Accepting request 511674 from network:ldap
1 OBS-URL: https://build.opensuse.org/request/show/511674 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=124
commit
6a2a4e5d1c
@ -1,24 +0,0 @@
|
|||||||
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
|
|
||||||
to address weak DH size vulnerability.
|
|
||||||
|
|
||||||
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
|
|
||||||
+++ openldap-2.4.26/libraries/libldap/tls_o.c
|
|
||||||
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
|
|
||||||
-----END DH PARAMETERS-----\n";
|
|
||||||
|
|
||||||
static const struct dhinfo tlso_dhpem[] = {
|
|
||||||
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
|
|
||||||
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
|
|
||||||
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
|
|
||||||
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
|
|
||||||
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
|
|
||||||
DH *dh = NULL;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
|
|
||||||
+ if (key_length < 1024) key_length = 1024;
|
|
||||||
+
|
|
||||||
/* Do we have params of this length already? */
|
|
||||||
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
|
|
||||||
for ( p = tlso_dhparams; p; p=p->next ) {
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
The TLS configuration deliberately hid the error in case that user specified CA locations
|
|
||||||
cannot be read, by loading CAs from default locations; and when user does not specify CA
|
|
||||||
locations, the CAs from default locations are not read at all.
|
|
||||||
|
|
||||||
This patch corrects the behaviour so that CAs from default location are used if user does
|
|
||||||
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
|
|
||||||
the user specified location.
|
|
||||||
|
|
||||||
Howard Guo <hguo@suse.com> 2016-11-10
|
|
||||||
|
|
||||||
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
|
|
||||||
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
|
|
||||||
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
|
|
||||||
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
|
|
||||||
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
|
|
||||||
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
||||||
+ "could not use default certificate paths", 0, 0, 0 );
|
|
||||||
+ tlso_report_error();
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
if ( !SSL_CTX_load_verify_locations( ctx,
|
|
||||||
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
|
|
||||||
- !SSL_CTX_set_default_verify_paths( ctx ) )
|
|
||||||
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
|
|
||||||
{
|
|
||||||
Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
||||||
"could not load verify locations (file:`%s',dir:`%s').\n",
|
|
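--- a/0013-ITS-8692-let-back-sock-generate-increment-line.patch
+++ b/0013-ITS-8692-let-back-sock-generate-increment-line.patch
@@ -0,0 +1,28 @@
+From 6c37844c5c52b95aff5e4e547cda8a7258e92a35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Str=C3=B6der?= <michael@stroeder.com>
+Date: Wed, 12 Jul 2017 20:18:22 +0200
+Subject: [PATCH] ITS#8692 let back-sock generate increment: line in case of
+ LDAP_MOD_INCREMENT (see RFC 4525, section 3)
+
+---
+ servers/slapd/back-sock/modify.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/servers/slapd/back-sock/modify.c b/servers/slapd/back-sock/modify.c
+index c35d31bc6..9342d2702 100644
+--- a/servers/slapd/back-sock/modify.c
++++ b/servers/slapd/back-sock/modify.c
+@@ -85,6 +85,10 @@ sock_back_modify(
+case LDAP_MOD_REPLACE:
+fprintf( fp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
+break;
++
++ case LDAP_MOD_INCREMENT:
++ fprintf( fp, "increment: %s\n", mod->sm_desc->ad_cname.bv_val );
++ break;
+}
+
+if( mod->sm_values != NULL ) {
+--
+2.13.2
+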
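Review bot: The switch that gains `case LDAP_MOD_INCREMENT:` shows no `default:` branch in the visible lines, so a modification type matching none of the cases writes no operation line, while the `if( mod->sm_values != NULL )` block after the switch still runs. If that holds for the full function, the process reading the socket would receive attribute values with no preceding `replace:` or `increment:` style keyword and could misattribute them. A `default:` branch that logs the unexpected operation and skips that modification would make the handling explicit. The switch header and the earlier cases are outside the hunk, so this needs checking against the whole of sock_back_modify.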
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
|
|
||||||
size 5658830
|
|
3
openldap-2.4.45.tgz
Normal file
3
openldap-2.4.45.tgz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
|
||||||
|
size 5672845
|
@ -1,3 +1,47 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com
|
||||||
|
|
||||||
|
- added overlay trace to package openldap2-contrib
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 12 18:52:42 UTC 2017 - michael@stroeder.com
|
||||||
|
|
||||||
|
- Upgrade to upstream 2.4.45 release
|
||||||
|
- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
|
||||||
|
and 0012-use-system-wide-cert-dir-by-default.patch
|
||||||
|
- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch
|
||||||
|
for supporting modify increment operations with back-sock
|
||||||
|
- added overlay addpartial to package openldap2-contrib
|
||||||
|
|
||||||
|
--------------------------------------------------------------------
|
||||||
|
Wed Jun 7 09:32:52 UTC 2017 - hguo@suse.com
|
||||||
|
|
||||||
|
- Remove legacy daemon control that was used to migrate from SLE 11
|
||||||
|
to 12. (bsc#1038405)
|
||||||
|
|
||||||
|
--------------------------------------------------------------------
|
||||||
|
Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com
|
||||||
|
|
||||||
|
- There is no change made about the package itself, this is only
|
||||||
|
copying over some changelog texts from SLE package:
|
||||||
|
- bug#976172 owned by hguo@suse.com: openldap2 - missing
|
||||||
|
/usr/share/doc/packages/openldap2/guide/admin/guide.html
|
||||||
|
- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546:
|
||||||
|
openldap2: slapd crash in valueReturnFilter cleanup
|
||||||
|
- [fate#319300](https://fate.suse.com/319300)
|
||||||
|
- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545)
|
||||||
|
- bug#905959 owned by hguo@suse.com: L3-Question: Are multiple
|
||||||
|
"Connection 0" in a Multi Master setup normal ?
|
||||||
|
- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546)
|
||||||
|
- bug#916897 owned by varkoly@suse.com: VUL-0: CVE-2015-1545:
|
||||||
|
openldap2: slapd crashes on search with deref control and empty attr list
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 7 16:47:24 UTC 2017 - jengelh@inai.de
|
||||||
|
|
||||||
|
- Drop binutils requirement; the code using /usr/bin/strings has
|
||||||
|
been dropped in openSUSE:Factory/openldap2 revision 112.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com
|
Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define run_test_suite 0
|
%define run_test_suite 0
|
||||||
%define version_main 2.4.44
|
%define version_main 2.4.45
|
||||||
|
|
||||||
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
%if %{suse_version} >= 1310 && %{suse_version} != 1315
|
||||||
%define _rundir /run/slapd
|
%define _rundir /run/slapd
|
||||||
@ -56,9 +56,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
|||||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||||
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||||
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
|
|
||||||
Patch11: 0011-openldap-re24-its7796.patch
|
Patch11: 0011-openldap-re24-its7796.patch
|
||||||
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
|
Patch13: 0013-ITS-8692-let-back-sock-generate-increment-line.patch
|
||||||
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
||||||
Source201: %{name_ppolicy_check_module}.Makefile
|
Source201: %{name_ppolicy_check_module}.Makefile
|
||||||
Source202: %{name_ppolicy_check_module}.conf
|
Source202: %{name_ppolicy_check_module}.conf
|
||||||
@ -83,8 +82,6 @@ Requires: libldap-2_4-2 = %{version_main}
|
|||||||
Recommends: cyrus-sasl
|
Recommends: cyrus-sasl
|
||||||
Conflicts: openldap
|
Conflicts: openldap
|
||||||
PreReq: %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
|
PreReq: %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
|
||||||
# For /usr/bin/strings
|
|
||||||
Requires(pre): binutils
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
OpenLDAP is a client and server reference implementation of the
|
OpenLDAP is a client and server reference implementation of the
|
||||||
@ -152,6 +149,7 @@ Requires: openldap2 = %{version_main}
|
|||||||
|
|
||||||
%description contrib
|
%description contrib
|
||||||
Various overlays found in contrib/:
|
Various overlays found in contrib/:
|
||||||
|
addpartial Intercepts ADD requests, applies changes to existing entries
|
||||||
allop
|
allop
|
||||||
allowed Generates attributes indicating access rights
|
allowed Generates attributes indicating access rights
|
||||||
autogroup
|
autogroup
|
||||||
@ -163,6 +161,7 @@ nops
|
|||||||
pw-sha2 generates/validates SHA-2 password hashes
|
pw-sha2 generates/validates SHA-2 password hashes
|
||||||
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
pw-pbkdf2 generates/validates PBKDF2 password hashes
|
||||||
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
|
||||||
|
trace traces overlay invocation
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: OpenLDAP Documentation
|
Summary: OpenLDAP Documentation
|
||||||
@ -250,9 +249,8 @@ gzip -k %{S:203}
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch13 -p1
|
||||||
cp %{SOURCE5} .
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
||||||
@ -299,11 +297,10 @@ export STRIP=""
|
|||||||
make depend
|
make depend
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
# Build selected contrib overlays
|
# Build selected contrib overlays
|
||||||
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
|
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||||
do
|
do
|
||||||
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
|
||||||
done
|
done
|
||||||
# One more level up needed because of passwd/sha2
|
|
||||||
# slapo-smbk5pwd only for Samba password hashes
|
# slapo-smbk5pwd only for Samba password hashes
|
||||||
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
|
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
|
||||||
|
|
||||||
@ -344,7 +341,7 @@ make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "
|
|||||||
# Additional symbolic link to slapd executable in /usr/sbin/
|
# Additional symbolic link to slapd executable in /usr/sbin/
|
||||||
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
|
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
|
||||||
# Install selected contrib overlays
|
# Install selected contrib overlays
|
||||||
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
|
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
|
||||||
do
|
do
|
||||||
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
|
||||||
done
|
done
|
||||||
@ -386,7 +383,7 @@ install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
|
|||||||
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
|
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
|
||||||
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
|
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
|
||||||
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
|
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
|
||||||
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
|
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
|
||||||
rm -rf doc/guide/release
|
rm -rf doc/guide/release
|
||||||
|
|
||||||
%define DOCDIR %{_defaultdocdir}/%{name}
|
%define DOCDIR %{_defaultdocdir}/%{name}
|
||||||
@ -424,11 +421,8 @@ rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
|
|||||||
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
|
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap || :
|
getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
|
||||||
getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
|
getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap
|
||||||
if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
|
|
||||||
touch %{_rundir}/enable_slapd_service
|
|
||||||
fi
|
|
||||||
%service_add_pre slapd.service
|
%service_add_pre slapd.service
|
||||||
|
|
||||||
%post
|
%post
|
||||||
@ -437,11 +431,7 @@ if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
|
|||||||
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
|
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
|
||||||
fi
|
fi
|
||||||
%{fillup_only -n openldap ldap}
|
%{fillup_only -n openldap ldap}
|
||||||
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
|
|
||||||
%service_add_post slapd.service
|
%service_add_post slapd.service
|
||||||
if [ -f %{_rundir}/enable_slapd_service ]; then
|
|
||||||
/usr/bin/systemctl --quiet enable slapd
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post -n libldap-2_4-2 -p /sbin/ldconfig
|
%post -n libldap-2_4-2 -p /sbin/ldconfig
|
||||||
|
|
||||||
@ -564,6 +554,7 @@ fi
|
|||||||
|
|
||||||
%files contrib
|
%files contrib
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
%{_libdir}/openldap/addpartial.*
|
||||||
%{_libdir}/openldap/allowed.*
|
%{_libdir}/openldap/allowed.*
|
||||||
%{_libdir}/openldap/allop.*
|
%{_libdir}/openldap/allop.*
|
||||||
%{_libdir}/openldap/autogroup.*
|
%{_libdir}/openldap/autogroup.*
|
||||||
@ -575,6 +566,7 @@ fi
|
|||||||
%{_libdir}/openldap/denyop.*
|
%{_libdir}/openldap/denyop.*
|
||||||
%{_libdir}/openldap/cloak.*
|
%{_libdir}/openldap/cloak.*
|
||||||
%{_libdir}/openldap/smbk5pwd.*
|
%{_libdir}/openldap/smbk5pwd.*
|
||||||
|
%{_libdir}/openldap/trace.*
|
||||||
|
|
||||||
%files client
|
%files client
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
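Review bot: The rewritten `find doc/guide` line (in the hunk just above `rm -rf doc/guide/release`) still passes `*.html`, `*.gif` and `*.png` unquoted, so the shell expands them first whenever the build directory contains matching files, and `-delete` then acts on a different expression than intended. Quote the patterns: `find doc/guide '(' ! -name '*.html' -a ! -name '*.gif' -a ! -name '*.png' -a ! -type d ')' -delete`. Separately, Patch10 (minimum DH size of 1024) and Patch12 (system-wide CA paths) are dropped as obsolete in this file. Nothing on this page shows the 2.4.45 sources carrying equivalent behaviour, so it is worth confirming against the new libldap TLS code before assuming both hardening changes are still in effect.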