diff --git a/0010-Enforce-minimum-DH-size-of-1024.patch b/0010-Enforce-minimum-DH-size-of-1024.patch
deleted file mode 100644
index db4b18c..0000000
--- a/0010-Enforce-minimum-DH-size-of-1024.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-The patch was authored by Marcus Meissner on 2015-07-13
-to address weak DH size vulnerability.
-
---- openldap-2.4.26.orig/libraries/libldap/tls_o.c
-+++ openldap-2.4.26/libraries/libldap/tls_o.c
-@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
- -----END DH PARAMETERS-----\n";
-
- static const struct dhinfo tlso_dhpem[] = {
-- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
-@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
- DH *dh = NULL;
- int i;
-
-+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
-+ if (key_length < 1024) key_length = 1024;
-+
- /* Do we have params of this length already? */
- LDAP_MUTEX_LOCK( &tlso_dh_mutex );
- for ( p = tlso_dhparams; p; p=p->next ) {
-
diff --git a/0012-use-system-wide-cert-dir-by-default.patch b/0012-use-system-wide-cert-dir-by-default.patch
deleted file mode 100644
index 78e64ee..0000000
--- a/0012-use-system-wide-cert-dir-by-default.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-The TLS configuration deliberately hid the error in case that user specified CA locations
-cannot be read, by loading CAs from default locations; and when user does not specify CA
-locations, the CAs from default locations are not read at all.
-
-This patch corrects the behaviour so that CAs from default location are used if user does
-not specify a CA location, and user is informed of the error if CAs cannot be loaded from
-the user specified location.
-
-Howard Guo 2016-11-10
-
-diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
---- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
-+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
-@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
- return -1;
- }
-
-- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
-+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
-+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
-+ Debug( LDAP_DEBUG_ANY, "TLS: "
-+ "could not use default certificate paths", 0, 0, 0 );
-+ tlso_report_error();
-+ return -1;
-+ }
-+ } else {
- if ( !SSL_CTX_load_verify_locations( ctx,
-- lt->lt_cacertfile, lt->lt_cacertdir ) ||
-- !SSL_CTX_set_default_verify_paths( ctx ) )
-+ lt->lt_cacertfile, lt->lt_cacertdir ) )
- {
- Debug( LDAP_DEBUG_ANY, "TLS: "
- "could not load verify locations (file:`%s',dir:`%s').\n",
diff --git a/openldap-2.4.44.tgz b/openldap-2.4.44.tgz
deleted file mode 100644
index 57ce079..0000000
--- a/openldap-2.4.44.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
-size 5658830
diff --git a/openldap-2.4.45.tgz b/openldap-2.4.45.tgz
new file mode 100644
index 0000000..0af5b2a
--- /dev/null
+++ b/openldap-2.4.45.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
+size 5672845
diff --git a/openldap2.changes b/openldap2.changes
index 03ce3aa..ba8af10 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jun 2 07:26:42 UTC 2017 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.45 release
+- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
+ and 0012-use-system-wide-cert-dir-by-default.patch
+
 -------------------------------------------------------------------
 Thu Apr 27 10:08:31 UTC 2017 - michael@stroeder.com
diff --git a/openldap2.spec b/openldap2.spec
index 81e3439..4facabd 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -17,7 +17,7 @@ %define run_test_suite 0
-%define version_main 2.4.44
+%define version_main 2.4.45
 %if %{suse_version} >= 1310 && %{suse_version} != 1315
 %define _rundir /run/slapd
@@ -56,9 +56,7 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
 Patch7: 0007-Recover-on-DB-version-change.dif
 Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
-Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
 Patch11: 0011-openldap-re24-its7796.patch
-Patch12: 0012-use-system-wide-cert-dir-by-default.patch
 Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201: %{name_ppolicy_check_module}.Makefile
 Source202: %{name_ppolicy_check_module}.conf
@@ -254,9 +252,7 @@ gzip -k %{S:203}
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p1
 %patch11 -p1
-%patch12 -p1
 cp %{SOURCE5} .
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/