1
0
forked from pool/openldap2

Accepting request 718552 from network:ldap

Read all of the following carefully:

Update to upstream release 2.4.48 with security fixes:
  * CVE-2019-13057 (ITS#9038):
    rootdn of any db can assert any identity
  * CVE-2019-13565 (ITS#9052):
    Unauthorized access caused by incorrect handling of SASL SSF values

Fix CVE-2017-17740 by disabling(!) nops overlay not maintained by upstream (see also bsc#1073313, comment #36)
Note that I disabled slapo-nops instead of rebasing 0017-Fix-segfault-in-nops.patch which is somewhat debatable.

Removal of SuSEfirewall2 service.

OBS-URL: https://build.opensuse.org/request/show/718552
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=147
This commit is contained in:
Dominique Leuenberger 2019-07-31 12:13:51 +00:00 committed by Git OBS Bridge
commit 0567eeb791
7 changed files with 81 additions and 94 deletions

View File

@ -1,26 +0,0 @@
From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 17 Jan 2017 11:35:54 +0000
Subject: ITS#8727 plug ber leaks
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 31145432f..7d2d7a458 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
@@ -315,6 +315,7 @@ ldap_send_server_request(
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
if ( rc == -1 ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
@@ -334,6 +335,7 @@ ldap_send_server_request(
rc = -1;
}
if ( rc ) {
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}

View File

@ -1,35 +0,0 @@
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 54c24682a..06945d811 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -360,10 +360,16 @@ memberof_value_modify(
unsigned long opid = op->o_opid;
SlapReply rs2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
- struct berval values[ 4 ], nvalues[ 4 ];
+ Modifications *mod, *ml;
+ struct berval *values, *nvalues;
int mcnt = 0;
+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
+ memset(mod, 0, 2 * sizeof(Modifications));
+
+ values = (struct berval*)malloc(4 * sizeof(struct berval));
+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
+
op2.o_tag = LDAP_REQ_MODIFY;
op2.o_req_dn = *ndn;
@@ -493,6 +499,11 @@ memberof_value_modify(
/* restore original opid */
op->o_opid = opid;
+
+ slap_mods_free( mod, 0 );
+ free(values);
+ free(nvalues);
+
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
* add will fail; better split in two operations, although
* not optimal in terms of performance. At least it would

View File

@ -1,17 +0,0 @@
## Name: OpenLDAP Server
## Description: Opens ports for the OpenLDAP Server (slapd).
# space separated list of allowed TCP ports
TCP="ldap ldaps"
# space separated list of allowed UDP ports
UDP="ldap"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f54c5877865233d9ada77c60c0f69b3e0bfd8b1b55889504c650047cc305520b
size 5699678

3
openldap-2.4.48.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d9523ffcab5cd14b709fcf3cb4d04e8bc76bb8970113255f372bc74954c6074d
size 5704883

View File

@ -1,3 +1,78 @@
-------------------------------------------------------------------
Thu Jul 25 11:08:46 UTC 2019 - matthias.gerstner@suse.com
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
-------------------------------------------------------------------
Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder <michael@stroeder.com>
- Update to upstream release 2.4.48 with security fixes:
* CVE-2019-13057 (ITS#9038):
rootdn of any db can assert any identity
* CVE-2019-13565 (ITS#9052):
Unauthorized access caused by incorrect handling of SASL SSF values
- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
(see also bsc#1073313, comment #36)
- Removed obsolete patches:
* 0002-openldap-its8727-plug-ber-leaks.patch
* 0017-Fix-segfault-in-nops.patch
OpenLDAP 2.4.48 (2019/07/24)
Added libldap OpenSSL Elliptic Curve support (ITS#7595)
Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
Added slapd-monitor support for slapd-mdb (ITS#7770)
Fixed liblber leaks (ITS#8727)
Fixed liblber with partial flush (ITS#8864)
Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
Fixed libldap to correctly close TLS connection (ITS#8755)
Fixed libldap with non-blocking TLS and referals (ITS#8167)
Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
Fixed liblunicode case correspondance (ITS#8508)
Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
Fixed slapd config parser variable for Windows64 (ITS#9012)
Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
Fixed slapd to initialize SASL SSF per connection (ITS#9052)
Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
Fixed slapd-meta assertion when network interface goes down (ITS#8841)
Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
Fixed slapo-accesslog possible assert with exops (ITS#8971)
Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
Fixed slapo-memberof for group name change to itself (ITS#9000)
Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
Fixed slapo-rwm to not free original filter (ITS#8964)
Fixed slapo-syncprov contextCSN generation (ITS#9015)
Build Environment
Fixed slapd to only link to BDB libraries with static build (ITS#8948)
Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
Documentation
General - Fixed minor typos (ITS#8764, ITS#8761)
admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
slapd.access(5) - Note MDB is the primary backend (ITS#8881)
slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
slapd-ldap(5) - Document starttls parameter (ITS#8693)
Contrib
Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com> Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com>

View File

@ -22,7 +22,7 @@
%endif %endif
%define run_test_suite 0 %define run_test_suite 0
%define version_main 2.4.47 %define version_main 2.4.48
%if %{suse_version} >= 1310 && %{suse_version} != 1315 %if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd %define _rundir /run/slapd
@ -53,12 +53,10 @@ Source9: addonschema.tar.gz
Source12: slapd.conf.example Source12: slapd.conf.example
Source13: start Source13: start
Source14: slapd.service Source14: slapd.service
Source15: SuSEfirewall2.openldap
Source16: sysconfig.openldap Source16: sysconfig.openldap
Source17: openldap_update_modules_path.sh Source17: openldap_update_modules_path.sh
Source18: openldap2.conf Source18: openldap2.conf
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Patch2: 0002-openldap-its8727-plug-ber-leaks.patch
Patch3: 0003-LDAPI-socket-location.dif Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif Patch5: 0005-pie-compile.dif
Patch7: 0007-Recover-on-DB-version-change.dif Patch7: 0007-Recover-on-DB-version-change.dif
@ -67,7 +65,6 @@ Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch11: 0011-openldap-re24-its7796.patch Patch11: 0011-openldap-re24-its7796.patch
Patch15: openldap-r-only.dif Patch15: openldap-r-only.dif
Patch16: 0016-Clear-shared-key-only-in-close-function.patch Patch16: 0016-Clear-shared-key-only-in-close-function.patch
Patch17: 0017-Fix-segfault-in-nops.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf Source202: %{name_ppolicy_check_module}.conf
@ -169,7 +166,6 @@ cloak
denyop denyop
lastbind writes last bind timestamp to entry lastbind writes last bind timestamp to entry
noopsrch handles no-op search control noopsrch handles no-op search control
nops
pw-sha2 generates/validates SHA-2 password hashes pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled) smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
@ -256,7 +252,6 @@ gzip -k %{S:203}
# Unpack and patch OpenLDAP 2.4 # Unpack and patch OpenLDAP 2.4
%setup -q -a 9 -n openldap-%{version_main} %setup -q -a 9 -n openldap-%{version_main}
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1 %patch3 -p1
%patch5 -p1 %patch5 -p1
%patch7 -p1 %patch7 -p1
@ -265,7 +260,6 @@ gzip -k %{S:203}
%patch11 -p1 %patch11 -p1
%patch15 -p1 %patch15 -p1
%patch16 -p1 %patch16 -p1
%patch17 -p1
cp %{SOURCE5} . cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@ -312,7 +306,7 @@ export STRIP=""
make depend make depend
make %{?_smp_mflags} make %{?_smp_mflags}
# Build selected contrib overlays # Build selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done done
@ -356,7 +350,7 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
# Additional symbolic link to slapd executable in /usr/sbin/ # Additional symbolic link to slapd executable in /usr/sbin/
ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
# Install selected contrib overlays # Install selected contrib overlays
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done done
@ -396,8 +390,6 @@ install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
rm -rf doc/guide/release rm -rf doc/guide/release
@ -473,7 +465,6 @@ fi
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap
%config %{_sysconfdir}/openldap/schema/*.schema %config %{_sysconfdir}/openldap/schema/*.schema
%config %{_sysconfdir}/openldap/schema/*.ldif %config %{_sysconfdir}/openldap/schema/*.ldif
%config(noreplace) /etc/sasl2/slapd.conf %config(noreplace) /etc/sasl2/slapd.conf
@ -589,7 +580,6 @@ fi
%{_libdir}/openldap/autogroup.* %{_libdir}/openldap/autogroup.*
%{_libdir}/openldap/lastbind.* %{_libdir}/openldap/lastbind.*
%{_libdir}/openldap/noopsrch.* %{_libdir}/openldap/noopsrch.*
%{_libdir}/openldap/nops.*
%{_libdir}/openldap/pw-sha2.* %{_libdir}/openldap/pw-sha2.*
%{_libdir}/openldap/pw-pbkdf2.* %{_libdir}/openldap/pw-pbkdf2.*
%{_libdir}/openldap/denyop.* %{_libdir}/openldap/denyop.*