From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) by sourceware.org (Postfix) with ESMTPS id 48D343858298 for ; Tue, 19 Jul 2022 16:26:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 48D343858298 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=SystematicSW.ab.ca Authentication-Results: sourceware.org; spf=none smtp.mailfrom=systematicsw.ab.ca Received: from shw-obgw-4002a.ext.cloudfilter.net ([10.228.9.250]) by cmsmtp with ESMTP id DmQJop4hZS8WrDq2poSV8t; Tue, 19 Jul 2022 16:25:59 +0000 Received: from localhost.localdomain ([184.64.124.72]) by cmsmtp with ESMTP id Dq2ooDVVJC3uhDq2oofSTq; Tue, 19 Jul 2022 16:25:59 +0000 X-Authority-Analysis: v=2.4 cv=a6MjSGeF c=1 sm=1 tr=0 ts=62d6db17 a=oHm12aVswOWz6TMtn9zYKg==:117 a=oHm12aVswOWz6TMtn9zYKg==:17 a=mDV3o1hIAAAA:8 a=RKaU6TgGzL_YVYKu_noA:9 a=_FVE-zBwftR9WsbkzFJk:22 From: "Cygwin gsasl Maintainer" To: "Cygwin Announcements" Reply-To: "Cygwin" Date: Tue, 19 Jul 2022 10:24:04 -0600 Message-Id: <20220719102404.19872-1-Brian.Inglis@SystematicSW.ab.ca> Subject: Test: gsasl, libgsasl{7,-common,-devel,-doc} 1.10 (TEST) X-CMAE-Envelope: MS4xfEYXu2yeZ5zZbmkYFuJRicqh8DhuVwnOh5NRiP/W6M+sgASV65bisfnkDXS0c3OCdJddxOHzJjKdq7h7o+TEGihO2nqTQGV6FJwlr/biDC5684RNF1eG n9EGZkKNISN4zelB5bU0R3fZhr/CrpYZpjrqFiakNsPT1esYUba5fAJHo1/LPvcROAY4qy+WCFXDeCFfOF2VjN1/rEXRUA22DjlQDwWybW5yCYk2Kb+nU0Wn X-Spam-Status: No, score=-1163.8 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, KAM_SHORT, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: cygwin-announce@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Read-only mailing list announcing new and updated Cygwin packages List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jul 2022 16:26:02 -0000 The following packages have been uploaded for testing in Cygwin: * gsasl 1.10 * libgsasl7 1.10 * libgsasl-common 1.10 * libgsasl-devel 1.10 * libgsasl-doc 1.10 GNU SASL is an implementation of the Simple Authentication and Security Layer (SASL) framework, consisting of a library with several plugins, and command-line application. For more information see the project home page: https://www.gnu.org/software/gsasl/ See below or read /usr/share/doc/{,lib}gsasl/NEWS after installation for a summary of changes since the last Cygwin release, or read /usr/share/doc/{,lib}gsasl/ChangeLog after installation for details. Please test these packages as extensively as possible (especially if you are a Cygwin package maintainer) as this library has not been upgraded for a few years, although it is used by libcurl, and that is used in many libraries and utilities. Package maintainers should install this test release and rerun checks of as many libraries and packages depending on libcurl as possible. Checks of curl itself after installing these packages run with no issues. I have it locally installed so it is getting used by commands, scripts, cron jobs, and cygport builds, and has and is getting frequent exercise with no apparent issues so far. If no issues are reported within a couple of weeks the package will be upgraded to current. Version 1.10.0 (released 2021-01-01) [stable] This is a new major stable release. Brief changes compared to 1.8.x: * SCRAM-SHA-256 and SCRAM-SHA-256-PLUS support per RFC 7677. * SCRAM supports password-less usage (StoredKey/ServerKey). * New 'gsasl --mkpasswd' command to prepare SCRAM salted/hashed passwords. * Final warning that obsolete APIs will be removed. * Various cleanups, portability and other bug fixes. Version 1.9.3 (released 2021-01-01) [beta] * Fix build/portability problems. GnuTLS >= 3.4 is required. ` Version 1.9.2 (released 2020-12-24) [beta] * gsasl: Don't abort command on some expected TLS events (for TLS 1.3). * gsasl: The --mkpasswd output format follows Dovecot 'doveadm pw'. * gsasl: Use GnuTLS system trust settings by default for X.509 server certificate validation. Before it was documented behaviour that unless --x509-ca-file was used, no verification of the server-side certificate was performed. Now instead it will use the system trust settings, which on properly configured systems results in verification of the server certificate. As a result, you may now start to get server certificate verification errors in situations where you didn't expect them. Use --x509-ca-file with the empty string ("") as a file name to use the old behaviour to not abort on server certificate verification failures. * SCRAM, GS2 and GSSAPI retrieve properties later in the authentication process. Before the property GSASL_CB_TLS_UNIQUE was retrieved during SCRAM gsasl_client_start() and gsasl_server_start(), and the properties GSSAPI_SERVICE and GSSAPI_HOSTNAME was retrieved during GS2/GSSAPI gsasl_server_start(). Now they are retrieved during the first call to gsasl_step(). The only user-visible impact of this should be that 'gsasl --client-mechanisms' and 'gsasl --server-mechanisms' will now not query for parameters before giving a list of supported mechanisms, which arguably gives a better user experience. The downside of this is that SCRAM-*-PLUS, GS2 and GSSAPI may be advertised even though the server mechanism may not complete. The problem with calling callbacks in the start() function is that the callback will have no per-session context at that point, only a global context, so the only way to give per-session unique callback responses is to use a separate global handle per session. This was discovered in the Exim implementation of gsasl with SCRAM that used to request the GSASL_CB_TLS_UNIQUE property in the start() function. After noticing this design issue, and writing this self test, it was discovered that it also happened for the GSSAPI/GS2 server (not client) mechanism for the GSASL_SERVICE and GSASL_HOSTNAME properties. * Filenames of images in the manual are now prefixed with 'gsasl-'. This makes /usr/share/info more understandable, and it is suggested to do this in upstream. * Build changes. Some more compiler warnings used and code fixed. Improved ./configure diagnostics. Version 1.9.1 (released 2020-01-14) [beta] * gsasl: New --mkpasswd argument to prepare salted/hashed passwords. Currently mechanisms SCRAM-SHA-1 and SCRAM-SHA-256 are supported. New parameter --iteration-count to indicate number of PBKDF2 rounds, default being 65536. New parameter --salt to specify PBKDF2 salt. Version 1.9.0 (released 2020-01-03) [beta] * Client and server support for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS. * gsasl: If PORT argument is "587" or "submission", SMTP mode is used. Further, unrecognized PORT arguments will now raise an error to specify --smtp or --imap. Version 1.8.1 (released 2019-08-02) [stable] * gsasl: IMAP client code now permits empty SASL tokens prefixed with '+'. Normally servers should send '+ '. Buggy servers include Microsoft Exchange. * GSSAPI client: Now retrieves GSASL_AUTHZID for authorization identity. * GSSAPI client: Can now transmit an empty/missing authorization identity. * i18n: Updated translations. * Build fixes. Update of gnulib, including how it is bootstrapped.