--- cdrom.image/sme9/README.txt 2013/10/12 06:31:51 1.4 +++ cdrom.image/sme9/README.txt 2015/12/09 08:43:49 1.19 @@ -1,32 +1,48 @@ -SME Server 9.0 Beta 1 Release Notes -=================================== +Koozali SME Server 9.1 Final Release Notes +=========================================== +09 Dec 2015 -14 October 2013 +The Koozali SME Server (SME Server) development team is pleased to announce +the release of SME Server 9.1 which is based on CentOS 6.7. -The SME Server development team is pleased to announce the release of -SME Server 9.0 Beta 1 which is based on CentOS 6.4 +SME 9.1 incorporates only very minor changes from SME 9.1rc1 + +CentOS 6.# has an EOL of 20 Nov 2020. Bug reports and reports of potential bugs should be raised in the bug tracker (and only there, please); http://bugs.contribs.org/ +Download +======== +You can download SME Server 9.1 from +http://mirror.contribs.org/smeserver/releases/9.1/ +or for other methods see http://wiki.contribs.org/SME_Server:Download + +Please note it may take up to 48 hours for mirrors to finish syncing, +during this time you may experience problems. + About SME Server ================ - SME Server is the leading Linux distribution for small and medium -enterprises. +enterprises. SME Server is brought to you by Koozali Foundation, Inc., +a non-profit corporation that exists to provide marketing and legal support +for SME Server. SME Server is freely available under the GNU General Public License and is only possible through the efforts of the SME Server community. + However, the availability and quality of SME Server is dependent on meeting our expenses, such as hosting costs, server hardware, etc. As such, we ask for a donation to offset costs and fund further development. + a) If you are a school, a church, a non-profit organisation or an individual using SME Server for private purposes, we would appreciate you to contribute within your means toward the costs associated with hosting, maintenance and development. + b) If you are a company or an integrator and you are deploying SME Server in the course of your work to generate revenue, we expect you to make a donation commensurate with the level of revenue you generate and the number of servers @@ -34,183 +50,275 @@ your have in the field. Please, help the Please visit http://wiki.contribs.org/Donate to donate. -Thanks -====== - -The development team would like to thank all of those who have involved -themselves with this release. +Koozali Inc is happy to supply an invoice for any donations received, +simply email treasurer@koozali.org Notes ===== +In-place upgrades are not supported. It is necessary to backup and then restore. +/boot partition is always RAID 1. + +The spare handling for RAID arrays is not implemented. -This section will be updated for SME Server 9.0 Beta 2 +USB installs are now supported, see: +http://wiki.contribs.org/Install_From_USB#SME_Server_9 +Minimal changes have been made from SME9.1rc1 Major changes in this release ============================= - -This section will be updated for SME Server 9.0 Beta 2 - +Added functionality to use a Dummy NIC for the internal interface. +Set the check update frequency of smecontribs through the server-manager. +Disable SSLv3. +Added Windows 10 support for SME Domain. Changes in this release ======================= - -This section will be updated for SME Server 9.0 Beta 2 -Currently this only shows changes since SME Server 9.0 Alpha 3 and it is -autogenerated from the changelogs. A more human readable version will be -written for SME Server 9.0 Beta 2. - +Only the changes since SME Server 9.0 are listed, mainly +autogenerated from the changelogs. Packages altered by Centos, Redhat, and Fedora-associated developers are not included. - Backups ------- -- Dar updated to 2.4.10 -- Workstation Backup, add a choice to delete old backup before or after - backup. -- Workstation Backup, remove temporary directory on success. -- Refactor directory tree creation and removal. -- Workstation Backup, inconsistent formatting of host share name in messages. -- Workstation Backup, more reliable catalog creation. -- Workstation Backup, report cifs mount errors. -- Workstation Backup, do not access /proc/mounts -- Incremental backup fix. -- Workstation Backup, allow spaces in the backup destination. - Includes fix for disk usage broken with spaces. -- Desktop Backup, allow user setting of compression level. -- Use Wake on LAN before starting Backup with DAR. -- NFS syntax is deprecated for CIFS mount. -- Require cifs-utils and use UNC paths for cifs mount. -- Improve text in console backup for success and failure. -- Console USB Backup, allow user setting of compression level. - Compression level of the console backup is now -6 by default. + - dar new upstream version + - dar add pkgconfig + - The mountpoint is tested before attempting the console backup + - Workstation Backup, do not fail backup for mtime/ctime mismatch + - Change the sub checkMount() to findmnt Ian Wells + - Add requires nfs-utils + - The nfs service is neither started or allowed to start + - Don't remove the apache group during restore File Server ----------- -- Also remove the empty template-begin file in pam.d/proftpd templates. -- Remove unused pam templates. -- Replace vfs_shadow_copy with vfs_shadow_copy2 for shadow snapshots. -- Add template for wide links. -- Add templates for max protocol. -- Add support for Windows 8 domain joining & user login. -- Add windows network performance enhancements registry file. -- Update default ServerName in 30smbServerName -- Add ability to configure waiting for network Win7 registry option. -- Change default Workgroup and Domain to sme-server. -- Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint - authentication + - The samba performance registry is now added in the win10samba.reg + - Fix samba audit parameters + Patch from Jorge Gonzalez + Replace syslog template to rsyslog so samba audits are logged in the correct + file +- The samba performance registry is now added in the win10samba.reg + Corrected typo in patch of bad character '“', relative to roaming profile + e-smith-samba-2.4.0.bz9038.W10_registry.patch + Roaming profiles follow Windows version (.V2,.V3,.V4,.V5) + added W10 support to SME Domain + e-smith-samba-2.4.0.bz9038.W10_registry.patch + - Added e-smith-samba-2.4.0.bz9048.RoamingProfileForW8.patch + Modified the registry file for roaming profile with W8 + Roaming profiles follow Windows version (.V2,.V3,.V4,.V5) + - Add dependency on perl(Crypt::Cracklib), needed for ftpasswd --use-cracklib + Add -utils subpackage for support tools (#1258440), using a sub-package to + ensure that the main package does not require perl + Update ftpasswd to version from proftpd 1.3.5a for additional functionality + (SHA passwords, locking and unlocking of accounts) -LDAP (Optional in SME 9.0, and considered experimental) + +LDAP ---- -None + - Remove size limit for search result + - Make pdbedit output independent from locale and timezone so it can be + parsed + - Symlink /etc/init.d/ldap to /usr/bin/sv + - Chown all DB files to ldap before staring slapd + - Set checkpoint in slapd.conf instead of DB_CONFIG + - Stop ldap on shutdown (rc0 and rc6) + - Don't overwrite the ldif dump if slapcat's output is empty + (code from Charlie Brady) + - Run db_recover on startup + - Don't wipe LDAP DB when the ldif dump is empty Localisation ------------ -- Latest translations included. + - apply locale smeserver-locale-2.4.0-locale-2015-07-12.patch + - apply locale smeserver-locale-2.4.0-locale-2015-07-01.patch + - apply locale 2015-03-14 patch from pootle + - apply locale 2014-12-25 patch from pootle Mail Server ----------- -- Fetchmail multidrop mode follows TCPPort setting. -- Always enable imap, listen on loopback is disabled. -- Avoid use of unitialised variables in smtp migrate fragments. -- Simplify qmail concurrency templates. -- Modify domain style pseudonym pointing to user with dot in name. -- Accept messages with no body and no trailing \n after headers. -- Fix Net::DNS update breaks qpsmtpd. -- allows the spamassassin plugin to read the size limit from its - arguments -- Move clamscan scheduling to complete before 99-raid-check. -- Listen on loopback if disabled. -- Fix permissions on imapd.pem as it's used by pop3s. -- Do not obsolete bglibs, it's required for cvm. -- Allow plaintext (unless explicitly disabled). -- Do not obsolete cvm, it's still needed for qpsmtpd. -- Fix size_limit initialization. -- reads MaxMessageSize prop of spamassassin and adds it - to the arguments of the plugin if defined. -- Requires e-smith-cvm-unix-local. -- Load TextCat plugin if ok_languages is enabled. -- Fix how qpsmtpd tags spam email. + - ClamAV Updated to release 0.98.7 + - Remove the patch e-smith-email-5.4.0-UEsDBBQDAAAIA-new-signature.patch + - Add new zip file signatures to default mailpatterns database : UEsDBBQDAAAIA + - Add new zip file signatures to default mailpatterns database : ZIPVOSX & ZIPV3 + - Disable fips mode on stunnel + - Use stunnel instead of sslio to support TLS + - Revert forcing TLSv1 patch as it breaks some inbound delivery + - Revert whitelist_soft dnsbl as it hasn't been verified yet and we need to + push the fix for TLSv1 + - Modify whitelist_soft transaction to interact with dnsbl filter + by John Crisp + - Force usage of TLSv1 + - Increase MemLimit to 700M for clamav-0.98 + - Allow custom passdb args + - allow IP relayclient stored by DB + Code from Stefano ZAmboni + & Charlie Brady + - allow IP relayclient stored by DB + Code from Stefano ZAmboni Server manager -------------- -- Renew donation text in server-manager. -- Do not load mod_ssl. -- Remove log noise from Create starter web site panel. -- add security fix for CVE-2013-4113. - -Webmail and Groupware ---------------------- -- Don't use SSL over loopback. + - fix gzfile accept paths with NUL character #1213407 + - fix patch for CVE-2015-4024 + - fix more functions accept paths with NUL character #1213407 + - soap: missing fix for #1222538 and #1204868 + - core: fix multipart/form-data request can use excessive + amount of CPU usage CVE-2015-4024 + - fix various functions accept paths with NUL character + CVE-2015-4026, #1213407 + - ftp: fix integer overflow leading to heap overflow when + reading FTP file listing CVE-2015-4022 + - phar: fix buffer over-read in metadata parsing CVE-2015-2783 + - phar: invalid pointer free() in phar_tar_process_metadata() + CVE-2015-3307 + - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 + - phar: fix memory corruption in phar_parse_tarfile caused by + empty entry file name CVE-2015-4021 + - soap: more fix type confusion through unserialize #1222538 + - soap: more fix type confusion through unserialize #1204868 + - core: fix double in zend_ts_hash_graceful_destroy CVE-2014-9425 + - core: fix use-after-free in unserialize CVE-2015-2787 + - exif: fix free on unitialized pointer CVE-2015-0232 + - gd: fix buffer read overflow in gd_gif.c CVE-2014-9709 + - date: fix use after free vulnerability in unserialize CVE-2015-0273 + - enchant: fix heap buffer overflow in enchant_broker_request_dict + CVE-2014-9705 + - phar: use after free in phar_object.c CVE-2015-2301 + - soap: fix type confusion through unserialize + - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 + - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 + - core: fix integer overflow in unserialize() CVE-2014-3669 + - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 + - spl: fix use-after-free in ArrayIterator due to object + change during sorting. CVE-2014-4698 + - spl: fix use-after-free in SPL Iterators. CVE-2014-4670 + - gd: fix NULL pointer dereference in gdImageCreateFromXpm. + CVE-2014-2497 + - fileinfo: fix incomplete fix for CVE-2012-1571 in + cdf_read_property_info. CVE-2014-3587 + - core: fix incomplete fix for CVE-2014-4049 DNS TXT + record parsing. CVE-2014-3597 + - core: type confusion issue in phpinfo(). CVE-2014-4721 + - date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712 + - core: fix heap-based buffer overflow in DNS TXT record parsing. + CVE-2014-4049 + - core: unserialize() SPL ArrayObject / SPLObjectStorage type + confusion flaw. CVE-2014-3515 + - fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270 + - fileinfo: unrestricted recursion in handling of indirect type + rules. CVE-2014-1943 + - fileinfo: out of bounds read in CDF parser. CVE-2012-1571 + - fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479 + - fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480 + - fileinfo: cdf_unpack_summary_info() excessive looping + DoS. CVE-2014-0237 + - fileinfo: CDF property info parsing nelements infinite + loop. CVE-2014-0238 + - add php_get_module_initialized internal function (#1053301) + - soap: fixRFC2616 transgression (#1045019) + - fix static calling in non-static method (#953786) + - fix autoload called from closing session (#954027) + - drop unneeded part of CVE-2006-724.patch and fileinfo.patch + extension not provided or git binary patches (#1064027) + - odbc: fix incompatible pointer type (#1053982) + - mysqli: fix possible segfault in mysqli_stmt::bind_result + php bug 66762 (#1069167) + - mysql: fix php_mysql_fetch_hash writes long value into int + php bug 52636 (#1054953) Web Server ---------- -- Force magic_quotes Off. + - DIsable SSLv3 + - Revert CRIME mitigation patch, as it's not needed + - Mitigate CVE-2012-4929 + - Turn SSLEngine on in the SSL vhost (ProxyPassVirtualHosts) + - Remove obsolete gpc_order setting from php.ini. + - Add an upload_tmp_folder setting by db command + - Thanks to Michael McCarn and Jean-philippe Pialasse Other fixes and updates ----------------------- -- Update the full names of users added in %pre. -- Fix uid and gid to be the same for the users added in %pre. -- Changed Prereq to Requires(pre) as Prereq is deprecated. -- Patch to correct issue with not being able to access a password protected - ibay. -- Update ServerName (Samba netbios name) when SystemName is updated. -- Remove old System Name from the Hosts DB. -- Fix group creation when LDAP auth is enabled. -- Disable IPv6 on a default install. -- Continue escaping control chars in rsyslog, just replace LF with space. -- Use UTF-8 in the console. -- Remove redundant parts of init-accounts. -- Add_template_to_ssl.pem, codes by JP Pialasse. -- Require diald. -- Removal of rc.e-smith now functionality is in e-smith-service. -- Replacement of rc.e-smith by moving code into e-smith-service. -- Fix the way '.' works in bash. -- rename /etc/ldap.conf to /etc/pam_ldap.conf (and same for .secret). -- Always define InternalInterface NICBonding. -- In the console refer to removable media instead of USB disk. -- Fix a few more syslog => rsyslog items. -- Remove modprobe stuff. -- Don't be as agressive on rate limiting. -- Change syslog templates to rsyslog. -- Ensure existing_hwaddr is always initialized. -- Change System Name from mitel-networks-server to sme-server. -- Patch to remove symlink to Primary ibay from /home/e-smith/files/primary. -- Patch to correct issue with not being able to access a password protected - ibay. -- Correctly display accented letters in the console. -- Add e-smith as a Requires(pre) and remove adding users in %pre. -- Fix uid and gid to be the same in create-system-user. -- Ignore mysql.event table. -- Use --single-transaction in mysql-dump-tables. -- Use mysql_upgrade instead of fix_privilege_tables. -- Increase memory limit for ntp. -- Make rsyslog listen to our socket. -- Remove rc.quota_create. -- the config file is radiusclient.conf, not radiusclient-ng.conf. -- Add templates for radiusclient-ng.conf file to remove binaddr - directive. -- Add directive to options.pptpd so that radius plugin can find the - radiusclient configuration file.. -- Fix permissions of /etc/radiusclient-ng/servers. -- Add hack for running rc7.d script during runlevel 4. -- Apply SME Server config file changes to pwauth. -- Renew donation text and add donation graphic. -- Fix /etc/system-release. -- Fix libgomp obsoletes to not obsolete el6 version. -- Change order of mail options in check4updates. -- Change wording of Software Update button. + - Update /etc/mime.types templates + - Use sha256 algorithm for signature of SSL cert. + - Added new createlinks function event_templates event_actions event_services + - Don't claim to own /sbin and /sbin/e-smith + - display variable name in the server-manager $domainName, $domainDesc $domain + - Revert the upload_tmp_folder patch as it needs some more work + - Add dummy NIC support as InternalInterface + - Only fire the ip-change event when IP is assigned to WAN nic + (Code by Charlie Brady and John Crisp) + - Only reset service access when switching to or from private server mode + (Code by Charlie Brady) + - When quiting the console app with unsaved changes set the default selected + answer to NO + - Added a comment to specify the real configuration file of dhcpd + - Modified the patch of daniel e-smith-base-5.6.0-ensure_apache_alias_www.patch + - Ensure www group exists and that apache is an alias of www + - Check where running runlevel 4, not 7 in service wrapper + - Correctly update NIC configuration on single NIC systems + - Symlink udev-post service in rc7 + - Fix PPPoE after a post-upgrade + - Remove dependency on microcode_ctl + - Prevent emailing about the normal, weekly, checks of RAID arrays, by Mark Casey + - Don't claim to own /sbin and /sbin/e-smith + - Add an upload_tmp_folder setting by db command + Thanks to Michael McCarn and Jean-philippe Pialasse + - the folder /tmp is created by the event init-ibays + - the event ibay-modify create/chown/chmod the folder /tmp + - Add an upload_tmp_folder setting by db command + Thanks to Michael McCarn and Jean-philippe Pialasse + - Force SSL following ibays settings to the relevant domain + - Perl::critic syntax modifications + - Add more PHP options to ibays only by db commands + - Add SSLRequireSSL to ibays when SSL is set to enabled + - Allow the admin upsd in /etc/hosts.allow + - Creation Admin Privilege for use of upscmd & upsrw + - Remove obsolete directives {allowfrom} + - Access property created (default value is 'localhost') + - Remove obsolete directives {ACL,ACCEPT,REJECT} and switch to LISTEN + in /etc/ups/upsd.conf + - Allow NUT in /etc/hosts.allow and in /etc/services + Code change from Daniel B. + - Revert the patch e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch + - Duplicate hostnames with different IP are not used, a warn in log is printed + - The server hostname can not be used by a dhcp client, a warning in log is printed + - Changed the name of /tmp/dhcpd.leases to /tmp/tmpdhcpd.leases + when the dhcpd lease is modified + - Do template-expand of /var/service/tinydns/root/data + - Do sigus1 of dhcp-dns & dnscache + - Forked DHCPparse for parsing the end of lease and remove old entry of dnscache + - Require perl-Text-DHCPparse removed + - Timestamp added in tinydns, the entry in dnscache is cleared when the lease is over + - Add new feature 'Parse dhcpd.leases and feed to tinydns' + - e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch + made from the solution of Stefano Zamboni + - Make slapd service an alias for ldap + - Switched to sysvinit from systemd (it's rhel-6) + - Fixed license tag Related: rhbz#632853 + - pptpd New version + - Dropped pppd-unbundle patch (upstreamed) + - Various fixes according to Fedora review Related: rhbz#632853 + - Modified for Fedora Resolves: rhbz#632853 + - Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252 + - Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the + CVE-2012-3478 and CVE-2012-2252 fixes. + - Updated makefile.patch to preserve RPM CFLAGS. + - Added command-line-error.patch (from Debian), correcting error message + generated when insecure command line option is used (CVE-2012-3478 fix + regression). + - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + - Add patch for rsync3 compat (#485946) + - Update runit to 2.1.2 + - Remove now uneeded obsolete directives + - Remove openssl from the Exclude list of centos repo + - Add a default Yum db property for check4contribsupdates + - Added a check-update for the smecontribs repository + - Move protected package list to the correct location General features ================ +- Based on CentOS 6.7 and all available updates -- Based on CentOS 6.4 and all available updates - -$Id: README.txt,v 1.3 2013/10/05 05:06:26 wellsi Exp $ - - - - - +Terry Fage +On behalf of the SME Server development team