forked from fedora-infra/fas
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
187 lines (160 loc) · 6.29 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
====
NEWS
====
:Authors: Ricky Zhou, Mike McGrath, Toshio Kuratomi, Patrick Uiterwijk,
Ricky Elrod, Xavier Lamien
:Date: 08 May 2013
:Version: 0.8.18
-------
0.10.2
------
* Fix Downgrade members function (github #82).
* fasClient: load config as rawConfig.
* fasClient: Add username to ssh_command string.
-------
0.10.0
-------
* Add support for group moderator.
* Update FPCA license with new Red Hat mailing address.
* fasClient:
* Add initgroups entries format while building group.db
* Improve logger system.
* Add option to manage verbosity.
------
0.9.0
-----
* Add pkgdb2 support.
* Link GPG's keys to key.fedoraproject.org.
* Update helps infos balloon.
* Improve GPG key validation.
* Notify addresses from export-bugzilla script.
* Add hyperlink to privacy policy.
------
0.8.18
------
* Fix the human name heuristic to work with non-ascii characters
------
0.8.17
------
* **Security fix** Plugged an information leak in the /group/view method.
The /group/view url contains a list of users who have applied but are not yet
sponsored into a group. If the information from this url was retrieved as
JSON data instead of HTML this list of unsponsored users could include
private data. This includes hashed or encrypted authentication tokens (the
user's password and the user's security question respectively) as well as
information that FAS would normally hide if the user had set the privacy flag
on their account.
The security answer has always been gpg encrypted. The user's password has
been hashed with sha512 since version 0.8.9. Prior to that, it was hashed
with md5 (both using glibc's salted crypt function). The other data shown is
in plain text.
Sites running fas are strongly encouraged to either upgrade
to this version or apply the patch to fas/group.py from:
https://github.com/fedora-infra/fas/issues/21
* Fix a fpca signing bug
------
0.8.16
------
* Emit some more fedmsg events when changes occur to a user's account
* Fix fedmsg messages using nested dicts -- use the toplevel if there's only a
single value to be more compatible with the data returned from other services.
* Fix traceback in selinux when creating homedirs in fasClient
* Fix 500's error from group edit if no group_type has been set.
* Fix changing a user's email address before the address is verified
* Remove a case where openid login can result in being logged in as someone
else. This unfortunately breaks yadis but we're going to move to having
openid functionality in a second application so this is a stop gap until that
is deployed https://github.com/fedora-infra/fas-openid
* Show security question's status from user/view's page.
------
0.8.15
------
* Update translations
---------
0.8.14.91
---------
* Add a patch from ctria (see infra #3027) for checking passwords against
libpwquality. (Ricky Elrod)
---------
0.8.14.90
---------
* Show the content of the group if there are less than 10 people in
it. (Pierre-Yves Chibon)
* Add a place where the user is able to add their blog to the
planet. (Pierre-Yves Chibon)
* Added differing colors of headers for differing types of deployment.
(Patrick Uiterwijk)
------
0.8.14
------
* Added Security questions, with encrypted answers (Patrick Uiterwijk).
------
0.8.13
------
* Added fedmsg message publishing hooks (Ralph Bean).
------
0.8.12
------
* Added human name check requested in ticket #654. Modified regular expression
to not only check for missing section of full name (last or first), but avoid
potential false positives from users entering a middle initial.
(Fraser S. Gutteridge)
------
0.8.11
------
* Added feature to allow for email address or username at login (Ian Cole)
* JSON API: If the "/fpca/reject" method encounters an error talking to the
database the error is now categorized as DBAPIError instead of
sqlalchemy.SQLError. python-fedora should not be calling this method.
(Adam M. Dutko)
* fas/configs.py: set() now returns DBAPIError instead of SQLError on database
save error. (Adam M. Dutko)
* Implement the audio captcha, gives access to an audio file 'speaking' the
content of the captcha. (Pierre-Yves Chibon)
------
0.8.10
------
* Update user template to show "Invalid" if a password field is '!!'
(which means that an administrator has removed the password otherwise
it would be a password hash).
* Update home template so that resetpass link works whether or not the URL of
the home page had a trailing slash.
* Bugfix: When a user reset their password via the forgot password page, the
check for whether the user was changing to the current password was broken.
Fixed so that the current password is not allowed as the new password.
-------
0.8.9.1
-------
* **Important fix** The new password strength checking code was letting users
set empty passwords. This release fixes it.
.. warning::
The 0.8.9 release includes a validator for password strength checking.
This validator was not run if the user did not enter a password. This
allowed users to enter blank passwords. If you ran the password strength
checking code either from the brief time when the 0.8.9 release was
available or from snapshots of the code, you should check that none of your
users set empty passwords.
-----
0.8.9
-----
* Add password strength checking
* Add a forgot password link to the front page
* New, easier to use captcha!
* Mention that usernames must be ASCII (Adam M. Dutko)
* In the public key tooltip, mention users can upload multiple ssh keys to FAS. (Adam M. Dutko)
* No longer show that vacation is a valid status (Adam M. Dutko)
* Add the ability to remove one's ssh key
* Fix python-fedora deprecation warnings
* Now pulling translations from transifex.net
* Switch to using openssl's random functions if available
* Use glibc's sha512 crypt hashes when crypting passwords
* Fix to fasClient to drop privileges before writing out user's SSH key
* Make the webmaster mail configurable (Adam Dutko)
* Fix /user/list not returning any people who have not signed the CLA
* Fix for newer GeoIP data
* Fix a traceback when disabling invite_only
* Fix for locale setting
* Fix when calling selinux functions in fasClient
* Split the README into README, HACKING and INSTALL files. (Adam M. Dutko)
* Add a parameter to /group/list to allow returning the group information
without members. (Adam M. Dutko)