forked from pool/openldap2
Accepting request 718552 from network:ldap
Read all of the following carefully: Update to upstream release 2.4.48 with security fixes: * CVE-2019-13057 (ITS#9038): rootdn of any db can assert any identity * CVE-2019-13565 (ITS#9052): Unauthorized access caused by incorrect handling of SASL SSF values Fix CVE-2017-17740 by disabling(!) nops overlay not maintained by upstream (see also bsc#1073313, comment #36) Note that I disabled slapo-nops instead of rebasing 0017-Fix-segfault-in-nops.patch which is somewhat debatable. Removal of SuSEfirewall2 service. OBS-URL: https://build.opensuse.org/request/show/718552 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=147
This commit is contained in:
commit
0567eeb791
@ -1,26 +0,0 @@
|
|||||||
From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Howard Chu <hyc@openldap.org>
|
|
||||||
Date: Tue, 17 Jan 2017 11:35:54 +0000
|
|
||||||
Subject: ITS#8727 plug ber leaks
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
|
|
||||||
index 31145432f..7d2d7a458 100644
|
|
||||||
--- a/libraries/libldap/request.c
|
|
||||||
+++ b/libraries/libldap/request.c
|
|
||||||
@@ -315,6 +315,7 @@ ldap_send_server_request(
|
|
||||||
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
|
|
||||||
if ( rc == -1 ) {
|
|
||||||
ld->ld_errno = LDAP_ENCODING_ERROR;
|
|
||||||
+ ber_free( ber, 1 );
|
|
||||||
LDAP_CONN_UNLOCK_IF(m_noconn);
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
@@ -334,6 +335,7 @@ ldap_send_server_request(
|
|
||||||
rc = -1;
|
|
||||||
}
|
|
||||||
if ( rc ) {
|
|
||||||
+ ber_free( ber, 1 );
|
|
||||||
LDAP_CONN_UNLOCK_IF(m_noconn);
|
|
||||||
return rc;
|
|
||||||
}
|
|
@ -1,35 +0,0 @@
|
|||||||
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
|
|
||||||
index 54c24682a..06945d811 100644
|
|
||||||
--- a/servers/slapd/overlays/memberof.c
|
|
||||||
+++ b/servers/slapd/overlays/memberof.c
|
|
||||||
@@ -360,10 +360,16 @@ memberof_value_modify(
|
|
||||||
unsigned long opid = op->o_opid;
|
|
||||||
SlapReply rs2 = { REP_RESULT };
|
|
||||||
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
|
|
||||||
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
|
|
||||||
- struct berval values[ 4 ], nvalues[ 4 ];
|
|
||||||
+ Modifications *mod, *ml;
|
|
||||||
+ struct berval *values, *nvalues;
|
|
||||||
int mcnt = 0;
|
|
||||||
|
|
||||||
+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
|
|
||||||
+ memset(mod, 0, 2 * sizeof(Modifications));
|
|
||||||
+
|
|
||||||
+ values = (struct berval*)malloc(4 * sizeof(struct berval));
|
|
||||||
+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
|
|
||||||
+
|
|
||||||
op2.o_tag = LDAP_REQ_MODIFY;
|
|
||||||
|
|
||||||
op2.o_req_dn = *ndn;
|
|
||||||
@@ -493,6 +499,11 @@ memberof_value_modify(
|
|
||||||
/* restore original opid */
|
|
||||||
op->o_opid = opid;
|
|
||||||
|
|
||||||
+
|
|
||||||
+ slap_mods_free( mod, 0 );
|
|
||||||
+ free(values);
|
|
||||||
+ free(nvalues);
|
|
||||||
+
|
|
||||||
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
|
|
||||||
* add will fail; better split in two operations, although
|
|
||||||
* not optimal in terms of performance. At least it would
|
|
@ -1,17 +0,0 @@
|
|||||||
## Name: OpenLDAP Server
|
|
||||||
## Description: Opens ports for the OpenLDAP Server (slapd).
|
|
||||||
|
|
||||||
# space separated list of allowed TCP ports
|
|
||||||
TCP="ldap ldaps"
|
|
||||||
|
|
||||||
# space separated list of allowed UDP ports
|
|
||||||
UDP="ldap"
|
|
||||||
|
|
||||||
# space separated list of allowed RPC services
|
|
||||||
RPC=""
|
|
||||||
|
|
||||||
# space separated list of allowed IP protocols
|
|
||||||
IP=""
|
|
||||||
|
|
||||||
# space separated list of allowed UDP broadcast ports
|
|
||||||
BROADCAST=""
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:f54c5877865233d9ada77c60c0f69b3e0bfd8b1b55889504c650047cc305520b
|
|
||||||
size 5699678
|
|
3
openldap-2.4.48.tgz
Normal file
3
openldap-2.4.48.tgz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:d9523ffcab5cd14b709fcf3cb4d04e8bc76bb8970113255f372bc74954c6074d
|
||||||
|
size 5704883
|
@ -1,3 +1,78 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 25 11:08:46 UTC 2019 - matthias.gerstner@suse.com
|
||||||
|
|
||||||
|
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
|
||||||
|
firewalld, see [1].
|
||||||
|
|
||||||
|
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||||||
|
|
||||||
|
- Update to upstream release 2.4.48 with security fixes:
|
||||||
|
* CVE-2019-13057 (ITS#9038):
|
||||||
|
rootdn of any db can assert any identity
|
||||||
|
* CVE-2019-13565 (ITS#9052):
|
||||||
|
Unauthorized access caused by incorrect handling of SASL SSF values
|
||||||
|
- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
|
||||||
|
(see also bsc#1073313, comment #36)
|
||||||
|
- Removed obsolete patches:
|
||||||
|
* 0002-openldap-its8727-plug-ber-leaks.patch
|
||||||
|
* 0017-Fix-segfault-in-nops.patch
|
||||||
|
|
||||||
|
OpenLDAP 2.4.48 (2019/07/24)
|
||||||
|
Added libldap OpenSSL Elliptic Curve support (ITS#7595)
|
||||||
|
Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
|
||||||
|
Added slapd-monitor support for slapd-mdb (ITS#7770)
|
||||||
|
Fixed liblber leaks (ITS#8727)
|
||||||
|
Fixed liblber with partial flush (ITS#8864)
|
||||||
|
Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
|
||||||
|
Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
|
||||||
|
Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
|
||||||
|
Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
|
||||||
|
Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
|
||||||
|
Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
|
||||||
|
Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
|
||||||
|
Fixed libldap to correctly close TLS connection (ITS#8755)
|
||||||
|
Fixed libldap with non-blocking TLS and referals (ITS#8167)
|
||||||
|
Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
|
||||||
|
Fixed liblunicode case correspondance (ITS#8508)
|
||||||
|
Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
|
||||||
|
Fixed slapd config parser variable for Windows64 (ITS#9012)
|
||||||
|
Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
|
||||||
|
Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
|
||||||
|
Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
|
||||||
|
Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
|
||||||
|
Fixed slapd to initialize SASL SSF per connection (ITS#9052)
|
||||||
|
Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
|
||||||
|
Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
|
||||||
|
Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
|
||||||
|
Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
|
||||||
|
Fixed slapd-meta assertion when network interface goes down (ITS#8841)
|
||||||
|
Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
|
||||||
|
Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
|
||||||
|
Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
|
||||||
|
Fixed slapo-accesslog possible assert with exops (ITS#8971)
|
||||||
|
Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
|
||||||
|
Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
|
||||||
|
Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
|
||||||
|
Fixed slapo-memberof for group name change to itself (ITS#9000)
|
||||||
|
Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
|
||||||
|
Fixed slapo-rwm to not free original filter (ITS#8964)
|
||||||
|
Fixed slapo-syncprov contextCSN generation (ITS#9015)
|
||||||
|
Build Environment
|
||||||
|
Fixed slapd to only link to BDB libraries with static build (ITS#8948)
|
||||||
|
Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
|
||||||
|
Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
|
||||||
|
Documentation
|
||||||
|
General - Fixed minor typos (ITS#8764, ITS#8761)
|
||||||
|
admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
|
||||||
|
slapd.access(5) - Note MDB is the primary backend (ITS#8881)
|
||||||
|
slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
|
||||||
|
slapd-ldap(5) - Document starttls parameter (ITS#8693)
|
||||||
|
Contrib
|
||||||
|
Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com>
|
Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com>
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%define run_test_suite 0
|
%define run_test_suite 0
|
||||||
%define version_main 2.4.47
|
%define version_main 2.4.48
|
||||||
|
|
||||||
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
||||||
%define _rundir /run/slapd
|
%define _rundir /run/slapd
|
||||||
@ -53,12 +53,10 @@ Source9: addonschema.tar.gz
|
|||||||
Source12: slapd.conf.example
|
Source12: slapd.conf.example
|
||||||
Source13: start
|
Source13: start
|
||||||
Source14: slapd.service
|
Source14: slapd.service
|
||||||
Source15: SuSEfirewall2.openldap
|
|
||||||
Source16: sysconfig.openldap
|
Source16: sysconfig.openldap
|
||||||
Source17: openldap_update_modules_path.sh
|
Source17: openldap_update_modules_path.sh
|
||||||
Source18: openldap2.conf
|
Source18: openldap2.conf
|
||||||
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
||||||
Patch2: 0002-openldap-its8727-plug-ber-leaks.patch
|
|
||||||
Patch3: 0003-LDAPI-socket-location.dif
|
Patch3: 0003-LDAPI-socket-location.dif
|
||||||
Patch5: 0005-pie-compile.dif
|
Patch5: 0005-pie-compile.dif
|
||||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||||
@ -67,7 +65,6 @@ Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
|||||||
Patch11: 0011-openldap-re24-its7796.patch
|
Patch11: 0011-openldap-re24-its7796.patch
|
||||||
Patch15: openldap-r-only.dif
|
Patch15: openldap-r-only.dif
|
||||||
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
|
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
|
||||||
Patch17: 0017-Fix-segfault-in-nops.patch
|
|
||||||
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
||||||
Source201: %{name_ppolicy_check_module}.Makefile
|
Source201: %{name_ppolicy_check_module}.Makefile
|
||||||
Source202: %{name_ppolicy_check_module}.conf
|
Source202: %{name_ppolicy_check_module}.conf
|
||||||
@ -169,7 +166,6 @@ cloak
|
|||||||
denyop
|
denyop
|
||||||
lastbind writes last bind timestamp to entry
|
lastbind writes last bind timestamp to entry
|
||||||
noopsrch handles no-op search control
|
noopsrch handles no-op search control
|
||||||
nops
|
|
||||||
pw-sha2 generates/validates SHA-2 password hashes
|
pw-sha2 generates/validates SHA-2 password hashes
|
||||||
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
||||||
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
||||||
@ -256,7 +252,6 @@ gzip -k %{S:203}
|
|||||||
# Unpack and patch OpenLDAP 2.4
|
# Unpack and patch OpenLDAP 2.4
|
||||||
%setup -q -a 9 -n openldap-%{version_main}
|
%setup -q -a 9 -n openldap-%{version_main}
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
@ -265,7 +260,6 @@ gzip -k %{S:203}
|
|||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch15 -p1
|
%patch15 -p1
|
||||||
%patch16 -p1
|
%patch16 -p1
|
||||||
%patch17 -p1
|
|
||||||
cp %{SOURCE5} .
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
||||||
@ -312,7 +306,7 @@ export STRIP=""
|
|||||||
make depend
|
make depend
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
# Build selected contrib overlays
|
# Build selected contrib overlays
|
||||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||||
do
|
do
|
||||||
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
||||||
done
|
done
|
||||||
@ -356,7 +350,7 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
|
|||||||
# Additional symbolic link to slapd executable in /usr/sbin/
|
# Additional symbolic link to slapd executable in /usr/sbin/
|
||||||
ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
|
ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
|
||||||
# Install selected contrib overlays
|
# Install selected contrib overlays
|
||||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||||
do
|
do
|
||||||
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||||
done
|
done
|
||||||
@ -396,8 +390,6 @@ install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema
|
|||||||
install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
|
install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
|
||||||
install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
|
install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
|
||||||
install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
|
install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
|
||||||
install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
|
|
||||||
install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap
|
|
||||||
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
||||||
rm -rf doc/guide/release
|
rm -rf doc/guide/release
|
||||||
|
|
||||||
@ -473,7 +465,6 @@ fi
|
|||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap
|
|
||||||
%config %{_sysconfdir}/openldap/schema/*.schema
|
%config %{_sysconfdir}/openldap/schema/*.schema
|
||||||
%config %{_sysconfdir}/openldap/schema/*.ldif
|
%config %{_sysconfdir}/openldap/schema/*.ldif
|
||||||
%config(noreplace) /etc/sasl2/slapd.conf
|
%config(noreplace) /etc/sasl2/slapd.conf
|
||||||
@ -589,7 +580,6 @@ fi
|
|||||||
%{_libdir}/openldap/autogroup.*
|
%{_libdir}/openldap/autogroup.*
|
||||||
%{_libdir}/openldap/lastbind.*
|
%{_libdir}/openldap/lastbind.*
|
||||||
%{_libdir}/openldap/noopsrch.*
|
%{_libdir}/openldap/noopsrch.*
|
||||||
%{_libdir}/openldap/nops.*
|
|
||||||
%{_libdir}/openldap/pw-sha2.*
|
%{_libdir}/openldap/pw-sha2.*
|
||||||
%{_libdir}/openldap/pw-pbkdf2.*
|
%{_libdir}/openldap/pw-pbkdf2.*
|
||||||
%{_libdir}/openldap/denyop.*
|
%{_libdir}/openldap/denyop.*
|
||||||
|
Loading…
Reference in New Issue
Block a user