Accepting request 511674 from network:ldap

1

OBS-URL: https://build.opensuse.org/request/show/511674
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=124

0010-Enforce-minimum-DH-size-of-1024.patch

@@ -1,24 +0,0 @@
-The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
-to address weak DH size vulnerability.
-
---- openldap-2.4.26.orig/libraries/libldap/tls_o.c
-+++ openldap-2.4.26/libraries/libldap/tls_o.c
-@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
- -----END DH PARAMETERS-----\n";
- 
- static const struct dhinfo tlso_dhpem[] = {
--	{ 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
-	{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
-	{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
-	{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
-@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
-	DH *dh = NULL;
-	int i;
- 
-+	/* for Logjam, rev up the minimum DH group size to 1024 bit */
-+	if (key_length < 1024) key_length = 1024;
-+
-	/* Do we have params of this length already? */
-	LDAP_MUTEX_LOCK( &tlso_dh_mutex );
-	for ( p = tlso_dhparams; p; p=p->next ) {
-

0012-use-system-wide-cert-dir-by-default.patch

@@ -1,33 +0,0 @@
-The TLS configuration deliberately hid the error in case that user specified CA locations
-cannot be read, by loading CAs from default locations; and when user does not specify CA
-locations, the CAs from default locations are not read at all.
-
-This patch corrects the behaviour so that CAs from default location are used if user does
-not specify a CA location, and user is informed of the error if CAs cannot be loaded from
-the user specified location.
-
-Howard Guo <hguo@suse.com> 2016-11-10
-
-diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
---- openldap-2.4.41/libraries/libldap/tls_o.c	2015-06-21 02:19:58.000000000 +0200
-+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c	2016-11-10 15:10:32.784147041 +0100
-@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
- 		return -1;
- 	}
- 
--	if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
-+	if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
-+		if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
-+			Debug( LDAP_DEBUG_ANY, "TLS: "
-+				"could not use default certificate paths", 0, 0, 0 );
-+			tlso_report_error();
-+			return -1;
-+		}
-+	} else {
- 		if ( !SSL_CTX_load_verify_locations( ctx,
--				lt->lt_cacertfile, lt->lt_cacertdir ) ||
--			!SSL_CTX_set_default_verify_paths( ctx ) )
-+				lt->lt_cacertfile, lt->lt_cacertdir ) )
- 		{
- 			Debug( LDAP_DEBUG_ANY, "TLS: "
- 				"could not load verify locations (file:`%s',dir:`%s').\n",

0013-ITS-8692-let-back-sock-generate-increment-line.patch

@@ -0,0 +1,28 @@
+From 6c37844c5c52b95aff5e4e547cda8a7258e92a35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Str=C3=B6der?= <michael@stroeder.com>
+Date: Wed, 12 Jul 2017 20:18:22 +0200
+Subject: [PATCH] ITS#8692 let back-sock generate increment: line in case of
+ LDAP_MOD_INCREMENT (see RFC 4525, section 3)
+
+---
+ servers/slapd/back-sock/modify.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/servers/slapd/back-sock/modify.c b/servers/slapd/back-sock/modify.c
+index c35d31bc6..9342d2702 100644
+--- a/servers/slapd/back-sock/modify.c
++++ b/servers/slapd/back-sock/modify.c
+@@ -85,6 +85,10 @@ sock_back_modify(
+ 		case LDAP_MOD_REPLACE:
+ 			fprintf( fp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
+ 			break;
++
++		case LDAP_MOD_INCREMENT:
++			fprintf( fp, "increment: %s\n", mod->sm_desc->ad_cname.bv_val );
++			break;
+ 		}
+ 
+ 		if( mod->sm_values != NULL ) {
+-- 
+2.13.2
+

openldap-2.4.44.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
-size 5658830

openldap-2.4.45.tgz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
+size 5672845

openldap2.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com
+
+- added overlay trace to package openldap2-contrib
+
+-------------------------------------------------------------------
+Wed Jul 12 18:52:42 UTC 2017 - michael@stroeder.com
+
+- Upgrade to upstream 2.4.45 release
+- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
+  and  0012-use-system-wide-cert-dir-by-default.patch
+- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch
+  for supporting modify increment operations with back-sock
+- added overlay addpartial to package openldap2-contrib
+
+--------------------------------------------------------------------
+Wed Jun  7 09:32:52 UTC 2017 - hguo@suse.com
+
+- Remove legacy daemon control that was used to migrate from SLE 11
+  to 12. (bsc#1038405)
+
+--------------------------------------------------------------------
+Tue Jun  6 13:47:18 UTC 2017 - hguo@suse.com
+
+- There is no change made about the package itself, this is only
+  copying over some changelog texts from SLE package:
+- bug#976172 owned by hguo@suse.com: openldap2 - missing  
+  /usr/share/doc/packages/openldap2/guide/admin/guide.html
+- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546:
+  openldap2: slapd crash in valueReturnFilter cleanup
+- [fate#319300](https://fate.suse.com/319300)
+- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545)
+- bug#905959 owned by hguo@suse.com: L3-Question: Are multiple
+  "Connection 0" in a Multi Master setup normal ?
+- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546)
+- bug#916897 owned by varkoly@suse.com: VUL-0: CVE-2015-1545:
+  openldap2: slapd crashes on search with deref control and empty attr list
+
+-------------------------------------------------------------------
+Fri Apr  7 16:47:24 UTC 2017 - jengelh@inai.de
+
+- Drop binutils requirement; the code using /usr/bin/strings has
+  been dropped in openSUSE:Factory/openldap2 revision 112.
+
 -------------------------------------------------------------------
 Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com
 

openldap2.spec

@@ -17,7 +17,7 @@
 
 
 %define run_test_suite 0
-%define version_main 2.4.44
+%define version_main 2.4.45
 
 %if %{suse_version} >= 1310 && %{suse_version} != 1315
 %define  _rundir /run/slapd
@@ -56,9 +56,8 @@ Patch6:         0006-No-Build-date-and-time-in-binaries.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
-Patch10:        0010-Enforce-minimum-DH-size-of-1024.patch
 Patch11:        0011-openldap-re24-its7796.patch
-Patch12:        0012-use-system-wide-cert-dir-by-default.patch
+Patch13:        0013-ITS-8692-let-back-sock-generate-increment-line.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@@ -83,8 +82,6 @@ Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 Conflicts:      openldap
 PreReq:         %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
-# For /usr/bin/strings
-Requires(pre):  binutils
 
 %description
 OpenLDAP is a client and server reference implementation of the
@@ -152,6 +149,7 @@ Requires:       openldap2 = %{version_main}
 
 %description contrib
 Various overlays found in contrib/:
+addpartial    Intercepts ADD requests, applies changes to existing entries
 allop
 allowed       Generates attributes indicating access rights
 autogroup
@@ -163,6 +161,7 @@ nops
 pw-sha2       generates/validates SHA-2 password hashes
 pw-pbkdf2     generates/validates PBKDF2 password hashes
 smbk5pwd      generates Samba3 password hashes (heimdal krb disabled)
+trace         traces overlay invocation
 
 %package doc
 Summary:        OpenLDAP Documentation
@@ -250,9 +249,8 @@ gzip -k %{S:203}
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p1
 %patch11 -p1
-%patch12 -p1
+%patch13 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@@ -299,11 +297,10 @@ export STRIP=""
 make depend
 make %{?_smp_mflags}
 # Build selected contrib overlays
-for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
-# One more level up needed because of passwd/sha2
 # slapo-smbk5pwd only for Samba password hashes
 make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
 
@@ -344,7 +341,7 @@ make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "
 # Additional symbolic link to slapd executable in /usr/sbin/
 ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
 # Install selected contrib overlays
-for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
@@ -386,7 +383,7 @@ install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
 install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
 install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
 install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
-rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a !  -type d`
+find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
 rm -rf doc/guide/release
 
 %define DOCDIR %{_defaultdocdir}/%{name}
@@ -424,11 +421,8 @@ rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
 rm -f  ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
 
 %pre
-getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap || :
-getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
-if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
-    touch %{_rundir}/enable_slapd_service
-fi
+getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
+getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap
 %service_add_pre slapd.service
 
 %post
@@ -437,11 +431,7 @@ if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
   cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
 fi
 %{fillup_only -n openldap ldap}
-%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
 %service_add_post slapd.service
-if [ -f %{_rundir}/enable_slapd_service ]; then
-    /usr/bin/systemctl --quiet enable slapd
-fi
 
 %post -n libldap-2_4-2 -p /sbin/ldconfig
 
@@ -564,6 +554,7 @@ fi
 
 %files contrib
 %defattr(-,root,root)
+%{_libdir}/openldap/addpartial.*
 %{_libdir}/openldap/allowed.*
 %{_libdir}/openldap/allop.*
 %{_libdir}/openldap/autogroup.*
@@ -575,6 +566,7 @@ fi
 %{_libdir}/openldap/denyop.*
 %{_libdir}/openldap/cloak.*
 %{_libdir}/openldap/smbk5pwd.*
+%{_libdir}/openldap/trace.*
 
 %files client
 %defattr(-,root,root)