From d549f863e2589a3cfe2245404ae574ad981a8ca656c6b13d39bb34d213f0f74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Str=C3=B6der?= Date: Thu, 25 Jul 2019 12:39:20 +0000 Subject: [PATCH 1/2] Accepting request 718342 from home:stroeder:branches:network:ldap - Update to upstream release 2.4.48 with security fixes: * CVE-2019-13057 (ITS#9038): rootdn of any db can assert any identity * CVE-2019-13565 (ITS#9052): Unauthorized access caused by incorrect handling of SASL SSF values - Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream (see also bsc#1073313, comment #36) - Removed obsolete patches: * 0002-openldap-its8727-plug-ber-leaks.patch * 0017-Fix-segfault-in-nops.patch Note that I disabled slapo-nops instead of rebasing 0017-Fix-segfault-in-nops.patch which is somewhat debatable. You can take it or leave it. OBS-URL: https://build.opensuse.org/request/show/718342 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=247 --- 0002-openldap-its8727-plug-ber-leaks.patch | 26 --------- 0017-Fix-segfault-in-nops.patch | 35 ----------- openldap-2.4.47.tgz | 3 - openldap-2.4.48.tgz | 3 + openldap2.changes | 67 ++++++++++++++++++++++ openldap2.spec | 12 +--- 6 files changed, 73 insertions(+), 73 deletions(-) delete mode 100644 0002-openldap-its8727-plug-ber-leaks.patch delete mode 100644 0017-Fix-segfault-in-nops.patch delete mode 100644 openldap-2.4.47.tgz create mode 100644 openldap-2.4.48.tgz diff --git a/0002-openldap-its8727-plug-ber-leaks.patch b/0002-openldap-its8727-plug-ber-leaks.patch deleted file mode 100644 index 9b1ec2d..0000000 --- a/0002-openldap-its8727-plug-ber-leaks.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Tue, 17 Jan 2017 11:35:54 +0000
-Subject: ITS#8727 plug ber leaks
-
-
-diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
-index 31145432f..7d2d7a458 100644
---- a/libraries/libldap/request.c
-+++ b/libraries/libldap/request.c
-@@ -315,6 +315,7 @@ ldap_send_server_request(
- LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
- if ( rc == -1 ) {
- ld->ld_errno = LDAP_ENCODING_ERROR;
-+ ber_free( ber, 1 );
- LDAP_CONN_UNLOCK_IF(m_noconn);
- return rc;
- }
-@@ -334,6 +335,7 @@ ldap_send_server_request(
- rc = -1;
- }
- if ( rc ) {
-+ ber_free( ber, 1 );
- LDAP_CONN_UNLOCK_IF(m_noconn);
- return rc;
- }
diff --git a/0017-Fix-segfault-in-nops.patch b/0017-Fix-segfault-in-nops.patch
deleted file mode 100644
index 7a6adc8..0000000
--- a/0017-Fix-segfault-in-nops.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
-index 54c24682a..06945d811 100644
---- a/servers/slapd/overlays/memberof.c
-+++ b/servers/slapd/overlays/memberof.c
-@@ -360,10 +360,16 @@ memberof_value_modify(
- unsigned long opid = op->o_opid;
- SlapReply rs2 = { REP_RESULT };
- slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
-- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
-- struct berval values[ 4 ], nvalues[ 4 ];
-+ Modifications *mod, *ml;
-+ struct berval *values, *nvalues;
- int mcnt = 0;
- 
-+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
-+ memset(mod, 0, 2 * sizeof(Modifications));
-+
-+ values = (struct berval*)malloc(4 * sizeof(struct berval));
-+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
-+
- op2.o_tag = LDAP_REQ_MODIFY;
- 
- op2.o_req_dn = *ndn;
-@@ -493,6 +499,11 @@ memberof_value_modify(
- /* restore original opid */
- op->o_opid = opid;
- 
-+
-+ slap_mods_free( mod, 0 );
-+ free(values);
-+ free(nvalues);
-+
- /* FIXME: if old_group_ndn doesn't exist, both delete __and__
- * add will fail; better split in two operations, although
- * not optimal in terms of performance. At least it would
diff --git a/openldap-2.4.47.tgz b/openldap-2.4.47.tgz
deleted file mode 100644
index e5946a3..0000000
--- a/openldap-2.4.47.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f54c5877865233d9ada77c60c0f69b3e0bfd8b1b55889504c650047cc305520b
-size 5699678
diff --git a/openldap-2.4.48.tgz b/openldap-2.4.48.tgz
new file mode 100644
index 0000000..356db9e
--- /dev/null
+++ b/openldap-2.4.48.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9523ffcab5cd14b709fcf3cb4d04e8bc76bb8970113255f372bc74954c6074d
+size 5704883
diff --git a/openldap2.changes b/openldap2.changes
index 7cf9d2f..7c37f82 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder
+
+- Update to upstream release 2.4.48 with security fixes:
+ * CVE-2019-13057 (ITS#9038):
+ rootdn of any db can assert any identity
+ * CVE-2019-13565 (ITS#9052):
+ Unauthorized access caused by incorrect handling of SASL SSF values
+- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
+ (see also bsc#1073313, comment #36)
+- Removed obsolete patches:
+ * 0002-openldap-its8727-plug-ber-leaks.patch
+ * 0017-Fix-segfault-in-nops.patch
+
+OpenLDAP 2.4.48 (2019/07/24)
+ Added libldap OpenSSL Elliptic Curve support (ITS#7595)
+ Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
+ Added slapd-monitor support for slapd-mdb (ITS#7770)
+ Fixed liblber leaks (ITS#8727)
+ Fixed liblber with partial flush (ITS#8864)
+ Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
+ Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
+ Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
+ Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
+ Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
+ Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
+ Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
+ Fixed libldap to correctly close TLS connection (ITS#8755)
+ Fixed libldap with non-blocking TLS and referals (ITS#8167)
+ Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
+ Fixed liblunicode case correspondance (ITS#8508)
+ Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
+ Fixed slapd config parser variable for Windows64 (ITS#9012)
+ Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
+ Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
+ Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
+ Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
+ Fixed slapd to initialize SASL SSF per connection (ITS#9052)
+ Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
+ Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
+ Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
+ Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
+ Fixed slapd-meta assertion when network interface goes down (ITS#8841)
+ Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
+ Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
+ Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
+ Fixed slapo-accesslog possible assert with exops (ITS#8971)
+ Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
+ Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
+ Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
+ Fixed slapo-memberof for group name change to itself (ITS#9000)
+ Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
+ Fixed slapo-rwm to not free original filter (ITS#8964)
+ Fixed slapo-syncprov contextCSN generation (ITS#9015)
+ Build Environment
+ Fixed slapd to only link to BDB libraries with static build (ITS#8948)
+ Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
+ Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
+ Documentation
+ General - Fixed minor typos (ITS#8764, ITS#8761)
+ admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
+ slapd.access(5) - Note MDB is the primary backend (ITS#8881)
+ slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
+ slapd-ldap(5) - Document starttls parameter (ITS#8693)
+ Contrib
+ Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
+
 -------------------------------------------------------------------
 Tue May 14 04:33:38 UTC 2019 - William Brown
diff --git a/openldap2.spec b/openldap2.spec
index a6da116..6d8fbe8 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -22,7 +22,7 @@
 %endif
 %define run_test_suite 0
-%define version_main 2.4.47
+%define version_main 2.4.48
 %if %{suse_version} >= 1310 && %{suse_version} != 1315
 %define _rundir /run/slapd
@@ -58,7 +58,6 @@ Source16: sysconfig.openldap
 Source17: openldap_update_modules_path.sh
 Source18: openldap2.conf
 Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
-Patch2: 0002-openldap-its8727-plug-ber-leaks.patch
 Patch3: 0003-LDAPI-socket-location.dif
 Patch5: 0005-pie-compile.dif
 Patch7: 0007-Recover-on-DB-version-change.dif
@@ -67,7 +66,6 @@ Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
 Patch11: 0011-openldap-re24-its7796.patch
 Patch15: openldap-r-only.dif
 Patch16: 0016-Clear-shared-key-only-in-close-function.patch
-Patch17: 0017-Fix-segfault-in-nops.patch
 Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201: %{name_ppolicy_check_module}.Makefile
 Source202: %{name_ppolicy_check_module}.conf
@@ -169,7 +167,6 @@ cloak
 denyop
 lastbind writes last bind timestamp to entry
 noopsrch handles no-op search control
-nops
 pw-sha2 generates/validates SHA-2 password hashes
 pw-pbkdf2 generates/validates PBKDF2 password hashes
 smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
@@ -256,7 +253,6 @@ gzip -k %{S:203}
 # Unpack and patch OpenLDAP 2.4
 %setup -q -a 9 -n openldap-%{version_main}
 %patch1 -p1
-%patch2 -p1
 %patch3 -p1
 %patch5 -p1
 %patch7 -p1
@@ -265,7 +261,6 @@ gzip -k %{S:203}
 %patch11 -p1
 %patch15 -p1
 %patch16 -p1
-%patch17 -p1
 cp %{SOURCE5} .
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@@ -312,7 +307,7 @@ export STRIP=""
 make depend
 make %{?_smp_mflags}
 # Build selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
 make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
@@ -356,7 +351,7 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
 # Additional symbolic link to slapd executable in /usr/sbin/
 ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
 # Install selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
 make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
@@ -589,7 +584,6 @@ fi
 %{_libdir}/openldap/autogroup.*
 %{_libdir}/openldap/lastbind.*
 %{_libdir}/openldap/noopsrch.*
-%{_libdir}/openldap/nops.*
 %{_libdir}/openldap/pw-sha2.*
 %{_libdir}/openldap/pw-pbkdf2.*
 %{_libdir}/openldap/denyop.*
From d40995658b7f4a3f6eb4315b65df0fb2ec333ef3ff7338dd402a7f8c77434c07 Mon Sep 17 00:00:00 2001
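Review bot: Dropping nops from the build and install loops and deleting `%{_libdir}/openldap/nops.*` from `%files` removes the module from existing installations on upgrade, but nothing in the spec deals with a slapd.conf or cn=config that still loads or stacks the nops overlay, so such an instance would presumably fail to start after the update until the operator edits the configuration. The changelog entry in openldap2.changes states that the overlay is disabled for CVE-2017-17740, which is the right place for that, but a one-line hint that existing configurations referencing nops must be adjusted would save support effort; the `Patch17` and `%patch17` removals in the earlier spec hunks are just the matching cleanup. If an automated migration is wanted it belongs in `%post` or a release note rather than a silent file removal.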
From: =?UTF-8?q?Michael=20Str=C3=B6der?= Date: Thu, 25 Jul 2019 12:57:50 +0000 Subject: [PATCH 2/2] Accepting request 718551 from home:stroeder:branches:network:ldap removal of SuSEfirewall2 service OBS-URL: https://build.opensuse.org/request/show/718551 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=248 --- SuSEfirewall2.openldap | 17 ----------------- openldap2.changes | 8 ++++++++ openldap2.spec | 4 ---- 3 files changed, 8 insertions(+), 21 deletions(-) delete mode 100644 SuSEfirewall2.openldap diff --git a/SuSEfirewall2.openldap b/SuSEfirewall2.openldap deleted file mode 100644 index e3fd802..0000000 --- a/SuSEfirewall2.openldap +++ /dev/null @@ -1,17 +0,0 @@ -## Name: OpenLDAP Server -## Description: Opens ports for the OpenLDAP Server (slapd). - -# space separated list of allowed TCP ports -TCP="ldap ldaps" - -# space separated list of allowed UDP ports -UDP="ldap" - -# space separated list of allowed RPC services -RPC="" - -# space separated list of allowed IP protocols -IP="" - -# space separated list of allowed UDP broadcast ports -BROADCAST="" diff --git a/openldap2.changes b/openldap2.changes index 7c37f82..7acf395 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Jul 25 11:08:46 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + ------------------------------------------------------------------- Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder diff --git a/openldap2.spec b/openldap2.spec index 6d8fbe8..26a1771 100644 --- a/openldap2.spec +++ b/openldap2.spec 
@@ -53,7 +53,6 @@ Source9: addonschema.tar.gz
 Source12: slapd.conf.example
 Source13: start
 Source14: slapd.service
-Source15: SuSEfirewall2.openldap
 Source16: sysconfig.openldap
 Source17: openldap_update_modules_path.sh
 Source18: openldap2.conf
@@ -391,8 +390,6 @@ install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema
 install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
 install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
 install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
-install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
-install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap
 find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
 rm -rf doc/guide/release
@@ -468,7 +465,6 @@ fi
 %files
 %defattr(-,root,root)
-%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap
 %config %{_sysconfdir}/openldap/schema/*.schema
 %config %{_sysconfdir}/openldap/schema/*.ldif
 %config(noreplace) /etc/sasl2/slapd.conf