
gsasl-2.0.1 released [stable]


From: Simon Josefsson
Subject: gsasl-2.0.1 released [stable]
Date: Fri, 15 Jul 2022 17:59:44 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

GNU SASL is a modern C library that implements the network security
protocol Simple Authentication and Security Layer (SASL).  The framework
itself and a couple of common SASL mechanisms are implemented.  GNU SASL
can be used by network applications for IMAP, SMTP, XMPP and other
protocols to provide authentication services.  Supported mechanisms
include CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID,
DIGEST-MD5, SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), GS2-KRB5, SAML20,
OPENID20, LOGIN, and NTLM.

The project's web page is available at:
  https://www.gnu.org/software/gsasl/

All manuals are available from:
  https://www.gnu.org/software/gsasl/manual/

The main manual:
  https://www.gnu.org/software/gsasl/manual/gsasl.html - HTML format
  https://www.gnu.org/software/gsasl/manual/gsasl.pdf - PDF format

API Reference manual:
  https://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML

Doxygen documentation:
  https://www.gnu.org/software/gsasl/doxygen/ - HTML format
  https://www.gnu.org/software/gsasl/doxygen/gsasl.pdf - PDF format

For code coverage, cyclomatic code complexity charts and clang analyzer see:
  https://gsasl.gitlab.io/gsasl/coverage/
  https://gsasl.gitlab.io/gsasl/cyclo/
  https://gsasl.gitlab.io/gsasl/clang-analyzer/

If you need help to use GNU SASL, or want to help others, you are
invited to join our help-gsasl mailing list, see:
  https://lists.gnu.org/mailman/listinfo/help-gsasl

Here are the compressed sources and a GPG detached signature[*]:
  https://ftpmirror.gnu.org/gsasl/gsasl-2.0.1.tar.gz
  https://ftpmirror.gnu.org/gsasl/gsasl-2.0.1.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

34ebc42f5fcacfa810cf6ca3553963f09e74a99c  gsasl-2.0.1.tar.gz
Mix1QgCIQbzYukrgkzsiAhHRkKe1anDdYfZVbezAG3o  gsasl-2.0.1.tar.gz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.
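Because the SHA256 line above is base64 rather than the hex that `sha256sum` prints, a naive string comparison of the two will always fail. The following is an added example, not part of the announcement or of GNU SASL itself: it parses checksum lines in the announcement's `digest  filename` layout, accepts a digest in either hex or unpadded base64, and compares the raw digest bytes against the file contents. The `sample.tar.gz` lines are constructed; their digests are the well-known SHA1/SHA256 values of an empty file, not those of gsasl-2.0.1.tar.gz.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample in the announcement's layout: one "<digest>  <filename>"
# line per algorithm, SHA1 in hex, SHA256 in base64 with '=' padding stripped.
# These are the digests of an empty file (standard test vectors), used only
# to make the example self-contained.
SAMPLE_CHECKSUMS = """\
da39a3ee5e6b4b0d3255bfef95601890afd80709  sample.tar.gz
47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU  sample.tar.gz
"""


def decode_digest(text):
    """Return (algorithm, raw_bytes) for a digest given as hex or base64."""
    text = text.strip()
    try:
        raw = binascii.unhexlify(text)  # hex: the encoding most tools print
    except (binascii.Error, ValueError):
        # base64; GNU announcements drop the trailing '=' padding, so restore
        # it before decoding (43 chars -> 44 for a 32-byte SHA256).
        padded = text + "=" * (-len(text) % 4)
        raw = base64.b64decode(padded, validate=True)
    algo = {20: "sha1", 32: "sha256"}.get(len(raw))
    if algo is None:
        raise ValueError("unsupported digest length %d" % len(raw))
    return algo, raw


def parse_checksum_lines(text):
    """Yield (algorithm, raw_digest, filename) from 'digest  filename' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, filename = line.split(None, 1)
        algo, raw = decode_digest(digest)
        yield algo, raw, filename.strip()


def verify_data(data, checksum_text, filename):
    """Map each listed algorithm for filename to True/False for data."""
    results = {}
    for algo, expected, name in parse_checksum_lines(checksum_text):
        if name != filename:
            continue
        actual = hashlib.new(algo, data).digest()
        # Compare raw bytes, independent of how the digest was printed.
        results[algo] = hmac.compare_digest(actual, expected)
    return results
```

For a real download, read the tarball bytes and pass the two checksum lines from the announcement as `checksum_text`; the checksums only prove integrity of the transfer, while the `.sig` verification below ties the tarball to the release signer's key.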

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gsasl-2.0.1.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' | gpg --import -

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.6
  Gnulib v0.1-5254-gd35ebbb9c
  Makeinfo 6.7
  Help2man 1.48.1
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.33.1
  Tar 1.34
  Gzip 1.10

NEWS

* Noteworthy changes in release 2.0.1 (2022-07-15) [stable]

** Support for the libgssglue GSS-API library was added.
We encourage you to build with libgssglue, as that allows system
administrators and end-users to choose between MIT Kerberos, Heimdal
and GNU GSS during run-time.  Read about the background here:
https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

** GSSAPI client: don't use AUTHID as fallback for AUTHZID.
The code historically used the AUTHID as authorization identity, but
in 2012 we changed it to first query for AUTHZID, and only if that is
not available, fall back to using AUTHID as the authorization
identity.  The change was not released until version 1.8.1 on
2019-08-02, when it was properly documented to be removed 'after the
year 2012'.  While documented behaviour, this seems like just
surprising behaviour and we now finally make the change.

** GSSAPI server: don't set AUTHZID to empty string when absent.
The GSS-API SASL protocol does not differentiate between an absent
authorization identity and an authorization identity that is the empty
string.  Previously libgsasl would set it to the empty string but now
it is set to NULL.  The manual explains that this is a protocol
limitation.

** The examples/smtp-server.c now supports GSSAPI/GS2-KRB5.
The example is used during CI/CD testing of GNU SASL and thus it made
sense to extend it.  Some bugs related to getline error conditions
were also fixed.

** GSSAPI server: Fix out-of-bounds read.
A malicious client can after it has authenticated with Kerberos send a
specially crafted message that causes Libgsasl to read out of bounds
and cause a crash in the server.
