--- cdrom.image/sme9/README.txt 2014/06/21 03:44:45 1.13 +++ cdrom.image/sme9/README.txt 2015/03/27 08:09:11 1.14 @@ -1,10 +1,10 @@ -SME Server 9.0 Release Notes -============================ +Koozali SME Server 9.1 Beta 1 Release Notes +==================================== -21st June 2014 +27th March 2015 -The SME Server development team is pleased to announce the release of -SME Server 9.0 which is based on CentOS 6.5. +The Koozali SME Server (SME Server) development team is pleased to announce +the release of SME Server 9.1 Beta 1 which is based on CentOS 6.6. Bug reports and reports of potential bugs should be raised in the bug tracker (and only there, please); @@ -14,8 +14,8 @@ tracker (and only there, please); Download ======== -You can download SME Server 9.0 from -http://mirror.contribs.org/smeserver/releases/9/iso/x86_64/ +You can download SME Server 9.1 Beta 1 from +http://mirror.contribs.org/smeserver/releases/testing/9.1.beta1/ or for other methods see http://wiki.contribs.org/SME_Server:Download Please note it may take up to 48 hours for mirrors to finish syncing, @@ -36,10 +36,12 @@ However, the availability and quality of meeting our expenses, such as hosting costs, server hardware, etc. As such, we ask for a donation to offset costs and fund further development. + a) If you are a school, a church, a non-profit organisation or an individual using SME Server for private purposes, we would appreciate you to contribute within your means toward the costs associated with hosting, maintenance and development. + b) If you are a company or an integrator and you are deploying SME Server in the course of your work to generate revenue, we expect you to make a donation commensurate with the level of revenue you generate and the number of servers @@ -51,307 +53,200 @@ Koozali Inc is happy to supply an invoic simply email treasurer@koozali.org -Chris Burnat -============ - -It is with the deepest regret we have to inform you that on Wednesday 11th June -Chris Burnat passed away. He was one of the most ardent supporters of -Koozali SME Server and we all owe him an enormous debt of gratitude. - -We dedicate this release of SME Server 9.0 to Chris. -Without him it would be nowhere near ready. If you download and use it, -please remember him and his work, and that of all the other contributors -who work tirelessly to make Koozali SME as good as it is. - -We extend our thoughts and deepest sympathies to his family. - - Notes ===== -In-place upgrades are not supported. It is necessary to backup and then restore. +In-place upgrades from SME 8.x are not supported. It is necessary to backup +and then restore. /boot partition is always RAID 1. The spare handling for RAID arrays is not implemented. -USB installs are now supported, see: +USB installs are now supported, see: http://wiki.contribs.org/Install_From_USB#SME_Server_9 + Changes in this release ======================= -Only the changes since SME Server 9.0 Alpha 3 are listed, mainly +Only the changes since SME Server 9.0 are listed, mainly autogenerated from the changelogs. Packages altered by Centos, Redhat, and Fedora-associated developers are not included. + Backups ------- -- Workstation Backup, do not exclude dar files by default - in line with console backup. -- Workstation Backup, fix selective restore by requesting array - of results from CGI.pm. -- Workstation Backup, new method to show files being restored is needed - when using dar 2.4. -- Simplify the workstation backup report. -- Workstation Backup, count backup sets from 1. -- Update the text in the Backup panel. -- Allow more time for cifs mounts before reporting errors. -- Dar updated to 2.4.10. -- Workstation Backup, add a choice to delete old backup before or after - backup. -- Workstation Backup, remove temporary directory on success. -- Refactor directory tree creation and removal. -- Workstation Backup, inconsistent formatting of host share name in messages. -- Workstation Backup, more reliable catalog creation. -- Workstation Backup, report cifs mount errors. -- Workstation Backup, do not access /proc/mounts -- Incremental backup fix. -- Workstation Backup, allow spaces in the backup destination. - Includes fix for disk usage broken with spaces. -- Desktop Backup, allow user setting of compression level. -- Use Wake on LAN before starting Backup with DAR. -- NFS syntax is deprecated for CIFS mount. -- Require cifs-utils and use UNC paths for cifs mount. -- Improve text in console backup for success and failure. -- Console USB Backup, allow user setting of compression level. - Compression level of the console backup is now -6 by default. -- Patch to exclude trying to backup aquota.* files so that backups to tape - will succeed. -- Update to the latest version of console restore. -- Boostrap console should only offer restore if no password set. -- Delete items from dar catalog in descending order -- Minor non-functional updates based on PerlCritic and review comments -- Move console backup to e-smith-backup -- Workstation Backup, selective restore of deleted files -- Remove migrate fragment 30vfstype -- Workstation Backup, Don't delete old sets, only empty them. -- Workstation Backup, Mail and WOL now subroutines -- Workstation Backup, remove the need for a temporary directory, updated. -- Workstation Backup, backupname includes seconds. -- Simplification of the time routines. -- Workstation Backup, remove the need for a temporary directory. -- Allow configuration of workstation backup if no removable disk present -- Create simplified function for updating the DarCatalog -- Workstation Backup, do not create folder in / -- Workstation Backup, suppress ctime error message on incremental backups - + - dar add pkgconfig + - dar new upstream version + - Workstation Backup, do not fail backup for mtime/ctime mismatch + - Change the sub checkMount() to findmnt Ian Wells + - Add requires nfs-utils + - The nfs service is neither started or allowed to start + - Don't remove the apache group during restore -File Server ------------ -- Also remove the empty template-begin file in pam.d/proftpd templates. -- Remove unused pam templates. -- Replace vfs_shadow_copy with vfs_shadow_copy2 for shadow snapshots. -- Add template for wide links. -- Add templates for max protocol. -- Add support for Windows 8 domain joining & user login. -- Add windows network performance enhancements registry file. -- Update default ServerName in 30smbServerName -- Add ability to configure waiting for network Win7 registry option. -- Change default Workgroup and Domain to sme-server. -- Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint - authentication. -- Replace vfs_shadow_copy with vfs_shadow_copy2 for shadow snapshots. -- Remove 20smb as migrating from pre-SME7 is not supported -LDAP (Optional in SME 9.0, and considered experimental) +LDAP ---- -- Adjust slapd ACL to change dn.subtree to dn.children. + - Make pdbedit output independent from locale and timezone so it can be + parsed + - Symlink /etc/init.d/ldap to /usr/bin/sv + - Chown all DB files to ldap before staring slapd + - Set checkpoint in slapd.conf instead of DB_CONFIG + - Stop ldap on shutdown (rc0 and rc6) + - Don't overwrite the ldif dump if slapcat's output is empty + (code from Charlie Brady) + - Run db_recover on startup + - Don't wipe LDAP DB when the ldif dump is empty Localisation ------------ -- Latest translations included. + - apply locale 2015-03-14 patch from pootle + - apply locale 2014-12-25 patch from pootle Mail Server ----------- -- Only present one auth method at a time, in order, to NET::SMTP. -- Remove limit properties from the imaps DB entry. -- Apply process limits to dovecot. -- Include /usr/bin/refreshclam -- Allow webmail-only-local-network. -- Fix handling of messages with no body and no trailing \n after - headers (eq was used in attempted assignment). -- Fetchmail multidrop mode follows TCPPort setting. -- Always enable imap, listen on loopback is disabled. -- Avoid use of unitialised variables in smtp migrate fragments. -- Simplify qmail concurrency templates. -- Modify domain style pseudonym pointing to user with dot in name. -- Accept messages with no body and no trailing \n after headers. -- Fix Net::DNS update breaks qpsmtpd. -- allows the spamassassin plugin to read the size limit from its - arguments -- Move clamscan scheduling to complete before 99-raid-check. -- Listen on loopback if disabled. -- Fix permissions on imapd.pem as it's used by pop3s. -- Do not obsolete bglibs, it's required for cvm. -- Allow plaintext (unless explicitly disabled). -- Do not obsolete cvm, it's still needed for qpsmtpd. -- Fix size_limit initialization. -- reads MaxMessageSize prop of spamassassin and adds it - to the arguments of the plugin if defined. -- Requires e-smith-cvm-unix-local. -- Load TextCat plugin if ok_languages is enabled. -- Fix how qpsmtpd tags spam email. -- Remove Packager and Vendor from spec file. -- Revert last change. -- Sources are local, do not download them. -- Updates to release 0.98.1 -- Handle exceptions during attempted SASL auth. Add more debug tracing. -- Remove DENYSOFT on SPF softfail -- Remove insecure ciphers -- Remove workarounds for how qpsmtpd tags spam email -- Fix whitespace in 10required_score -- Update SBL and RBL Lists + - ClamAV Updated to release 0.98.6 + - Add new zip file signatures to default mailpatterns database : ZIPVOSX & ZIPV3 + - Disable fips mode on stunnel + - Use stunnel instead of sslio to support TLS + - Revert forcing TLSv1 patch as it breaks some inbound delivery + - Revert whitelist_soft dnsbl as it hasn't been verified yet and we need to + push the fix for TLSv1 + - Modify whitelist_soft transaction to interact with dnsbl filter + by John Crisp + - Force usage of TLSv1 + - Increase MemLimit to 700M for clamav-0.98 + - Allow custom passdb args + - allow IP relayclient stored by DB + Code from Stefano ZAmboni + & Charlie Brady -Server manager +PHP -------------- -- Renew donation text in server-manager. -- Do not load mod_ssl. -- Remove log noise from Create starter web site panel. -- Add security fix for CVE-2013-4113. -- Renew donation text and graphic in server-manager. -- Update footer copyright and renew full copyright text. -- Change wording of Software Update button. -- Roll new stream to remove obsolete images -- Remove references to obsolete images, by Stephane de Labrusse -- Fix new starter website. -- Update location of Primary index.html. - -Webmail and Groupware ---------------------- -- Allow webmail-only-local-network. -- Don't use SSL over loopback. -- Replace last change with a default value for horde access -- Ensure initialisation of variables in webmail-only-local-network. + - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 + - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 + - core: fix integer overflow in unserialize() CVE-2014-3669 + - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 + - spl: fix use-after-free in ArrayIterator due to object + change during sorting. CVE-2014-4698 + - spl: fix use-after-free in SPL Iterators. CVE-2014-4670 + - gd: fix NULL pointer dereference in gdImageCreateFromXpm. + CVE-2014-2497 + - fileinfo: fix incomplete fix for CVE-2012-1571 in + cdf_read_property_info. CVE-2014-3587 + - core: fix incomplete fix for CVE-2014-4049 DNS TXT + record parsing. CVE-2014-3597 + - core: type confusion issue in phpinfo(). CVE-2014-4721 + - date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712 + - core: fix heap-based buffer overflow in DNS TXT record parsing. + CVE-2014-4049 + - core: unserialize() SPL ArrayObject / SPLObjectStorage type + confusion flaw. CVE-2014-3515 + - fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270 + - fileinfo: unrestricted recursion in handling of indirect type + rules. CVE-2014-1943 + - fileinfo: out of bounds read in CDF parser. CVE-2012-1571 + - fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479 + - fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480 + - fileinfo: cdf_unpack_summary_info() excessive looping + DoS. CVE-2014-0237 + - fileinfo: CDF property info parsing nelements infinite + loop. CVE-2014-0238 + - add php_get_module_initialized internal function (#1053301) + - soap: fixRFC2616 transgression (#1045019) + - fix static calling in non-static method (#953786) + - fix autoload called from closing session (#954027) + - drop unneeded part of CVE-2006-724.patch and fileinfo.patch + extension not provided or git binary patches (#1064027) + - odbc: fix incompatible pointer type (#1053982) + - mysqli: fix possible segfault in mysqli_stmt::bind_result + php bug 66762 (#1069167) + - mysql: fix php_mysql_fetch_hash writes long value into int + php bug 52636 (#1054953) Web Server ---------- -- Force magic_quotes Off. -- Remove insecure ciphers + - Disable SSLv3 + - Turn SSLEngine on in the SSL vhost (ProxyPassVirtualHosts) + - Remove obsolete gpc_order setting from php.ini. + - Add an upload_tmp_folder setting by db command + Thanks to Michael McCarn and Jean-philippe Pialasse Other fixes and updates ----------------------- -- Add ssh-autoblock for external interface. - See: http://wiki.contribs.org/AutoBlock -- Do not hardcode NIC names to eth0 and eth1. -- Return nic names in probeAdapters so we can drop HWAddress. -- Remove HWAddress prop from interfaces. -- Remove the "swap interface" feature. -- Remove obsolete VLAN code. -- Load the bonding module if NIC bonding is enabled. -- Define the udev-post service in the DB. -- Provide the ability to restrict ibay access to http. -- Restart rsyslog in logrotate event. -- Set smb ServerName if unset. -- Don't reload init in bootstrap-console-save and console-save. -- Fix add_new_disk_to_raid1. -- Provide the ability to force https per ibay. -- Add an audit for groups. - See: http://wiki.contribs.org/Audit_Tools#groups-users -- Update the full names of users added in %pre. -- Fix uid and gid to be the same for the users added in %pre. -- Changed Prereq to Requires(pre) as Prereq is deprecated. -- Patch to correct issue with not being able to access a password protected - ibay. -- Update ServerName (Samba netbios name) when SystemName is updated. -- Remove old System Name from the Hosts DB. -- Fix group creation when LDAP auth is enabled. -- Disable IPv6 on a default install. -- Continue escaping control chars in rsyslog, just replace LF with space. -- Use UTF-8 in the console. -- Remove redundant parts of init-accounts. -- Add_template_to_ssl.pem, codes by JP Pialasse. -- Require diald. -- Removal of rc.e-smith now functionality is in e-smith-service. -- Replacement of rc.e-smith by moving code into e-smith-service. -- Fix the way '.' works in bash. -- rename /etc/ldap.conf to /etc/pam_ldap.conf (and same for .secret). -- Always define InternalInterface NICBonding. -- In the console refer to removable media instead of USB disk. -- Fix a few more syslog => rsyslog items. -- Remove modprobe stuff. -- Don't be as agressive on rate limiting. -- Change syslog templates to rsyslog. -- Ensure existing_hwaddr is always initialized. -- Change System Name from mitel-networks-server to sme-server. -- Patch to remove symlink to Primary ibay from /home/e-smith/files/primary. -- Patch to correct issue with not being able to access a password protected - ibay. -- Correctly display accented letters in the console. -- Add e-smith as a Requires(pre) and remove adding users in %pre. -- Fix uid and gid to be the same in create-system-user. -- Ignore mysql.event table. -- Use --single-transaction in mysql-dump-tables. -- Use mysql_upgrade instead of fix_privilege_tables. -- Increase memory limit for ntp. -- Make rsyslog listen to our socket. -- Remove rc.quota_create. -- the config file is radiusclient.conf, not radiusclient-ng.conf. -- Add templates for radiusclient-ng.conf file to remove binaddr - directive. -- Add directive to options.pptpd so that radius plugin can find the - radiusclient configuration file.. -- Fix permissions of /etc/radiusclient-ng/servers. -- Add hack for running rc7.d script during runlevel 4. -- Apply SME Server config file changes to pwauth. -- Fix libgomp obsoletes to not obsolete el6 version. -- Change order of mail options in check4updates. -- Fix parsing issues with "manage RAID" menu option in the console. -- Remove SSH v1 legacy support. -- Support nolvm boot option. -- Create degraded RAID1 array with single disk install. -- nodmraid is the default for SME 9.0 installs. -- Give more time to the grub menu. -- Update installer hard drive warning. -- Customize confirmation dialogs during fresh install. -- Run installer in 'text' mode. -- Roll new stream to really remove obsolete images -- Roll new stream to remove obsolete images -- Move console backup to e-smith-backup -- Remove support.pl from e-smith-base and move to smeserver-support -- Console restore should reboot -- Boostrap console should only offer restore if no password set -- Add restore backup as a console item for freshly installed servers -- Non-code changes to perform_restore.pm -- Refer to removable media not CDROM in console restore -- Remove insecure SSL ciphers -- Add more PHP options to ibays only by db commands. - See: http://wiki.contribs.org/DB_Variables_Configuration -- Add SSLRequireSSL to ibays when SSL is set to enabled -- Force https per ibay should not be the default for existing ibays -- Add textbox() to console.pm, getLicenseFile to util.pm -- Update frame header and footer -- Use mysql_upgrade in 00_restore_dumped_dbs, by Terje Edseth -- Use mysql_upgrade --force due to upgrade to MySQL 5.1 -- Prevent server being used in NTP amplification attacks. -- Code by Jesper Holck -- Modify template to allow Squid proxy https access to ports other than - 443,563 using db command. - See: http://wiki.contribs.org/DB_Variables_Configuration -- Add -n 1 to the dmesg line in rc.sysinit to prevent unwanted messages - appearing on the console -- Correct offest in runlevel7 patch to avoid .orig file -- Remove CentOS Branding patch -- Add logcheck to help analyse errors in the log files -- Roll new stream to remove obsolete images -- Move support.pl from e-smith-base to smeserver-support -- The console license page now uses dialog's textbox. -- Ensure console is run with taint checking. -- Add a verification in the console of number of pptp clients against ip allowed in dhcpd -- Add a verification in remoteaccess panel of number of pptp clients against ip allowed in dhcpd -- Display a warning with the domain name before to remove it. -- Move mysql logging to multilog -- Remove the information_schema -- Fix error with flush of xt_recent SSH connections. -- Add option to tcpsvd to set socket keepalive. + - When quiting the console app with unsaved changes set the default selected + answer to NO + - Added a comment to specify the real configuration file of dhcpd + - Modified the patch of daniel e-smith-base-5.6.0-ensure_apache_alias_www.patch + - Ensure www group exists and that apache is an alias of www + - Check where running runlevel 4, not 7 in service wrapper + - Correctly update NIC configuration on single NIC systems + - Symlink udev-post service in rc7 + - Fix PPPoE after a post-upgrade + - Remove dependency on microcode_ctl + - Prevent emailing about the normal, weekly, checks of RAID arrays, by Mark Casey + - Don't claim to own /sbin and /sbin/e-smith + - Add an upload_tmp_folder setting by db command + Thanks to Michael McCarn and Jean-philippe Pialasse + - the folder /tmp is created by the event init-ibays + - the event ibay-modify create/chown/chmod the folder /tmp + - Add an upload_tmp_folder setting by db command + Thanks to Michael McCarn and Jean-philippe Pialasse + - Force SSL following ibays settings to the relevant domain + - Perl::critic syntax modifications + - Add more PHP options to ibays only by db commands + - Add SSLRequireSSL to ibays when SSL is set to enabled + - Allow the admin upsd in /etc/hosts.allow + - Creation Admin Privilege for use of upscmd & upsrw + - Remove obsolete directives {allowfrom} + - Access property created (default value is 'localhost') + - Remove obsolete directives {ACL,ACCEPT,REJECT} and switch to LISTEN + in /etc/ups/upsd.conf + - Allow NUT in /etc/hosts.allow and in /etc/services + Code change from Daniel B. + - Revert the patch e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch + - Duplicate hostnames with different IP are not used, a warn in log is printed + - The server hostname can not be used by a dhcp client, a warning in log is printed + - Changed the name of /tmp/dhcpd.leases to /tmp/tmpdhcpd.leases + when the dhcpd lease is modified + - Do template-expand of /var/service/tinydns/root/data + - Do sigus1 of dhcp-dns & dnscache + - Forked DHCPparse for parsing the end of lease and remove old entry of dnscache + - Require perl-Text-DHCPparse removed + - Timestamp added in tinydns, the entry in dnscache is cleared when the lease is over + - Add new feature 'Parse dhcpd.leases and feed to tinydns' + - e-smith-tinydns-2.4.0_add_hostname_following_dhcpdleases_hostname.patch + made from the solution of Stefano Zamboni + - Make slapd service an alias for ldap + - Switched to sysvinit from systemd (it's rhel-6) + - Fixed license tag Related: rhbz#632853 + - pptpd New version + - Dropped pppd-unbundle patch (upstreamed) + - Various fixes according to Fedora review Related: rhbz#632853 + - Modified for Fedora Resolves: rhbz#632853 + - Update to upstream version 2.3.4, which fixes CVE-2012-3478 and CVE-2012-2252 + - Updated rsync-protocol.patch to fix CVE-2012-2251, and to apply on top of the + CVE-2012-3478 and CVE-2012-2252 fixes. + - Updated makefile.patch to preserve RPM CFLAGS. + - Added command-line-error.patch (from Debian), correcting error message + generated when insecure command line option is used (CVE-2012-3478 fix + regression). + - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + - Add patch for rsync3 compat (#485946) + - Update runit to 2.1.2 + - Remove now uneeded obsolete directives + - Remove openssl from the Exclude list of centos repo + - Add a default Yum db property for check4contribsupdates + - Added a check-update for the smecontribs repository + - Move protected package list to the correct location + General features ================ -- Based on CentOS 6.5 and all available updates - +- Based on CentOS 6.6 and all available updates -Ian Wells +Terry Fage On behalf of the SME Server development team -$Id: README.txt,v 1.12 2014/06/18 15:14:22 wellsi Exp $