forked from pool/openldap2
Accepting request 718552 from network:ldap
Read all of the following carefully: Update to upstream release 2.4.48 with security fixes: * CVE-2019-13057 (ITS#9038): rootdn of any db can assert any identity * CVE-2019-13565 (ITS#9052): Unauthorized access caused by incorrect handling of SASL SSF values Fix CVE-2017-17740 by disabling(!) nops overlay not maintained by upstream (see also bsc#1073313, comment #36) Note that I disabled slapo-nops instead of rebasing 0017-Fix-segfault-in-nops.patch which is somewhat debatable. Removal of SuSEfirewall2 service. OBS-URL: https://build.opensuse.org/request/show/718552 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=147
This commit is contained in:
commit
0567eeb791
@ -1,26 +0,0 @@
|
||||
From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
|
||||
From: Howard Chu <hyc@openldap.org>
|
||||
Date: Tue, 17 Jan 2017 11:35:54 +0000
|
||||
Subject: ITS#8727 plug ber leaks
|
||||
|
||||
|
||||
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
|
||||
index 31145432f..7d2d7a458 100644
|
||||
--- a/libraries/libldap/request.c
|
||||
+++ b/libraries/libldap/request.c
|
||||
@@ -315,6 +315,7 @@ ldap_send_server_request(
|
||||
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
|
||||
if ( rc == -1 ) {
|
||||
ld->ld_errno = LDAP_ENCODING_ERROR;
|
||||
+ ber_free( ber, 1 );
|
||||
LDAP_CONN_UNLOCK_IF(m_noconn);
|
||||
return rc;
|
||||
}
|
||||
@@ -334,6 +335,7 @@ ldap_send_server_request(
|
||||
rc = -1;
|
||||
}
|
||||
if ( rc ) {
|
||||
+ ber_free( ber, 1 );
|
||||
LDAP_CONN_UNLOCK_IF(m_noconn);
|
||||
return rc;
|
||||
}
|
@ -1,35 +0,0 @@
|
||||
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
|
||||
index 54c24682a..06945d811 100644
|
||||
--- a/servers/slapd/overlays/memberof.c
|
||||
+++ b/servers/slapd/overlays/memberof.c
|
||||
@@ -360,10 +360,16 @@ memberof_value_modify(
|
||||
unsigned long opid = op->o_opid;
|
||||
SlapReply rs2 = { REP_RESULT };
|
||||
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
|
||||
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
|
||||
- struct berval values[ 4 ], nvalues[ 4 ];
|
||||
+ Modifications *mod, *ml;
|
||||
+ struct berval *values, *nvalues;
|
||||
int mcnt = 0;
|
||||
|
||||
+ mod = (Modifications*)malloc(2 * sizeof(Modifications));
|
||||
+ memset(mod, 0, 2 * sizeof(Modifications));
|
||||
+
|
||||
+ values = (struct berval*)malloc(4 * sizeof(struct berval));
|
||||
+ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
|
||||
+
|
||||
op2.o_tag = LDAP_REQ_MODIFY;
|
||||
|
||||
op2.o_req_dn = *ndn;
|
||||
@@ -493,6 +499,11 @@ memberof_value_modify(
|
||||
/* restore original opid */
|
||||
op->o_opid = opid;
|
||||
|
||||
+
|
||||
+ slap_mods_free( mod, 0 );
|
||||
+ free(values);
|
||||
+ free(nvalues);
|
||||
+
|
||||
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
|
||||
* add will fail; better split in two operations, although
|
||||
* not optimal in terms of performance. At least it would
|
@ -1,17 +0,0 @@
|
||||
## Name: OpenLDAP Server
|
||||
## Description: Opens ports for the OpenLDAP Server (slapd).
|
||||
|
||||
# space separated list of allowed TCP ports
|
||||
TCP="ldap ldaps"
|
||||
|
||||
# space separated list of allowed UDP ports
|
||||
UDP="ldap"
|
||||
|
||||
# space separated list of allowed RPC services
|
||||
RPC=""
|
||||
|
||||
# space separated list of allowed IP protocols
|
||||
IP=""
|
||||
|
||||
# space separated list of allowed UDP broadcast ports
|
||||
BROADCAST=""
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f54c5877865233d9ada77c60c0f69b3e0bfd8b1b55889504c650047cc305520b
|
||||
size 5699678
|
3
openldap-2.4.48.tgz
Normal file
3
openldap-2.4.48.tgz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d9523ffcab5cd14b709fcf3cb4d04e8bc76bb8970113255f372bc74954c6074d
|
||||
size 5704883
|
@ -1,3 +1,78 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 25 11:08:46 UTC 2019 - matthias.gerstner@suse.com
|
||||
|
||||
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
|
||||
firewalld, see [1].
|
||||
|
||||
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||||
|
||||
- Update to upstream release 2.4.48 with security fixes:
|
||||
* CVE-2019-13057 (ITS#9038):
|
||||
rootdn of any db can assert any identity
|
||||
* CVE-2019-13565 (ITS#9052):
|
||||
Unauthorized access caused by incorrect handling of SASL SSF values
|
||||
- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
|
||||
(see also bsc#1073313, comment #36)
|
||||
- Removed obsolete patches:
|
||||
* 0002-openldap-its8727-plug-ber-leaks.patch
|
||||
* 0017-Fix-segfault-in-nops.patch
|
||||
|
||||
OpenLDAP 2.4.48 (2019/07/24)
|
||||
Added libldap OpenSSL Elliptic Curve support (ITS#7595)
|
||||
Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
|
||||
Added slapd-monitor support for slapd-mdb (ITS#7770)
|
||||
Fixed liblber leaks (ITS#8727)
|
||||
Fixed liblber with partial flush (ITS#8864)
|
||||
Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
|
||||
Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
|
||||
Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
|
||||
Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
|
||||
Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
|
||||
Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
|
||||
Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
|
||||
Fixed libldap to correctly close TLS connection (ITS#8755)
|
||||
Fixed libldap with non-blocking TLS and referals (ITS#8167)
|
||||
Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
|
||||
Fixed liblunicode case correspondance (ITS#8508)
|
||||
Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
|
||||
Fixed slapd config parser variable for Windows64 (ITS#9012)
|
||||
Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
|
||||
Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
|
||||
Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
|
||||
Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
|
||||
Fixed slapd to initialize SASL SSF per connection (ITS#9052)
|
||||
Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
|
||||
Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
|
||||
Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
|
||||
Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
|
||||
Fixed slapd-meta assertion when network interface goes down (ITS#8841)
|
||||
Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
|
||||
Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
|
||||
Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
|
||||
Fixed slapo-accesslog possible assert with exops (ITS#8971)
|
||||
Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
|
||||
Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
|
||||
Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
|
||||
Fixed slapo-memberof for group name change to itself (ITS#9000)
|
||||
Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
|
||||
Fixed slapo-rwm to not free original filter (ITS#8964)
|
||||
Fixed slapo-syncprov contextCSN generation (ITS#9015)
|
||||
Build Environment
|
||||
Fixed slapd to only link to BDB libraries with static build (ITS#8948)
|
||||
Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
|
||||
Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
|
||||
Documentation
|
||||
General - Fixed minor typos (ITS#8764, ITS#8761)
|
||||
admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
|
||||
slapd.access(5) - Note MDB is the primary backend (ITS#8881)
|
||||
slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
|
||||
slapd-ldap(5) - Document starttls parameter (ITS#8693)
|
||||
Contrib
|
||||
Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com>
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
%endif
|
||||
|
||||
%define run_test_suite 0
|
||||
%define version_main 2.4.47
|
||||
%define version_main 2.4.48
|
||||
|
||||
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
||||
%define _rundir /run/slapd
|
||||
@ -53,12 +53,10 @@ Source9: addonschema.tar.gz
|
||||
Source12: slapd.conf.example
|
||||
Source13: start
|
||||
Source14: slapd.service
|
||||
Source15: SuSEfirewall2.openldap
|
||||
Source16: sysconfig.openldap
|
||||
Source17: openldap_update_modules_path.sh
|
||||
Source18: openldap2.conf
|
||||
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
||||
Patch2: 0002-openldap-its8727-plug-ber-leaks.patch
|
||||
Patch3: 0003-LDAPI-socket-location.dif
|
||||
Patch5: 0005-pie-compile.dif
|
||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||
@ -67,7 +65,6 @@ Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||
Patch11: 0011-openldap-re24-its7796.patch
|
||||
Patch15: openldap-r-only.dif
|
||||
Patch16: 0016-Clear-shared-key-only-in-close-function.patch
|
||||
Patch17: 0017-Fix-segfault-in-nops.patch
|
||||
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
||||
Source201: %{name_ppolicy_check_module}.Makefile
|
||||
Source202: %{name_ppolicy_check_module}.conf
|
||||
@ -169,7 +166,6 @@ cloak
|
||||
denyop
|
||||
lastbind writes last bind timestamp to entry
|
||||
noopsrch handles no-op search control
|
||||
nops
|
||||
pw-sha2 generates/validates SHA-2 password hashes
|
||||
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
||||
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
||||
@ -256,7 +252,6 @@ gzip -k %{S:203}
|
||||
# Unpack and patch OpenLDAP 2.4
|
||||
%setup -q -a 9 -n openldap-%{version_main}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch5 -p1
|
||||
%patch7 -p1
|
||||
@ -265,7 +260,6 @@ gzip -k %{S:203}
|
||||
%patch11 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
cp %{SOURCE5} .
|
||||
|
||||
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
||||
@ -312,7 +306,7 @@ export STRIP=""
|
||||
make depend
|
||||
make %{?_smp_mflags}
|
||||
# Build selected contrib overlays
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||
do
|
||||
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
||||
done
|
||||
@ -356,7 +350,7 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
|
||||
# Additional symbolic link to slapd executable in /usr/sbin/
|
||||
ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
|
||||
# Install selected contrib overlays
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||
for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||
do
|
||||
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||
done
|
||||
@ -396,8 +390,6 @@ install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema
|
||||
install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
|
||||
install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
|
||||
install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
|
||||
install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
|
||||
install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap
|
||||
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
||||
rm -rf doc/guide/release
|
||||
|
||||
@ -473,7 +465,6 @@ fi
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap
|
||||
%config %{_sysconfdir}/openldap/schema/*.schema
|
||||
%config %{_sysconfdir}/openldap/schema/*.ldif
|
||||
%config(noreplace) /etc/sasl2/slapd.conf
|
||||
@ -589,7 +580,6 @@ fi
|
||||
%{_libdir}/openldap/autogroup.*
|
||||
%{_libdir}/openldap/lastbind.*
|
||||
%{_libdir}/openldap/noopsrch.*
|
||||
%{_libdir}/openldap/nops.*
|
||||
%{_libdir}/openldap/pw-sha2.*
|
||||
%{_libdir}/openldap/pw-pbkdf2.*
|
||||
%{_libdir}/openldap/denyop.*
|
||||
|
Loading…
Reference in New Issue
Block a user