diff --git a/0010-Enforce-minimum-DH-size-of-1024.patch b/0010-Enforce-minimum-DH-size-of-1024.patch deleted file mode 100644 index db4b18c..0000000 --- a/0010-Enforce-minimum-DH-size-of-1024.patch +++ /dev/null @@ -1,24 +0,0 @@ -The patch was authored by Marcus Meissner on 2015-07-13 -to address weak DH size vulnerability. - ---- openldap-2.4.26.orig/libraries/libldap/tls_o.c -+++ openldap-2.4.26/libraries/libldap/tls_o.c -@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t - -----END DH PARAMETERS-----\n"; - - static const struct dhinfo tlso_dhpem[] = { -- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, - { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, - { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, - { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, -@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, - DH *dh = NULL; - int i; - -+ /* for Logjam, rev up the minimum DH group size to 1024 bit */ -+ if (key_length < 1024) key_length = 1024; -+ - /* Do we have params of this length already? */ - LDAP_MUTEX_LOCK( &tlso_dh_mutex ); - for ( p = tlso_dhparams; p; p=p->next ) { - diff --git a/0012-use-system-wide-cert-dir-by-default.patch b/0012-use-system-wide-cert-dir-by-default.patch deleted file mode 100644 index 78e64ee..0000000 --- a/0012-use-system-wide-cert-dir-by-default.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -The TLS configuration deliberately hid the error in case that user specified CA locations -cannot be read, by loading CAs from default locations; and when user does not specify CA -locations, the CAs from default locations are not read at all. - -This patch corrects the behaviour so that CAs from default location are used if user does -not specify a CA location, and user is informed of the error if CAs cannot be loaded from -the user specified location. - -Howard Guo 2016-11-10 - -diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c ---- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200 -+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100 -@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s - return -1; - } - -- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) { -+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) { -+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) { -+ Debug( LDAP_DEBUG_ANY, "TLS: " -+ "could not use default certificate paths", 0, 0, 0 ); -+ tlso_report_error(); -+ return -1; -+ } -+ } else { - if ( !SSL_CTX_load_verify_locations( ctx, -- lt->lt_cacertfile, lt->lt_cacertdir ) || -- !SSL_CTX_set_default_verify_paths( ctx ) ) -+ lt->lt_cacertfile, lt->lt_cacertdir ) ) - { - Debug( LDAP_DEBUG_ANY, "TLS: " - "could not load verify locations (file:`%s',dir:`%s').\n", diff --git a/0013-ITS-8692-let-back-sock-generate-increment-line.patch b/0013-ITS-8692-let-back-sock-generate-increment-line.patch new file mode 100644 index 0000000..7fbb1f0 --- /dev/null +++ b/0013-ITS-8692-let-back-sock-generate-increment-line.patch 
@@ -0,0 +1,28 @@ +From 6c37844c5c52b95aff5e4e547cda8a7258e92a35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20Str=C3=B6der?= +Date: Wed, 12 Jul 2017 20:18:22 +0200 +Subject: [PATCH] ITS#8692 let back-sock generate increment: line in case of + LDAP_MOD_INCREMENT (see RFC 4525, section 3) + +--- + servers/slapd/back-sock/modify.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/servers/slapd/back-sock/modify.c b/servers/slapd/back-sock/modify.c +index c35d31bc6..9342d2702 100644 +--- a/servers/slapd/back-sock/modify.c ++++ b/servers/slapd/back-sock/modify.c +@@ -85,6 +85,10 @@ sock_back_modify( + case LDAP_MOD_REPLACE: + fprintf( fp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val ); + break; ++ ++ case LDAP_MOD_INCREMENT: ++ fprintf( fp, "increment: %s\n", mod->sm_desc->ad_cname.bv_val ); ++ break; + } + + if( mod->sm_values != NULL ) { +-- +2.13.2 + diff --git a/openldap-2.4.44.tgz b/openldap-2.4.44.tgz deleted file mode 100644 index 57ce079..0000000 --- a/openldap-2.4.44.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400 -size 5658830 diff --git a/openldap-2.4.45.tgz b/openldap-2.4.45.tgz new file mode 100644 index 0000000..0af5b2a --- /dev/null +++ b/openldap-2.4.45.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824 +size 5672845 diff --git a/openldap2.changes b/openldap2.changes index b047d67..14496ba 100644 --- a/openldap2.changes +++ b/openldap2.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com + +- added overlay trace to package openldap2-contrib + +------------------------------------------------------------------- +Wed Jul 12 18:52:42 UTC 2017 - michael@stroeder.com + +- Upgrade to upstream 2.4.45 release +- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch + and 0012-use-system-wide-cert-dir-by-default.patch +- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch + for supporting modify increment operations with back-sock +- added overlay addpartial to package openldap2-contrib + +-------------------------------------------------------------------- +Wed Jun 7 09:32:52 UTC 2017 - hguo@suse.com + +- Remove legacy daemon control that was used to migrate from SLE 11 + to 12. (bsc#1038405) + +-------------------------------------------------------------------- +Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com + +- There is no change made about the package itself, this is only + copying over some changelog texts from SLE package: +- bug#976172 owned by hguo@suse.com: openldap2 - missing + /usr/share/doc/packages/openldap2/guide/admin/guide.html +- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546: + openldap2: slapd crash in valueReturnFilter cleanup +- [fate#319300](https://fate.suse.com/319300) +- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545) +- bug#905959 owned by hguo@suse.com: L3-Question: Are multiple + "Connection 0" in a Multi Master setup normal ? 
+- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546) +- bug#916897 owned by varkoly@suse.com: VUL-0: CVE-2015-1545: + openldap2: slapd crashes on search with deref control and empty attr list + +------------------------------------------------------------------- +Fri Apr 7 16:47:24 UTC 2017 - jengelh@inai.de + +- Drop binutils requirement; the code using /usr/bin/strings has + been dropped in openSUSE:Factory/openldap2 revision 112. + ------------------------------------------------------------------- Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com diff --git a/openldap2.spec b/openldap2.spec index 691d84f..0f9c263 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -17,7 +17,7 @@ %define run_test_suite 0 -%define version_main 2.4.44 +%define version_main 2.4.45 %if %{suse_version} >= 1310 && %{suse_version} != 1315 %define _rundir /run/slapd @@ -56,9 +56,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch -Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch Patch11: 0011-openldap-re24-its7796.patch -Patch12: 0012-use-system-wide-cert-dir-by-default.patch +Patch13: 0013-ITS-8692-let-back-sock-generate-increment-line.patch Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source201: %{name_ppolicy_check_module}.Makefile Source202: %{name_ppolicy_check_module}.conf @@ -83,8 +82,6 @@ Requires: libldap-2_4-2 = %{version_main} Recommends: cyrus-sasl Conflicts: openldap PreReq: %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -# For /usr/bin/strings -Requires(pre): binutils %description OpenLDAP is a client and server reference implementation of the 
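Review bot: Dropping Patch10 in this hunk removes the only visible enforcement of a 1024-bit minimum DH group in tlso_tmp_dh_cb (the deleted 0010 patch also took the 512-bit entry out of tlso_dhpem), and Patch12 likewise carried the change that makes tlso_ctx_init fall back to SSL_CTX_set_default_verify_paths only when no CA file or directory is configured; nothing on this page shows the upstream 2.4.45 equivalent of either. The changelog entry only says the patches are obsolete, so a reader cannot tell whether 2.4.45 itself refuses sub-1024-bit DH groups and reports unreadable CA locations, or whether those behaviours are being quietly reverted. Please cite the upstream ITS or release note for each in the spec or changelog, e.g. `- removed 0010-Enforce-minimum-DH-size-of-1024.patch, superseded upstream by <ITS number>`, or keep the patch until that is confirmed. The matching `%patch10 -p1` and `%patch12 -p1` removals in the %prep hunk below are the same change.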
@@ -152,6 +149,7 @@ Requires: openldap2 = %{version_main} %description contrib Various overlays found in contrib/: +addpartial Intercepts ADD requests, applies changes to existing entries allop allowed Generates attributes indicating access rights autogroup @@ -163,6 +161,7 @@ nops pw-sha2 generates/validates SHA-2 password hashes pw-pbkdf2 generates/validates PBKDF2 password hashes smbk5pwd generates Samba3 password hashes (heimdal krb disabled) +trace traces overlay invocation %package doc Summary: OpenLDAP Documentation @@ -250,9 +249,8 @@ gzip -k %{S:203} %patch7 -p1 %patch8 -p1 %patch9 -p1 -%patch10 -p1 %patch11 -p1 -%patch12 -p1 +%patch13 -p1 cp %{SOURCE5} . # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ @@ -299,11 +297,10 @@ export STRIP="" make depend make %{?_smp_mflags} # Build selected contrib overlays -for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" done -# One more level up needed because of passwd/sha2 # slapo-smbk5pwd only for Samba password hashes make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB="" 
@@ -344,7 +341,7 @@ make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" " # Additional symbolic link to slapd executable in /usr/sbin/ ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd # Install selected contrib overlays -for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 +for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install done @@ -386,7 +383,7 @@ install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap -rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d` +find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete rm -rf doc/guide/release %define DOCDIR %{_defaultdocdir}/%{name} @@ -424,11 +421,8 @@ rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la %pre -getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap || : -getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || : -if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then - touch %{_rundir}/enable_slapd_service -fi +getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap +getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap %service_add_pre slapd.service %post 
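Review bot: The rewritten `find` line in the %install hunk still passes `*.html`, `*.gif` and `*.png` to `-name` unquoted, so the shell globs them against the current directory before find sees them and the expression breaks whenever a matching file exists there; the old backtick version had the same weakness, but since the line is being rewritten anyway the patterns should be quoted: `find doc/guide '(' ! -name '*.html' -a ! -name '*.gif' -a ! -name '*.png' -a ! -type d ')' -delete`. Quoting also keeps the parenthesised group intact if the build directory ever gains such files.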
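Review bot: Dropping the trailing `|| :` from the `groupadd` and `useradd` lines in the %pre hunk means a failure of either command now fails the scriptlet and aborts the install, which is a separate behaviour change from the chkconfig/enable_slapd_service cleanup that the changelog describes under bsc#1038405. Failing is arguably the right outcome, since installing slapd without its `ldap` account would leave its files without an owner, but the intent is not recorded anywhere in the diff. Either restore the `|| :` or add a comment above the two lines such as `# abort the install rather than ship slapd without the ldap account` and mention the change in the changelog entry. Both commands pass `-o`, so an already-used gid 70 or uid 76 should not by itself trigger the failure, though I cannot confirm that from the hunk alone.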
@@ -437,11 +431,7 @@ if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf fi %{fillup_only -n openldap ldap} -%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER} %service_add_post slapd.service -if [ -f %{_rundir}/enable_slapd_service ]; then - /usr/bin/systemctl --quiet enable slapd -fi %post -n libldap-2_4-2 -p /sbin/ldconfig @@ -564,6 +554,7 @@ fi %files contrib %defattr(-,root,root) +%{_libdir}/openldap/addpartial.* %{_libdir}/openldap/allowed.* %{_libdir}/openldap/allop.* %{_libdir}/openldap/autogroup.* @@ -575,6 +566,7 @@ fi %{_libdir}/openldap/denyop.* %{_libdir}/openldap/cloak.* %{_libdir}/openldap/smbk5pwd.* +%{_libdir}/openldap/trace.* %files client %defattr(-,root,root)