forked from pool/openldap2
Accepting request 500558 from home:stroeder:branches:network:ldap
update to 2.4.45 OBS-URL: https://build.opensuse.org/request/show/500558 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=176
parent
787c8bf6cf
commit
31fe523df6
@ -1,24 +0,0 @@
|
|||||||
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
|
|
||||||
to address weak DH size vulnerability.
|
|
||||||
|
|
||||||
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
|
|
||||||
+++ openldap-2.4.26/libraries/libldap/tls_o.c
|
|
||||||
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
|
|
||||||
-----END DH PARAMETERS-----\n";
|
|
||||||
|
|
||||||
static const struct dhinfo tlso_dhpem[] = {
|
|
||||||
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
|
|
||||||
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
|
|
||||||
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
|
|
||||||
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
|
|
||||||
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
|
|
||||||
DH *dh = NULL;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
|
|
||||||
+ if (key_length < 1024) key_length = 1024;
|
|
||||||
+
|
|
||||||
/* Do we have params of this length already? */
|
|
||||||
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
|
|
||||||
for ( p = tlso_dhparams; p; p=p->next ) {
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
The TLS configuration deliberately hid the error in case that user specified CA locations
|
|
||||||
cannot be read, by loading CAs from default locations; and when user does not specify CA
|
|
||||||
locations, the CAs from default locations are not read at all.
|
|
||||||
|
|
||||||
This patch corrects the behaviour so that CAs from default location are used if user does
|
|
||||||
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
|
|
||||||
the user specified location.
|
|
||||||
|
|
||||||
Howard Guo <hguo@suse.com> 2016-11-10
|
|
||||||
|
|
||||||
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
|
|
||||||
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
|
|
||||||
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
|
|
||||||
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
|
|
||||||
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
|
|
||||||
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
||||||
+ "could not use default certificate paths", 0, 0, 0 );
|
|
||||||
+ tlso_report_error();
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
if ( !SSL_CTX_load_verify_locations( ctx,
|
|
||||||
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
|
|
||||||
- !SSL_CTX_set_default_verify_paths( ctx ) )
|
|
||||||
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
|
|
||||||
{
|
|
||||||
Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
||||||
"could not load verify locations (file:`%s',dir:`%s').\n",
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
|
|
||||||
size 5658830
|
|
3
openldap-2.4.45.tgz
Normal file
3
openldap-2.4.45.tgz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
|
||||||
|
size 5672845
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 2 07:26:42 UTC 2017 - michael@stroeder.com
|
||||||
|
|
||||||
|
- Upgrade to upstream 2.4.45 release
|
||||||
|
- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
|
||||||
|
and 0012-use-system-wide-cert-dir-by-default.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Apr 27 10:08:31 UTC 2017 - michael@stroeder.com
|
Thu Apr 27 10:08:31 UTC 2017 - michael@stroeder.com
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define run_test_suite 0
|
%define run_test_suite 0
|
||||||
%define version_main 2.4.44
|
%define version_main 2.4.45
|
||||||
|
|
||||||
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
||||||
%define _rundir /run/slapd
|
%define _rundir /run/slapd
|
||||||
@ -56,9 +56,7 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
|||||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||||
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||||
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
|
|
||||||
Patch11: 0011-openldap-re24-its7796.patch
|
Patch11: 0011-openldap-re24-its7796.patch
|
||||||
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
|
|
||||||
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
||||||
Source201: %{name_ppolicy_check_module}.Makefile
|
Source201: %{name_ppolicy_check_module}.Makefile
|
||||||
Source202: %{name_ppolicy_check_module}.conf
|
Source202: %{name_ppolicy_check_module}.conf
|
||||||
@ -254,9 +252,7 @@ gzip -k %{S:203}
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
|
||||||
cp %{SOURCE5} .
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
||||||
|
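Review bot: Dropping `Patch10` (0010-Enforce-minimum-DH-size-of-1024.patch) and `Patch12` (0012-use-system-wide-cert-dir-by-default.patch) together with their `%patch10 -p1` / `%patch12 -p1` lines removes two TLS-hardening changes, and nothing in the spec or the changelog entry records which upstream 2.4.45 change replaces each of them. The changelog only calls them obsolete, so that claim cannot be checked from this page. If 2.4.45 does not raise small DH sizes, or still masks a failed load of a user-specified CA location, the package silently regresses. I would leave a comment where the Patch lines were, for example `# Patch10, Patch12 dropped with 2.4.45: superseded upstream, see <upstream reference>`, and confirm both behaviours against the new tls_o.c before accepting.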