--- cdrom.image/sme10/README.txt 2018/12/28 03:33:50 1.4 +++ cdrom.image/sme10/README.txt 2020/06/17 02:43:09 1.5 @@ -1,12 +1,12 @@ -Koozali SME Server 10 Alpha 4 Release Notes +Koozali SME Server 10 Alpha 5 Release Notes ===================================== -These are draft only and are in a constat state of update. +These are draft only and are in a constant state of update. -27 Dec 2018 +17 Jun 2020 The Koozali SME Server development team is pleased to announce the -release of SME Server 10 Alpha 4 which will be the next major release of +release of SME Server 10 Alpha 5 which will be the next major release of SME Server. This release is based on CentOS 7. CentOS 7.# has an EOL of 30 June 2024. @@ -20,8 +20,8 @@ dedicated test machine and take part in Some notes on Koozali SME Server 10 can be found at https://wiki.contribs.org/SME_Server_10.0_Development -SME10 Roadmap - Alpha 4 -https://wiki.contribs.org/SME10_Roadmap#SME_10_Alpha_4 +SME10 Roadmap - Alpha 5 +https://wiki.contribs.org/SME10_Roadmap#SME_10_Alpha_5 Bug reports and reports of potential bugs should be raised in the bug tracker (and only there, please); 
@@ -70,21 +70,33 @@ simply email treasurer at koozali.org Notes ===== In-place upgrades are not supported. It is necessary to backup and then -restore. -(Remember, testing purpose only) +restore. (Remember, testing purpose only) -The spare handling for RAID arrays is not implemented. +The spare handling for RAID arrays is not implemented as yet. -USB installs are now supported, see: -https://wiki.koozali.org/Install_From_USB +New Server-Manager Framework, Mojolicious, is now well on the way to full implementation + +USB installs are once again fully supported +Note: it is important to use proposed apps to create the boot media +See: https://wiki.koozali.org/Install_From_USB + +Netinstall is once again fully supported + +Install to a system supporting a UEFI BIOS is also now fully supported + +The work that has gone into getting SME 10 to this stage has been enormous, an attempt to list and detail the work that has been done in recent months would not do justice to the effort contributed by the following, + +thank you one and all: + +Jean Phillipe Pialasse +Michel Begue +Brian Read +Catton Durbrow +Chris Sansom-Ninnes +John Crisp + +there have also been many others who have done what they can, thank you: -Current installer is still branded CentOS. A kickstart script allows you -to go through the graphical installation process. If your disk is not -empty, you will need to use the Anaconda interface to format it and -partition it. If it is empty all is automatic. You will have to set your -root password twice: once during Anaconda installation (you could use a -lame password), a second time in the Koozali SME server configuration -process. Major changes in this release ============================= @@ -92,7 +104,7 @@ This release is based on CentOS 7.# Changes in this release ======================= -see above and below +see above and below, to much to list General features ================ 
@@ -106,152 +118,120 @@ autogenerated from the changelogs. Packages altered by Centos, Redhat, and Fedora-associated developers are not included. +The changelogs are written per package, and each package is assigned a group. + Backups -# e-smith-backup updated from 2.6.0-11.el7.sme to 2.6.0-12.el7.sme -- added patch for workstation backup lock [SME: 9127] -- code from Stefano Zamboni +e-smith-backup +- Added /etc/backup-data.d to backup paths +- Added error handling to restore using pipe pattern from perform_backup +- Made reboot optional after console restore +- Fixed bootstrap restore not activating config changes +- Manually added ext2 and ext3 to Block Device file system check where ext4 present +- updated Block Device discovery to fix recovery from console +- Credit to Catton Durbrow File Server -# e-smith-samba updated from 2.6.0-6.el7.sme to 2.6.0-7.el7.sme -- fix typo in /server-resources/regedit/win10samba.reg [SME: 10515] - -# samba updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-common updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-common-tools updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-python updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-client-libs updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-client updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-winbind-krb5-locator updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-libs updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-dc updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-winbind-modules updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-dc-libs updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-winbind-clients updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# libwbclient updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-common-libs updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# libsmbclient updated from 
4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -# samba-winbind updated from 4.4.4-14.6.el7.sme to 4.6.2-12.4.el7.sme -- import 4.6.2-12 [SME: 10429] -- change gnutls-devel >= 3.4.7 to gnutls-devel to allow build -- import to SME the two last upstream releases [SME: 10326] -- resolves: #1514314 - Fix CVE-2017-14746 and CVE-2017-15275 -- resolves: #1491213 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163 -- resolves: #1484423 - Require at least krb5 version 1.15.1 -- resolves: #1484713 - Fix password changes for users via smbpasswd -- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO - returned errors -- resolves: #1481188 - Fix 'net ads changetrustpw' -- resolves: #1459936 - Fix regression with "follow symlinks = no" -- resolves: #1461336 - Fix smbclient username parsing -- resolves: #1460937 - Fix username normalization with winbind -- resolves: #1459179 - Fix smbclient session setup printing -- related: #1277999 - Add missing patchset -- resolves: #1431986 - Fix expand_msdfs VFS module LDAP +e-smith-ldap +- New protocol default as TLSv1.2 +New property TLSProtocolMin +Ciphers are now ordered with stronger first + Localisation -# smeserver-locale updated from 2.6.0-9.el7.sme to 2.6.0-11.el7.sme -- apply locale 2018-12-14 patch -- apply locale 2017-12-02 patch Mail Server -# clamav updated from 0.99.2-1.el7.sme to 0.100.2-1.el7.sme -- Update to 0.100.2 [SME: 10578] - -# e-smith-pop3 updated from 2.6.0-2.el7.sme to 2.6.0-3.el7.sme -- fix undefined fqdn for pop3 [SME: 10257] - -# qpsmtpd updated from 0.96-18.el7.sme to 0.96-19.el7.sme -- add support to force spamcheck on specific IP for fetchmail [SME: 10290] - -# smeserver-qpsmtpd updated from 2.6.0-30.el7.sme to 2.6.0-32.el7.sme -- add forcespamcheck support for fetchmail [SME: 10290] -- Log DMARC reporting in syslog instead of sending email to the admin. 
- Also suppress SSL connection failed warnings [SME: 10298] - -# djbdns updated from 1.05-8.el7.sme to 1.05-10.el7.sme -- improve short ttl cname resolution and glueless answer from akadns [SME: 8362] -- 500-cutom-dnscache-maxloop.patch: increase QUERY_MAXLEVEL 5->10 , set QUERY_MAXLOOP 160 ---import patches from openwrt and rename already applied patches ---fix security issues [SME: 10374] -- 020-dnsroots-update.patch: update list of root DNS servers -- 070-dnscache-dpos-tcp-servfail.patch: SERVFAIL rename previous patch dns_transmit-bug.patch -- 080-dnscache-cache-negatives.patch: rfc2308 ? -- 210-dnscache-strict-forwardonly.patch: rename previous patch dnscache-strict-forwardonly.patch -- 240-tinydns-alias-chain-truncation.patch: rename previous patch tinydns-alias-chain-truncation.patch -- 270-dnscache-sigpipe-fix.patch: SIGPIPE -- 300-bugfix-dnscache-dempsky-poison.patch: CVE-2009-0858 -- 310-bugfix-dnscache-merge-outgoing-requests.patch: CVE-2008-4392 -- 320-bugfix-dnscache-cache-soa-records.patch: CVE-2008-4392 -- 450-dnscache-ghost-domain-CVE-2012-1191.patch: CVE-2012-1191 http://marc.info/?l=djbdns&m=134190748729079&w=2 ---bug fixes [SME: 10374] -- 060-dnscache-big-udp-packets.patch: accept and handle longer than 512 bytes UDP packets -- 230-tinydns-data-semantic-error.patch: handle semantic error to avoid publishing false dns records ---fix issue with short ttl cname like akamaid [SME: 8362] -- 200-dnscache-cname-handling.patch: rename previous patch dnscache-cname-handling.patch -- 330-fix-dnscache-cname-handling.patch: fix dnscache cname for short ttl -- 500-cutom-dnscache-maxloop.patch: set max loop to 200 ---needed for previous patches to apply cleanly -- 030-srv-records-and-axfrget.patch: add SRV record type and axfr-get decompose SRC and PTR records (for 230-*.patch) -- 050-tinydns-mmap-leak.patch: report cdb leak -- 080-dnscache-cache-negatives.patch: rfc2308 ? 
-- 090-tinydns-one-second.patch: improve tinydns with 8 or more concurent connections (for 240-*.patch) -- 120-compiler-temporary-filename.patch: change tmp filename to avoid conflicts (for 230-*.patch) - -# smeserver-spamassassin updated from 2.6.0-7.el7.sme to 2.6.0-8.el7.sme -- disable auto_learn by default when enabling Bayes [SME: 8160] -- added properties UseBayesAutoLearn, BayesAutoLearnThresholdSpam and BayesAutoLearnThresholdNonSpam - -# e-smith-qmail updated from 2.6.0-3.el7.sme to 2.6.0-4.el7.sme -- Update aliases files for every groups passed as argument [SME: 10386] +clamav +- Update clamav-db as per epel last spec file +to add clamav-update as provides +- +smeserver-clamav +- increase lower memory limit to 1GB +- fix for AllowSupplementaryGroups warning +thanks to bunkobugsy +smeserver-dovecot +- fix typo in enabling TLSv1.2 as default +- fix typo in 35ssl template +- fix typo in createlinks +- revert property names with period in it +- add property AcceptFullEmail with enabled as default +smeserver-qpsmtpd +- minimum Protocol TLSv1.0 +better ciphers order. 
Server manager -php -- load openssl configuration file on startup #1408301 -- gd: fix buffer over-read into uninitialized memory CVE-2017-7890 -- fix php should provide php(httpd) #1215429 -- fpm: backport PHP-FPM's clear_env option from 5.4.27 #1410010 -default value is "yes", preserving previous behaviour -- openssl: fix default_socket_timeout does not work with SSL #1378196 -- gd: fix DoS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 -- gd: Signed Integer Overflow gd_io.c CVE-2016-10168 +e-smith-formmagick +- add locale for CSRF +- add CSRF patch - thank you to Daniel Berteaud +e-smith-manager +perl-CGI-FormMagick +- add timeout +- update CSRF patch +- add requires perl(Session::Token) +- fix add CSRF patch - thank you to Daniel Berteaud Webmail and Groupware +smeserver-horde +- workaround logging noise caused by libsasl +- log as admin and not admin@domain for cli tasks +- fix ingo imap preferences +- allow httpd-auth for calendar, tasks access using rpc.php ... +- add smeserver-horde-update event +- avoid loss of user parameter on Primary Domain change +this will also avoid the loss of parameter if we log with a different virtualhost +horde preference is now stored with the SME username without @domain +- fix bad regex to strip domain +also we can now force Primary domain to use as default email +we can strip heading string from virtualhost domain to create email +default identity email will update as long as no other identity is created for the user +- fix typo in php-fpm patch +- remove php3 references +- remove strict and warning alert from error log +- dedicated php-fpm pool for horde +- apply patches from John H. 
Bennett III +- cvs admin -ko on patch1 + Web Server +e-smith-apache +- disable TLSv1 TLSv1.1 by default + Other fixes and updates -# e-smith-base updated from 5.8.0-35.el7.sme to 5.8.0-38.el7.sme -- icleaning xinetd.conf fragment out of the package [SME: 10219] -- revert previous change - wrong package -- added post transaction rule for ntp [SME: 10190] -- thank you to Stefano Zamboni for this work - -# smeserver-yum updated from 2.6.0-16.el7.sme to 2.6.0-17.el7.sme -- add yum-plugin-post-transaction-actions as requirement [SME: 1100] - -# e-smith-devtools updated from 2.6.0-6.el7.sme to 2.6.0-7.el7.sme -- ease update of e-smith-devtools on non SME builders [SME: 10536] - -# smeserver-support updated from 2.8.0-12.el7.sme to 2.8.0-15.el7.sme -- exclude libtevent,python-tevent from base and updates to avoid conflict with localy build version of samba [SME: 10573] -- add back perl(LWP::Protocol::https) support [SME: 10516] -- upstream samba packages were not all excluded [SME: 10428] - -# e-smith-ntp updated from 2.6.0-3.el7.sme to 2.6.0-4.el7.sme -- added post transaction rule for ntp [SME: 10190] -- thank you to Stefano Zamboni for this work - -# e-smith-lib updated from 2.6.0-6.el7.sme to 2.6.0-7.el7.sme -- Skip tap_soft interfaces (eg SoftEther, code from Hsing-Foo Wang) - [SME: 10445] +e-smith-base +- wildcard self-signed certificate +e-smith-ibays +- revert patch, wrong rpm +- add support for php-fpm +e-smith-lib +- add support for systemctl reload-or-restart, try-restart, enable -now +e-smith-ntp +- revert last change +on sme10 systemd has ntpd disabled by default +e-smith-openssh +- add Whitelist to AutoBlock using property sshd ValidFrom +- update client ciphers to use +- add ciphers, macs and KexAlgorithms for server +rssh +smeserver-release +- Bump new rpm for sme10 alpha5 +smeserver-support +- obsoletes e-smith-starterwebsite +smeserver-yum +- avoid missing template error after removal of a rpm +- restart php-fpm services when needed +- applying patch +- 
fix NameError: global name 'yum_update_dbs' is not defined +- use yum-cron with autoupdate feature On behalf of the Koozali SME Server development team +- Compilation of release data is thanks to scripts developed by Ian Wells and + substantially improved by Jean Phillipe Pialasse
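Review bot: In the @@ -70,21 +70,33 @@ hunk (Notes section), the removed installer paragraph was the only text telling the reader that the root password is set twice, once in Anaconda and again in the Koozali SME Server configuration step, and nothing replaces it. If the Alpha 5 installer still prompts for a root password in Anaconda, keep a sentence that says so and states which password remains in effect afterwards, without the old "you could use a lame password" advice; if the kickstart no longer prompts, say that instead. The added line "Note: it is important to use proposed apps to create the boot media" should name the apps or say that the linked Install_From_USB page lists them.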
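Review bot: In the @@ -92,7 +104,7 @@ hunk, the added line "see above and below, to much to list" has a typo ("to much" should be "too much") and still leaves the "Changes in this release" section with no content of its own. Pointing the reader at the per-package changelog further down would be more useful than "above and below".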
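Review bot: In the @@ -106,152 +118,120 @@ hunk, the TLS entries give three different protocol floors without saying why they differ: e-smith-ldap has "New protocol default as TLSv1.2", e-smith-apache has "disable TLSv1 TLSv1.1 by default", but smeserver-qpsmtpd has "minimum Protocol TLSv1.0". The qpsmtpd entry should state why its minimum is lower than the other services, and the e-smith-ldap entry should say what values the new TLSProtocolMin property accepts; the TLSProtocolMin line and the two cipher-ordering lines also lack the leading "- " used by the other entries. Several other added entries are incomplete as written: the e-smith-openssh client ciphers line stops mid-sentence and the server line names no ciphers, MACs or key exchange algorithms, the smeserver-yum patch line does not say what was patched, a bare "-" line follows the clamav entry, and e-smith-manager and rssh appear with no changes under them. The removed entries carried package versions and [SME: nnnn] bug numbers, while the added ones have neither, so a tester cannot map an item such as the CSRF patch to a package build or a bug report; keeping the version and bug reference on each entry would fix that.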