[cyber] I: p10/branch packages: +2 (18975)

[QA Team Robot <qa@altlinux.org>]

	2 UPDATED packages

sssd - System Security Services Daemon
* Tue Dec 10 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.6-alt3
- Fix typo in sss_ec_get_key() for OpenSSL older than 3.0.
* Sat Dec 07 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.6-alt2
- Add postponed restart of sssd services (closes: 52364).
* Fri Dec 06 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.6-alt1
- Update to latest 2.9 LTM release:
  + The DoT for dynamic DNS updates is supported now. It requires new version of
    nsupdate from BIND 9.19+. The dyndns_server option is extended so it can be
    in form of URI (dns+tls://1.2.3.4:853#servername). New set of options:
    dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key allows to
    configure DNS-over-TLS communication.
  + The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.
* Mon Dec 02 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.5-alt2
- Update to latest 2.9 LTM release with fixes from upstream:
  + dyndns: collect nsupdate debug output.
  + ldap_child: make sure invalid krb5 context is not used (GitHub#7715).
  + CLIENT: don't try to lookup `getservbyport(0, ...)`
  + OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
  + pam_sss: add some missing cleanup calls.
  + ipa: Check sudo command threshold correctly
  + ssh: do not use default_domain_suffix
  + build: unbreak detection for x400Address
- cert util: add support build with OpenSSL older than 3.0
* Tue Oct 29 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.5-alt1
- Update to latest 2.9 LTM release (fixes: CVE-2023-3758) (closes: 51860).
- Add sssd-dbus to Requires for sssd-tools (due the InfoPipe responder using).
- Major fixes from upstream (GitHub#5708, GitHub#7109, GitHub#7152, GitHub#7173,
                             GitHub#7197, GitHub#7250, GitHub#7319, GitHub#7375)
  + SSSD incorrectly works with AD GPO during user login (fixed a race
    condition flaw in GPO policy application).
  + gdm smartcard login fails with "system error 4" in case of multiple
    identities.
  + passkey cannot fall back to password, when both of user authentication
    types configured for IPA user even when user intends to do so.
  + AD users are unable to log in due to case sensitivity of user because the
    domain is found as an alias to the email address.
  + Errors in krb5_child.log every time a user authenticates:
    "Pre-authentication failed: No pkinit_anchors supplied".
  + SSSD is not fully registering the domains if the cache is empty (refresh
    root domain when read directly).
  + PAC and PAM responders can crash if backend takes too long time to process
    getDomains() (use proper context if client disconnects before request is
    completed).
  + Add option 'failover_primary_timeout' to configure timeout to reconnect to
    primary servers: minimum and default value in seconds is 31.

- Major backported fixes from upstream (GitHub#7451, GitHub#7404, GitHub#7007,
                                        GitHub#5418, GitHub#7456, GitHub#7462,
                                        GitHub#5861, GitHub#7532, GitHub#7590,
                                        GitHub#7590, GitHub#7642)
  + sysdb: do not fail to add non-posix user to MPG domain (e.g. cause issues
    during GPO evaluation when adding a host account).
  + enhance 'soft_crl' option (revoked certificate will now be rejected if the
    CRL is expired even if 'soft_crl' is set).
  + pam_sss: fix passthrow of old authtok from another pam modules (issue in
    case of using 'use_first_pass' parameter when we need to get old password
    from another module) at PAM_PRELIM_CHECK.
  + krb5_child: do not try passwords during two-factor authentication.
    It should use use the dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and
    SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or other
    types.
  + Expose flat_name (file.file palceholder) for use in homedir path also for AD
    subdomains.
  + cert util: replace deprecated OpenSSL calls (replaces them if OpenSSL 3.0 or
    newer is used).
  + pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'.
  + sdap: allow to provide user_map when looking up group memberships of other
    objects similar to user objects but with different attribute mappings, e.g.
    host objects in AD.
  + ad: use default user_map when looking of host groups for GPO (to determine
    the group memberships of a host for GPO evaluation).
  + ad: honor ad_use_ldaps setting with ad_machine_pw_renewal passed as
    '--use-ldaps' argument to the adcli update command which handles the
    automatic renewal of AD machine account password.
  + Add missing 'dns_update_per_family' option (whether DNS update of A and AAAA
    record should be performed in one update or in two separate updates).
* Fri Mar 15 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.4-alt2
- Update 2.9 major release with fixes from upstream:
  + Fix the build with Samba 4.20.
  + IFP: don't trigger backtrace in case of ACL check fail.
  + krb5_child: fix order of calloc arguments.
  + pam: fix SC auth with multiple certs and missing login name.
* Wed Jan 17 2024 Evgeny Sinelnikov <sin@altlinux> 2.9.4-alt1

xfce4-smartbookmark-plugin - Smart bookmarks for the Xfce panel
* Thu Dec 26 2024 Mikhail Efremov <sem@altlinux> 0.5.3-alt1
- Updated to 0.5.3.
* Thu Oct 03 2024 Mikhail Efremov <sem@altlinux> 0.5.2-alt2
- Fixed build: added intltool to BR.
* Thu Dec 24 2020 Mikhail Efremov <sem@altlinux> 0.5.2-alt1

Total 18975 source packages.