1,574
edits
Changes
From SME Server
Jump to navigationJump to searchno edit summary
relating to eth0 and eth1.
relating to eth0 and eth1.
====Changes in this release====
Major changes in this release
=============================
Added functionality to use a Dummy NIC for the internal interface.
Set the check update frequency of smecontribs through the server-manager.
Disable SSLv3.
Added Windows 10 support for SME Domain.
Changes in this release
=======================
Only the changes since SME Server 9.0 are listed, mainly
autogenerated from the changelogs.
Packages altered by Centos, Redhat, and Fedora-associated developers are
Packages altered by Centos, Redhat, and Fedora-associated developers are
not included.
not included.
Backups
-------
- dar new upstream version
- dar add pkgconfig
- The mountpoint is tested before attempting the console backup
- Workstation Backup, do not fail backup for mtime/ctime mismatch
- Change the sub checkMount() to findmnt Ian Wells <esmith@wellsi.com>
- Add requires nfs-utils
- The nfs service is neither started or allowed to start
- Don't remove the apache group during restore
File Server
- Workstation Backup, do not exclude dar files by default in line with console backup.
-----------
- The samba performance registry is now added in the win10samba.reg
- Fix samba audit parameters
Patch from Jorge Gonzalez
Replace syslog template to rsyslog so samba audits are logged in the correct
file
- The samba performance registry is now added in the win10samba.reg
Corrected typo in patch of bad character '“', relative to roaming profile
e-smith-samba-2.4.0.bz9038.W10_registry.patch
Roaming profiles follow Windows version (.V2,.V3,.V4,.V5)
added W10 support to SME Domain
e-smith-samba-2.4.0.bz9038.W10_registry.patch
- Added e-smith-samba-2.4.0.bz9048.RoamingProfileForW8.patch
Modified the registry file for roaming profile with W8
Roaming profiles follow Windows version (.V2,.V3,.V4,.V5)
- Add dependency on perl(Crypt::Cracklib), needed for ftpasswd --use-cracklib
Add -utils subpackage for support tools (#1258440), using a sub-package to
ensure that the main package does not require perl
Update ftpasswd to version from proftpd 1.3.5a for additional functionality
(SHA passwords, locking and unlocking of accounts)
- Workstation Backup, new method to show files being restored is needed when using dar 2.4.
LDAP
----
- Remove size limit for search result
- Make pdbedit output independent from locale and timezone so it can be
parsed
- Symlink /etc/init.d/ldap to /usr/bin/sv
- Chown all DB files to ldap before staring slapd
- Set checkpoint in slapd.conf instead of DB_CONFIG
- Stop ldap on shutdown (rc0 and rc6)
- Don't overwrite the ldif dump if slapcat's output is empty
(code from Charlie Brady)
- Run db_recover on startup
- Don't wipe LDAP DB when the ldif dump is empty
- Simplify the workstation backup report.
Localisation
------------
- apply locale smeserver-locale-2.4.0-locale-2015-07-12.patch
- apply locale smeserver-locale-2.4.0-locale-2015-07-01.patch
- apply locale 2015-03-14 patch from pootle
- apply locale 2014-12-25 patch from pootle
- Workstation Backup, count backup sets from 1.
Mail Server
-----------
- ClamAV Updated to release 0.98.7
- Remove the patch e-smith-email-5.4.0-UEsDBBQDAAAIA-new-signature.patch
- Add new zip file signatures to default mailpatterns database : UEsDBBQDAAAIA
- Add new zip file signatures to default mailpatterns database : ZIPVOSX & ZIPV3
- Disable fips mode on stunnel
- Use stunnel instead of sslio to support TLS
- Revert forcing TLSv1 patch as it breaks some inbound delivery
- Revert whitelist_soft dnsbl as it hasn't been verified yet and we need to
push the fix for TLSv1
- Modify whitelist_soft transaction to interact with dnsbl filter
by John Crisp <jcrisp@safeandsoundit.co.uk>
- Force usage of TLSv1
- Increase MemLimit to 700M for clamav-0.98
- Allow custom passdb args
- allow IP relayclient stored by DB
Code from Stefano ZAmboni <zamboni@mind-at-work.it>
& Charlie Brady <charlieb-contribs-bugzilla@budge.apana.org.au>
- allow IP relayclient stored by DB
Code from Stefano ZAmboni <zamboni@mind-at-work.it>
- Update the text in the Backup panel.
Server manager
--------------
- fix gzfile accept paths with NUL character #1213407
- fix patch for CVE-2015-4024
- fix more functions accept paths with NUL character #1213407
- soap: missing fix for #1222538 and #1204868
- core: fix multipart/form-data request can use excessive
amount of CPU usage CVE-2015-4024
- fix various functions accept paths with NUL character
CVE-2015-4026, #1213407
- ftp: fix integer overflow leading to heap overflow when
reading FTP file listing CVE-2015-4022
- phar: fix buffer over-read in metadata parsing CVE-2015-2783
- phar: invalid pointer free() in phar_tar_process_metadata()
CVE-2015-3307
- phar: fix buffer overflow in phar_set_inode() CVE-2015-3329
- phar: fix memory corruption in phar_parse_tarfile caused by
empty entry file name CVE-2015-4021
- soap: more fix type confusion through unserialize #1222538
- soap: more fix type confusion through unserialize #1204868
- core: fix double in zend_ts_hash_graceful_destroy CVE-2014-9425
- core: fix use-after-free in unserialize CVE-2015-2787
- exif: fix free on unitialized pointer CVE-2015-0232
- gd: fix buffer read overflow in gd_gif.c CVE-2014-9709
- date: fix use after free vulnerability in unserialize CVE-2015-0273
- enchant: fix heap buffer overflow in enchant_broker_request_dict
CVE-2014-9705
- phar: use after free in phar_object.c CVE-2015-2301
- soap: fix type confusion through unserialize
- fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
- xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
- core: fix integer overflow in unserialize() CVE-2014-3669
- exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
- spl: fix use-after-free in ArrayIterator due to object
change during sorting. CVE-2014-4698
- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
- gd: fix NULL pointer dereference in gdImageCreateFromXpm.
CVE-2014-2497
- fileinfo: fix incomplete fix for CVE-2012-1571 in
cdf_read_property_info. CVE-2014-3587
- core: fix incomplete fix for CVE-2014-4049 DNS TXT
record parsing. CVE-2014-3597
- core: type confusion issue in phpinfo(). CVE-2014-4721
- date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712
- core: fix heap-based buffer overflow in DNS TXT record parsing.
CVE-2014-4049
- core: unserialize() SPL ArrayObject / SPLObjectStorage type
confusion flaw. CVE-2014-3515
- fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270
- fileinfo: unrestricted recursion in handling of indirect type
rules. CVE-2014-1943
- fileinfo: out of bounds read in CDF parser. CVE-2012-1571
- fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479
- fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480
- fileinfo: cdf_unpack_summary_info() excessive looping
DoS. CVE-2014-0237
- fileinfo: CDF property info parsing nelements infinite
loop. CVE-2014-0238
- add php_get_module_initialized internal function (#1053301)
- soap: fixRFC2616 transgression (#1045019)
- fix static calling in non-static method (#953786)
- fix autoload called from closing session (#954027)
- drop unneeded part of CVE-2006-724.patch and fileinfo.patch
extension not provided or git binary patches (#1064027)
- odbc: fix incompatible pointer type (#1053982)
- mysqli: fix possible segfault in mysqli_stmt::bind_result
php bug 66762 (#1069167)
- mysql: fix php_mysql_fetch_hash writes long value into int
php bug 52636 (#1054953)
- Allow more time for cifs mounts before reporting errors.
Web Server
----------
- DIsable SSLv3
- Revert CRIME mitigation patch, as it's not needed
- Mitigate CVE-2012-4929
- Turn SSLEngine on in the SSL vhost (ProxyPassVirtualHosts)
- Remove obsolete gpc_order setting from php.ini.
- Add an upload_tmp_folder setting by db command
- Thanks to Michael McCarn and Jean-philippe Pialasse
Other fixes and updates
-----------------------
- Workstation Backup, add a choice to delete old backup before or after backup.
- Update /etc/mime.types templates
- Use sha256 algorithm for signature of SSL cert.
- Workstation Backup, remove temporary directory on success.
- Added new createlinks function event_templates event_actions event_services
- Don't claim to own /sbin and /sbin/e-smith
- Refactor directory tree creation and removal.
- display variable name in the server-manager $domainName, $domainDesc $domain
- Revert the upload_tmp_folder patch as it needs some more work
- Workstation Backup, inconsistent formatting of host share name in messages.
- Add dummy NIC support as InternalInterface
- Only fire the ip-change event when IP is assigned to WAN nic
- Workstation Backup, more reliable catalog creation.
(Code by Charlie Brady and John Crisp)
- Only reset service access when switching to or from private server mode
- Workstation Backup, report cifs mount errors.
(Code by Charlie Brady)
- When quiting the console app with unsaved changes set the default selected
- Workstation Backup, do not access /proc/mounts
answer to NO
- Added a comment to specify the real configuration file of dhcpd
- Incremental backup fix.
- Modified the patch of daniel e-smith-base-5.6.0-ensure_apache_alias_www.patch
- Ensure www group exists and that apache is an alias of www
- Workstation Backup, allow spaces in the backup destination. Includes fix for disk usage broken with spaces.
- Check where running runlevel 4, not 7 in service wrapper
- Correctly update NIC configuration on single NIC systems
- Desktop Backup, allow user setting of compression level.
- Symlink udev-post service in rc7
- Fix PPPoE after a post-upgrade
- Use Wake on LAN before starting Backup with DAR.
- Remove dependency on microcode_ctl
- Prevent emailing about the normal, weekly, checks of RAID arrays, by Mark Casey
- NFS syntax is deprecated for CIFS mount.
- Don't claim to own /sbin and /sbin/e-smith
- Add an upload_tmp_folder setting by db command
- Require cifs-utils and use UNC paths for cifs mount.
Thanks to Michael McCarn and Jean-philippe Pialasse
- the folder /tmp is created by the event init-ibays
- Improve text in console backup for success and failure.
- the event ibay-modify create/chown/chmod the folder /tmp
- Add an upload_tmp_folder setting by db command
- Console USB Backup, allow user setting of compression level. Compression level of the console backup is now -6 by default.
Thanks to Michael McCarn and Jean-philippe Pialasse
- Force SSL following ibays settings to the relevant domain
- Patch to exclude trying to backup aquota.* files so that backups to tape will succeed.
- Perl::critic syntax modifications
- Add more PHP options to ibays only by db commands
- Update to the latest version of console restore.
- Add SSLRequireSSL to ibays when SSL is set to enabled
- Allow the admin upsd in /etc/hosts.allow
- Boostrap console should only offer restore if no password set.
- Creation Admin Privilege for use of upscmd & upsrw
- Remove obsolete directives {allowfrom}
- Delete items from dar catalog in descending order
- Access property created (default value is 'localhost')
- Remove obsolete directives {ACL,ACCEPT,REJECT} and switch to LISTEN
- Minor non-functional updates based on PerlCritic and review comments
in /etc/ups/upsd.conf
- Allow NUT in /etc/hosts.allow and in /etc/services
- Move console backup to e-smith-backup
Code change from Daniel B.<daniel@firewall-services.com>
- Revert the patch e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch
- Workstation Backup, selective restore of deleted files
- Duplicate hostnames with different IP are not used, a warn in log is printed
- The server hostname can not be used by a dhcp client, a warning in log is printed
- Remove migrate fragment 30vfstype
- Changed the name of /tmp/dhcpd.leases to /tmp/tmpdhcpd.leases
when the dhcpd lease is modified
- Workstation Backup, Don't delete old sets, only empty them.
- Do template-expand of /var/service/tinydns/root/data
- Do sigus1 of dhcp-dns & dnscache
- Forked DHCPparse for parsing the end of lease and remove old entry of dnscache
- Require perl-Text-DHCPparse removed
- Workstation Backup, remove the need for a temporary directory, updated.
- Timestamp added in tinydns, the entry in dnscache is cleared when the lease is over
- Add new feature 'Parse dhcpd.leases and feed to tinydns'
- Workstation Backup, backupname includes seconds.
- e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch
made from the solution of Stefano Zamboni
- Make slapd service an alias for ldap
- Switched to sysvinit from systemd (it's rhel-6)
- Workstation Backup, remove the need for a temporary directory.
- Fixed license tag Related: rhbz#632853
- pptpd New version
- Allow configuration of workstation backup if no removable disk present
- Dropped pppd-unbundle patch (upstreamed)
- Various fixes according to Fedora review Related: rhbz#632853
- Modified for Fedora Resolves: rhbz#632853
- Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252
- Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the
CVE-2012-3478 and CVE-2012-2252 fixes.
- Updated makefile.patch to preserve RPM CFLAGS.
- Added command-line-error.patch (from Debian), correcting error message
generated when insecure command line option is used (CVE-2012-3478 fix
regression).
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
- Add patch for rsync3 compat (#485946)
- Update runit to 2.1.2
- Remove now uneeded obsolete directives
- Remove openssl from the Exclude list of centos repo
- Add a default Yum db property for check4contribsupdates
- Added a check-update for the smecontribs repository
- Move protected package list to the correct location
- Add support for Windows 8 domain joining & user login.
- Add windows network performance enhancements registry file.
- Update default ServerName in 30smbServerName
- Only present one auth method at a time, in order, to NET::SMTP.
- Fetchmail multidrop mode follows TCPPort setting.
- Listen on loopback if disabled.
- Requires e-smith-cvm-unix-local.
- Fix how qpsmtpd tags spam email.
- Remove Packager and Vendor from spec file.
- Revert last change.
- Updates to release 0.98.1
- Remove insecure ciphers
- Remove workarounds for how qpsmtpd tags spam email
- Fix whitespace in 10required_score
- Update SBL and RBL Lists
- Remove log noise from Create starter web site panel.
- Add security fix for CVE-2013-4113.
- Don't use SSL over loopback.
- Replace last change with a default value for horde access
- Add ssh-autoblock for external interface.<br />
- Return nic names in probeAdapters so we can drop HWAddress.
- Remove HWAddress prop from interfaces.
- Provide the ability to force https per ibay.
- Add an audit for groups.<br />
- Update the full names of users added in %pre.
- Fix uid and gid to be the same for the users added in %pre.
- Changed Prereq to Requires(pre) as Prereq is deprecated.
- Patch to correct issue with not being able to access a password protected ibay.
- Remove old System Name from the Hosts DB.
- Fix group creation when LDAP auth is enabled.
- Disable IPv6 on a default install.
- Continue escaping control chars in rsyslog, just replace LF with space.
- Remove redundant parts of init-accounts.
- Require diald.
- Removal of rc.e-smith now functionality is in e-smith-service.
- Fix the way '.' works in bash.
- rename /etc/ldap.conf to /etc/pam_ldap.conf (and same for .secret).
- Change System Name from mitel-networks-server to sme-server.
- Patch to correct issue with not being able to access a password protected ibay.
- Correctly display accented letters in the console.
- Fix uid and gid to be the same in create-system-user.
- Ignore mysql.event table.
- Use mysql_upgrade instead of fix_privilege_tables.
- Increase memory limit for ntp.
- Make rsyslog listen to our socket.
- Remove rc.quota_create.
- the config file is radiusclient.conf, not radiusclient-ng.conf.
- Add hack for running rc7.d script during runlevel 4.
- Apply SME Server config file changes to pwauth.
- Fix libgomp obsoletes to not obsolete el6 version.
- Change order of mail options in check4updates.
- Fix parsing issues with "manage RAID" menu option in the console.
- Remove SSH v1 legacy support.
- Support nolvm boot option.
- Create degraded RAID1 array with single disk install.
- nodmraid is the default for SME 9.0 installs.
- Give more time to the grub menu.
- Customize confirmation dialogs during fresh install.
- Run installer in 'text' mode.
- Roll new stream to really remove obsolete images
- Roll new stream to remove obsolete images
- Move console backup to e-smith-backup
- Console restore should reboot
- Boostrap console should only offer restore if no password set
- Non-code changes to perform_restore.pm
- Refer to removable media not CDROM in console restore
- Remove insecure SSL ciphers
- Add more PHP options to ibays only by db commands<br />
- Update frame header and footer
- Use mysql_upgrade in 00_restore_dumped_dbs, by Terje Edseth
- Modify template to allow Squid proxy https access to ports other than 443,563 using db command<br />
- Add -n 1 to the dmesg line in rc.sysinit to prevent unwanted messages appearing on the console
- Remove CentOS Branding patch
- Move support.pl from e-smith-base to smeserver-support
- Add a verification in remoteaccess panel of number of pptp clients against ip allowed in dhcpd
- Display a warning with the domain name before to remove it
- Move mysql logging to multilog
General features
================
- Based on CentOS 6.7 and all available updates
==Known issues==
==Known issues==
