | |
| - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. | |
| - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management | |
| - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest | |
| if LDAP entries do not contain AD forest root information | |
| - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories | |
| in SSSD-AD direct integration. | |
| - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card | |
| - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False | |
| - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma | |
| - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 | |
| - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected | |
| - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator | |
| - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed | |
| - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb | |
| - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) | |
| - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) | |
| - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD | |
| - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline | |
| - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' | |
| - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s | |
| - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs | |
| - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. | |
| - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA | |
| - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API | |
| - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing | |
| - Rebuild for new libldb | |
| - Resolves: rhbz#1687281 | |
| Rebase sssd in RHEL-8.1 to the latest upstream release | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is | |
| done here in order to unblock gating changes before rebase. | |
| - Related: rhbz#1682305 | |
| - Backport important patches from upstream 1.13 prerelease | |
| - Fix libwbclient alternatives | |
| - Apply a number of patches from upstream to fix issues found in 1.12.3 | |
| - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple | |
| interfaces, or isn't documented to be able to | |
| - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is | |
| not running | |
| - Resolves: upstream #2557 authentication failure with user from AD | |
| - Resolves: rhbz#1615590 - Do not rely on "python" for el8 | |
| - Backport upstream patches for 1.15.3 pre-release | |
| - required for building freeipa-4.5.x in rawhide | |
| - Rebuilt for glibc bug#747377 | |
| - Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 | |
| - Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code | |
| - Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) | |
| - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names | |
| - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. | |
| - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries | |
| - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update | |
| - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization | |
| - Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but | |
| doesn't require it | |
| - New upstream release 1.9.0 beta 1 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 | |
| - Add native support for autofs to the IPA provider | |
| - Support for ID-mapping when connecting to Active Directory | |
| - Support for handling very large (> 1500 users) groups in Active Directory | |
| - Support for sub-domains (will be used for dealing with trust relationships) | |
| - Add a new fast in-memory cache to speed up lookups of cached data on | |
| repeated requests | |
| - Include couple of patches from upstream 1.11 branch | |
| - Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl | |
| - add missing configure check that broke stopping the daemon | |
| - also fix default config to add a missing required option | |
| - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins | |
| - Add OCSP checks for p11_child | |
| - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local | |
| users | |
| - Update to 1.16.2 release | |
| - Cleanup unused global definitions | |
| - Remove python2 references from the spec file | |
| - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x | |
| - Include the 1.9.2 tarball | |
| - Resolves: RHEL-33957 - ad: refresh root domain when read directly | |
| - New upstream release 1.6.3 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 | |
| - Fixes a major cache performance issue introduced in 1.6.2 | |
| - Fixes a potential infinite-loop with certain LDAP layouts | |
| - Fix potential crash with external groups in trusted IPA-AD setup | |
| - libwbclient-sssd: update interface to version 0.13 | |
| - Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 | |
| - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 | |
| - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools | |
| - Resolves: rhbz#1945888 - Inconsistent debug level for connection logging | |
| - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets | |
| - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace | |
| - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR | |
| - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. | |
| - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs | |
| - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path | |
| - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm | |
| - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries | |
| - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection | |
| - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries | |
| - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries | |
| - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. | |
| - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable | |
| - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used | |
| - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() | |
| - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen | |
| - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page | |
| - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page | |
| - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp | |
| - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) | |
| - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 | |
| - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login | |
| - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive | |
| - Version 0.2.0 | |
| - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid | |
| new ones (kcm) | |
| - New upstream release 1.15.1 | |
| - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html | |
| - Backport simplification of ccache management from 1.11.1 | |
| - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login | |
| - New upstream release 1.5.10 | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 | |
| - Fixed a regression introduced in 1.5.9 that could result in blocking calls | |
| - to LDAP | |
| - package git snapshot | |
| - Fix typo in Requires that prevented an upgrade (#973916) | |
| - Use a hardcoded version in Conflicts, not less-than-current | |
| - Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] | |
| - Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] | |
| - Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] | |
| - Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] | |
| - Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] | |
| - Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization | |
| - Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 | |
| - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross interference of different provider plugins options) | |
| - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. | |
| - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 | |
| - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() | |
| - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd | |
| - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop | |
| - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send | |
| - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker | |
| - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol | |
| - Resolves: rhbz#2087745 - 2FA prompting setting ineffective | |
| - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language | |
| - New upstream release | |
| - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 | |
| - Support for the service map in NSS | |
| - Support for setting default SELinux user context from FreeIPA | |
| - Support for retrieving SSH user and host keys from LDAP (Experimental) | |
| - Support for caching autofs LDAP requests (Experimental) | |
| - Support for caching SUDO rules (Experimental) | |
| - Don't discard HBAC rule processing result if SELinux is on | |
| Resolves: rhbz#846792 (CVE-2012-3462) | |
|
|
|
| systemd-239-82.el8_10.13.x86_64.rpm | - logind: fix crash in logind on user-specified message string (RHEL-132317) |
| - run: update checks to allow running with a user's bus (RHEL-118835) | |
| - hwdb: add ACCEL_LOCATION property to parse_hwdb.py (RHEL-130979) | |
| - hwdb: update ACCEL_LOCATION property to use Or instead of QuotedString (RHEL-130979) | |
| - test: support general properties in hwdb files (RHEL-130979) | |
| - hwdb: Relax parsing script to allow 0 and 1 for all ID_* properties (RHEL-130979) | |
| - hwdb: allow spaces in usb: matches and similar patterns (RHEL-130979) | |
| - test: fix parsing of 60-seat.hwdb and 60-keyboard.hwdb (RHEL-130979) | |
| - parse_hwdb: fix compatibility with pyparsing 2.4.* (RHEL-130979) | |
| - login: use parse_uid() when unmounting user runtime directory (RHEL-132175) | |
| - pid1: do not use generated strings as format strings (#19098) (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() always return NUL-terminated string (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() return non-NULL on success (RHEL-132317) | |
| - core/transaction: do not log "(null)" (RHEL-132317) | |
| - Revert "run: update checks to allow running with a user's bus" (RHEL-118835) | |
| - Remove support URL patch | |
| - Disable tests due to sigabrt in our environment | |
| - cryptsetup-generator: refactor add_crypttab_devices() (RHEL-38859) | |
| - cryptsetup-generator: continue parsing after error (RHEL-38859) | |
| - Remove support URL patch | |
|
|
|
| systemd-devel-239-82.el8_10.13.x86_64.rpm | - logind: fix crash in logind on user-specified message string (RHEL-132317) |
| - run: update checks to allow running with a user's bus (RHEL-118835) | |
| - hwdb: add ACCEL_LOCATION property to parse_hwdb.py (RHEL-130979) | |
| - hwdb: update ACCEL_LOCATION property to use Or instead of QuotedString (RHEL-130979) | |
| - test: support general properties in hwdb files (RHEL-130979) | |
| - hwdb: Relax parsing script to allow 0 and 1 for all ID_* properties (RHEL-130979) | |
| - hwdb: allow spaces in usb: matches and similar patterns (RHEL-130979) | |
| - test: fix parsing of 60-seat.hwdb and 60-keyboard.hwdb (RHEL-130979) | |
| - parse_hwdb: fix compatibility with pyparsing 2.4.* (RHEL-130979) | |
| - login: use parse_uid() when unmounting user runtime directory (RHEL-132175) | |
| - pid1: do not use generated strings as format strings (#19098) (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() always return NUL-terminated string (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() return non-NULL on success (RHEL-132317) | |
| - core/transaction: do not log "(null)" (RHEL-132317) | |
| - Revert "run: update checks to allow running with a user's bus" (RHEL-118835) | |
| - Remove support URL patch | |
| - Disable tests due to sigabrt in our environment | |
| - cryptsetup-generator: refactor add_crypttab_devices() (RHEL-38859) | |
| - cryptsetup-generator: continue parsing after error (RHEL-38859) | |
| - Remove support URL patch | |
|
|
|
| systemd-libs-239-82.el8_10.13.x86_64.rpm | - logind: fix crash in logind on user-specified message string (RHEL-132317) |
| - run: update checks to allow running with a user's bus (RHEL-118835) | |
| - hwdb: add ACCEL_LOCATION property to parse_hwdb.py (RHEL-130979) | |
| - hwdb: update ACCEL_LOCATION property to use Or instead of QuotedString (RHEL-130979) | |
| - test: support general properties in hwdb files (RHEL-130979) | |
| - hwdb: Relax parsing script to allow 0 and 1 for all ID_* properties (RHEL-130979) | |
| - hwdb: allow spaces in usb: matches and similar patterns (RHEL-130979) | |
| - test: fix parsing of 60-seat.hwdb and 60-keyboard.hwdb (RHEL-130979) | |
| - parse_hwdb: fix compatibility with pyparsing 2.4.* (RHEL-130979) | |
| - login: use parse_uid() when unmounting user runtime directory (RHEL-132175) | |
| - pid1: do not use generated strings as format strings (#19098) (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() always return NUL-terminated string (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() return non-NULL on success (RHEL-132317) | |
| - core/transaction: do not log "(null)" (RHEL-132317) | |
| - Revert "run: update checks to allow running with a user's bus" (RHEL-118835) | |
| - Remove support URL patch | |
| - Disable tests due to sigabrt in our environment | |
| - cryptsetup-generator: refactor add_crypttab_devices() (RHEL-38859) | |
| - cryptsetup-generator: continue parsing after error (RHEL-38859) | |
| - Remove support URL patch | |
|
|
|
| systemd-pam-239-82.el8_10.13.x86_64.rpm | - logind: fix crash in logind on user-specified message string (RHEL-132317) |
| - run: update checks to allow running with a user's bus (RHEL-118835) | |
| - hwdb: add ACCEL_LOCATION property to parse_hwdb.py (RHEL-130979) | |
| - hwdb: update ACCEL_LOCATION property to use Or instead of QuotedString (RHEL-130979) | |
| - test: support general properties in hwdb files (RHEL-130979) | |
| - hwdb: Relax parsing script to allow 0 and 1 for all ID_* properties (RHEL-130979) | |
| - hwdb: allow spaces in usb: matches and similar patterns (RHEL-130979) | |
| - test: fix parsing of 60-seat.hwdb and 60-keyboard.hwdb (RHEL-130979) | |
| - parse_hwdb: fix compatibility with pyparsing 2.4.* (RHEL-130979) | |
| - login: use parse_uid() when unmounting user runtime directory (RHEL-132175) | |
| - pid1: do not use generated strings as format strings (#19098) (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() always return NUL-terminated string (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() return non-NULL on success (RHEL-132317) | |
| - core/transaction: do not log "(null)" (RHEL-132317) | |
| - Revert "run: update checks to allow running with a user's bus" (RHEL-118835) | |
| - Remove support URL patch | |
| - Disable tests due to sigabrt in our environment | |
| - cryptsetup-generator: refactor add_crypttab_devices() (RHEL-38859) | |
| - cryptsetup-generator: continue parsing after error (RHEL-38859) | |
| - Remove support URL patch | |
|
|
|
| systemd-udev-239-82.el8_10.13.x86_64.rpm | - logind: fix crash in logind on user-specified message string (RHEL-132317) |
| - run: update checks to allow running with a user's bus (RHEL-118835) | |
| - hwdb: add ACCEL_LOCATION property to parse_hwdb.py (RHEL-130979) | |
| - hwdb: update ACCEL_LOCATION property to use Or instead of QuotedString (RHEL-130979) | |
| - test: support general properties in hwdb files (RHEL-130979) | |
| - hwdb: Relax parsing script to allow 0 and 1 for all ID_* properties (RHEL-130979) | |
| - hwdb: allow spaces in usb: matches and similar patterns (RHEL-130979) | |
| - test: fix parsing of 60-seat.hwdb and 60-keyboard.hwdb (RHEL-130979) | |
| - parse_hwdb: fix compatibility with pyparsing 2.4.* (RHEL-130979) | |
| - login: use parse_uid() when unmounting user runtime directory (RHEL-132175) | |
| - pid1: do not use generated strings as format strings (#19098) (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() always return NUL-terminated string (RHEL-132317) | |
| - core/transaction: make merge_unit_ids() return non-NULL on success (RHEL-132317) | |
| - core/transaction: do not log "(null)" (RHEL-132317) | |
| - Revert "run: update checks to allow running with a user's bus" (RHEL-118835) | |
| - Remove support URL patch | |
| - Disable tests due to sigabrt in our environment | |
| - cryptsetup-generator: refactor add_crypttab_devices() (RHEL-38859) | |
| - cryptsetup-generator: continue parsing after error (RHEL-38859) | |
| - Remove support URL patch | |
|
|
|
| tzdata-java-2025b-1.el8.noarch.rpm | - Update to tzdata-2025c (RHEL-135159) |
| - Update leap seconds file expiration date | |
| - Included NEWS file with docs. (RHEL-102379) | |
|
|
|
| webrtc-audio-processing-0.3-10.el8.x86_64.rpm | - Rebuilt to fix broken binary possibly caused by broken toolchain |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - set ExclusiveArch x86 and ARM for now | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Initial Fedora spec. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - add support big endian | |
| - webrtc-audio-processing-0.2 (#1335536) | |
| - %files: track ABI/API closer | |
| - better/upstreamable x86_msse2.patch | |
| - simpler/upstreamable no_undefined.patch (fdo#96244) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - ExclusiveArch primary archs, FTBFS on big endian arches (#1336466) | |
| - add url to upstream bug report | |
| - webrtc-fix-typedefs-on-other-arches.patch: fix ftbfs on non-x86/arm due to | |
| a build #error in typedefs.h, however, the defines are not used anywhere in | |
| the code. Fixes build on ppc{,64}, s390x, and aarch64. | |
| - 0.3 | |
| - link w/ --no-undefined | |
| - fix x86 sse2 runtime detection | |
| - Include devel package in CRB | |
| - Resolves: #2036956 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Add gcc/gcc-c++ build requires | |
| - Add aarch64 to NEON exception | |
| - Update License | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Rebuild to address Annobin coverage issues | |
| Resolves: #1704148 | |
| - pull in upstream fixes, use %autosetup | |
|
|
|
| xcb-util-0.4.0-10.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild |
| - 0.3.3 | |
| - removed patches already in git (and 0.3.3) | |
| - 0.3.4; needed for Awesome 3.3 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - xcb-util 0.3.8 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - 0.3.6 | |
| - patch for exit() in aux library (Peter Harris) | |
| - slight changes in spec file | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - Update to 0.4.0. | |
| - Modernize spec file. | |
| - Include COPYING. | |
| - Update requirements. | |
| - xcb-util 0.3.9 (#828286) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - 0.3.1 | |
| - fix license issue (Jonathan Landis) | |
| - hack the sed lines after %configure out and hack chrpath in | |
| - make check is running again | |
| - Move NEWS to -devel. | |
| - xcb-util 0.3.5 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - 0.3.2 | |
| - remove rpath (x86-64) | |
| - xcb_keysyms: remove xcb_lookup_t | |
| - Revert "keysyms: use xcb_key_lookup_t type for col paramter" | |
| - temporary disabled %check due to RPATH regression | |
| - new build deps: gperf, pkgconfig, libxcb, m4, xorg-x11-proto-devel | |
| - not installing *.a files anymore | |
| - configure with --with-pic | |
| - bump to 0.3.0 | |
| - Mark license with %license. | |
| - Explicitly list DSOs so we're notified of version changes. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Use ldconfig scriptlet macros | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - initial package | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
|
|
|
| xcb-util-image-0.4.0-9.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Include COPYING. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Specfile cleanups. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Mark license with %license. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - xcb-util-image 0.3.9 | |
| - Rebuilt for new xcb-util soname | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Fix explicit requires. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Update to 0.4.0. | |
| - New package. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
|
|
|
| xcb-util-keysyms-0.4.0-7.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Specfile cleanups suggested in the review. | |
| - Fix explicit requires. | |
| - Update to 0.4.0. | |
| - Update to 0.3.9. | |
| - New package. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
|
|
|
| xcb-util-renderutil-0.3.9-10.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - Include COPYING. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Mark license with %license. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Update to 0.3.9. | |
| - New package. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
|
|
|
| xcb-util-wm-0.4.1-12.el8.x86_64.rpm | - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - Disable silent build. | |
| - Mark license with %license. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Update to 0.4.1 (rhbz#1059674) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - New package. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - Include COPYING. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Update to 0.3.9. | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Specfile cleanups as suggested in the review. | |
| - Remove unneeded BR on pkgconfig. | |
| - Remove unneeded chrpath call. | |
|
|
|
| xmlrpc-c-1.51.0-11.el8_10.x86_64.rpm | - Autorebuild for GCC 4.3 |
| - updated to 1.06.09 | |
| - removed -typo patch since applied upstream | |
| - Restrict XML Entity Expansion Depth in libexpat CVE-2024-8176 | |
| - Address segfault found in CVE-2023-52425 (RHEL-24226) | |
| - updated to 1.26.0 | |
| - updated to 1.27.4 | |
| - updated to 1.27.0 | |
| - made it build with recent curl | |
| - updated to 1.28.1 | |
| - updated to 1.06.05 | |
| - merged + updated patches | |
| - Initial build. | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - updated to 1.25.0 | |
| - rebuilt for FC5 | |
| - Update to 1.48.0 | |
| - updated to 1.27.3 | |
| - updated to 1.27.5 | |
| - Switch to %ldconfig_scriptlets | |
| - Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519) | |
| - BuildRequire openssl by pkgconfig() | |
| - made linker scripts more 'ldconfig' friendly | |
| - updated to 1.21.00 (rev 1851) | |
| - removed curl-trace patch as applied upstream | |
| - rediffed patches | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - updated to 1.06.11 | |
| - Fix underlinking issue causing FTBFS | |
| - updated to 1.30.6 | |
| - updated to 1.26.3 | |
| - removed default-constructor patch; issue is solved upstream | |
| - updated to 1.30.5 (IPv6 server fixes) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - updated to 1.25.1 | |
| - moved to advanced branched; rediffed/updated existing cmake patch | |
| and fixed other compilation issues (#369841) | |
| - updated to 1.31.4 | |
| - fixed error handling when transferring too large files (#741980) | |
| - updated to 1.32.1 | |
| - Update to 1.49.02 | |
| - Build with openssl 1.1 | |
| - Add missing validation of encoding (CVE-2022-25235) (#2070481) | |
| - updated to rev1841 | |
| - rediffed patches | |
| - added patch to fix handling of wrong certificates (Nikola Pajkovsky) | |
| - added support for $XMLRPC_TRACE_CURL env (John Dennis) | |
| - updated to 1.16.4 | |
| - rediffed/updated patches | |
| - split some subpackages (c++, client) out of main package as they | |
| introduce additional dependencies (c++, curl) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - updated to 1.24.4 | |
| - rebuild against the new curl | |
| - updated to 1.31.0 | |
| - Update to 1.51.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - updated to 1.16.6; rediffed patches | |
| - fixed client headers (bug #475887) | |
| - Apply patches via git to preserve permissions | |
| - updated to 1.14.8 | |
| - updated to 1.32.2 | |
| - require the various subpackages explicitly for -devel; the ld linker | |
| scripts broke rpm's autodetection (#567400) | |
| - removed -devel Requires: which are covered by pkgconfig autodeps | |
| - added %{?_isa} annotations | |
| - updated to 1.23.01 | |
| - added patch to make curl follow HTTP POST 301 redirects (#618504) | |
| - updated to 1.30.4 | |
| - lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827) | |
| (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602) | |
| - Prevent integer overflow on m_groupSize in doProlog | |
| (CVE-2021-46143) (#2058560) | |
| - fix license tag | |
| - Address some Coverity issues in the patch set | |
| - use correct pkg-config script for 'xmlrpc-config abyss-server' | |
| output (#355411) | |
| - updated to 1.06.23 (#355411) | |
| - updated cmake patch | |
| - strip installed libraries | |
| - Add xmlrpc_client++.pc | |
| - disabled w3c-libwww because it does not exist anymore in FC5 and | |
| seems to be unmaintained upstream | |
| - added missing libxml2-devel | |
| - cleaned up list of %doc files | |
| - fixed gcc4.1 build issues | |
| - removed static libraries when there exists a corresponding dynamic one | |
| - replaced .so symlinks by linker scripts which add all implicit | |
| dependencies in AS_NEEDED() commands (#564607, #565577) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Fix Requires.private in xmlrpc_server++.pc | |
| - updated to 1.06.04 | |
| - patched the broken buildsystem | |
| - disabled libwww backend explicitly | |
| - updated to 1.06.16 | |
| - updated to 1.22.01 (svn 1907) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - updated to 1.30.1 | |
| - updated to 1.32.5 | |
| - updated to 1.23.02 (note: this breaks C++ ABI) | |
| - added vasprintf patch | |
| - updated to 1.05 | |
| - updated patches | |
| - updated to 1.06.17 | |
| - updated to 1.14.2 | |
| - rediffed patches | |
| - added patch to fix broken usage of 'long long' datatype | |
| - Add missing inter-package dependencies | |
| - Rename fedora directory to build | |
| - added libxml2-devel and openssl-devel Requires: for the -devel | |
| subpackage | |
| - ship doc/* instead of doc | |
| - initial Fedora Extras package (review 175840) | |
| - updated to 1.24.1 | |
| - set -Wno-uninitialized CFLAGS; code contains lot of constructs | |
| triggering this warning and the 'int a=a' defeaters have been | |
| removed in this version | |
| - updated to 1.14.6 | |
| - updated to 1.06.14 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Add patch to silence format-security compiler warning | |
| - Resolves: rhbz#1037399 | |
| - Rebuilt for c++ ABI breakage | |
| - fixed cmake quoting so that pkgconfig files get correct version number | |
| - fixed handling of 'server-util' and '--cflags' within xmlrpc-c-config | |
| - updated to 1.13.8 | |
| - removed some patches which were applied upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - updated to 1.06.18 | |
| - Add patch for conversion from int to unsigned char | |
| - Resolves: rhbz#1308254 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - rediffed cmake patch against current version | |
| - made the xmlrpc-c-config compatible to the upstream version | |
| - added compatibility symlinks for some header files (thx to Robert de | |
| Vries for reporting these two issues) | |
| - updated to 1.29.0 | |
| - Backport upstream fix for console spam with debug messages (#1541868) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |
|
|
|
| xmlrpc-c-client-1.51.0-11.el8_10.x86_64.rpm | - Autorebuild for GCC 4.3 |
| - updated to 1.06.09 | |
| - removed -typo patch since applied upstream | |
| - Restrict XML Entity Expansion Depth in libexpat CVE-2024-8176 | |
| - Address segfault found in CVE-2023-52425 (RHEL-24226) | |
| - updated to 1.26.0 | |
| - updated to 1.27.4 | |
| - updated to 1.27.0 | |
| - made it build with recent curl | |
| - updated to 1.28.1 | |
| - updated to 1.06.05 | |
| - merged + updated patches | |
| - Initial build. | |
| - Rebuilt for GCC 5 C++11 ABI change | |
| - updated to 1.25.0 | |
| - rebuilt for FC5 | |
| - Update to 1.48.0 | |
| - updated to 1.27.3 | |
| - updated to 1.27.5 | |
| - Switch to %ldconfig_scriptlets | |
| - Prevent integer overflow or wraparound, CVE-2024-4549 (RHEL-57519) | |
| - BuildRequire openssl by pkgconfig() | |
| - made linker scripts more 'ldconfig' friendly | |
| - updated to 1.21.00 (rev 1851) | |
| - removed curl-trace patch as applied upstream | |
| - rediffed patches | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild | |
| - updated to 1.06.11 | |
| - Fix underlinking issue causing FTBFS | |
| - updated to 1.30.6 | |
| - updated to 1.26.3 | |
| - removed default-constructor patch; issue is solved upstream | |
| - updated to 1.30.5 (IPv6 server fixes) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild | |
| - updated to 1.25.1 | |
| - moved to advanced branched; rediffed/updated existing cmake patch | |
| and fixed other compilation issues (#369841) | |
| - updated to 1.31.4 | |
| - fixed error handling when transferring too large files (#741980) | |
| - updated to 1.32.1 | |
| - Update to 1.49.02 | |
| - Build with openssl 1.1 | |
| - Add missing validation of encoding (CVE-2022-25235) (#2070481) | |
| - updated to rev1841 | |
| - rediffed patches | |
| - added patch to fix handling of wrong certificates (Nikola Pajkovsky) | |
| - added support for $XMLRPC_TRACE_CURL env (John Dennis) | |
| - updated to 1.16.4 | |
| - rediffed/updated patches | |
| - split some subpackages (c++, client) out of main package as they | |
| introduce additional dependencies (c++, curl) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | |
| - updated to 1.24.4 | |
| - rebuild against the new curl | |
| - updated to 1.31.0 | |
| - Update to 1.51.0 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild | |
| - updated to 1.16.6; rediffed patches | |
| - fixed client headers (bug #475887) | |
| - Apply patches via git to preserve permissions | |
| - updated to 1.14.8 | |
| - updated to 1.32.2 | |
| - require the various subpackages explicitly for -devel; the ld linker | |
| scripts broke rpm's autodetection (#567400) | |
| - removed -devel Requires: which are covered by pkgconfig autodeps | |
| - added %{?_isa} annotations | |
| - updated to 1.23.01 | |
| - added patch to make curl follow HTTP POST 301 redirects (#618504) | |
| - updated to 1.30.4 | |
| - lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827) | |
| (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602) | |
| - Prevent integer overflow on m_groupSize in doProlog | |
| (CVE-2021-46143) (#2058560) | |
| - fix license tag | |
| - Address some Coverity issues in the patch set | |
| - use correct pkg-config script for 'xmlrpc-config abyss-server' | |
| output (#355411) | |
| - updated to 1.06.23 (#355411) | |
| - updated cmake patch | |
| - strip installed libraries | |
| - Add xmlrpc_client++.pc | |
| - disabled w3c-libwww because it does not exist anymore in FC5 and | |
| seems to be unmaintained upstream | |
| - added missing libxml2-devel | |
| - cleaned up list of %doc files | |
| - fixed gcc4.1 build issues | |
| - removed static libraries when there exists a corresponding dynamic one | |
| - replaced .so symlinks by linker scripts which add all implicit | |
| dependencies in AS_NEEDED() commands (#564607, #565577) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild | |
| - Fix Requires.private in xmlrpc_server++.pc | |
| - updated to 1.06.04 | |
| - patched the broken buildsystem | |
| - disabled libwww backend explicitly | |
| - updated to 1.06.16 | |
| - updated to 1.22.01 (svn 1907) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild | |
| - updated to 1.30.1 | |
| - updated to 1.32.5 | |
| - updated to 1.23.02 (note: this breaks C++ ABI) | |
| - added vasprintf patch | |
| - updated to 1.05 | |
| - updated patches | |
| - updated to 1.06.17 | |
| - updated to 1.14.2 | |
| - rediffed patches | |
| - added patch to fix broken usage of 'long long' datatype | |
| - Add missing inter-package dependencies | |
| - Rename fedora directory to build | |
| - added libxml2-devel and openssl-devel Requires: for the -devel | |
| subpackage | |
| - ship doc/* instead of doc | |
| - initial Fedora Extras package (review 175840) | |
| - updated to 1.24.1 | |
| - set -Wno-uninitialized CFLAGS; code contains a lot of constructs | |
| triggering this warning and the 'int a=a' defeaters have been | |
| removed in this version | |
| - updated to 1.14.6 | |
| - updated to 1.06.14 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild | |
| - Add patch to silence format-security compiler warning | |
| - Resolves: rhbz#1037399 | |
| - Rebuilt for c++ ABI breakage | |
| - fixed cmake quoting so that pkgconfig files get correct version number | |
| - fixed handling of 'server-util' and '--cflags' within xmlrpc-c-config | |
| - updated to 1.13.8 | |
| - removed some patches which were applied upstream | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild | |
| - updated to 1.06.18 | |
| - Add patch for conversion from int to unsigned char | |
| - Resolves: rhbz#1308254 | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild | |
| - rediffed cmake patch against current version | |
| - made the xmlrpc-c-config compatible to the upstream version | |
| - added compatibility symlinks for some header files (thx to Robert de | |
| Vries for reporting these two issues) | |
| - updated to 1.29.0 | |
| - Backport upstream fix for console spam with debug messages (#1541868) | |
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild | |