Accepting request 511674 from network:ldap


OBS-URL: https://build.opensuse.org/request/show/511674
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=124
Dominique Leuenberger 2017-07-21 20:43:54 +00:00 committed by Git OBS Bridge
commit 6a2a4e5d1c
7 changed files with 87 additions and 80 deletions


@ -1,24 +0,0 @@
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
to address weak DH size vulnerability.
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
+++ openldap-2.4.26/libraries/libldap/tls_o.c
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
-----END DH PARAMETERS-----\n";
static const struct dhinfo tlso_dhpem[] = {
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
DH *dh = NULL;
int i;
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
+ if (key_length < 1024) key_length = 1024;
+
/* Do we have params of this length already? */
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
for ( p = tlso_dhparams; p; p=p->next ) {


@ -1,33 +0,0 @@
The TLS configuration deliberately hid the error in case that user specified CA locations
cannot be read, by loading CAs from default locations; and when user does not specify CA
locations, the CAs from default locations are not read at all.
This patch corrects the behaviour so that CAs from default location are used if user does
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
the user specified location.
Howard Guo <hguo@suse.com> 2016-11-10
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",


@ -0,0 +1,28 @@
From 6c37844c5c52b95aff5e4e547cda8a7258e92a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?= <michael@stroeder.com>
Date: Wed, 12 Jul 2017 20:18:22 +0200
Subject: [PATCH] ITS#8692 let back-sock generate increment: line in case of
LDAP_MOD_INCREMENT (see RFC 4525, section 3)
---
servers/slapd/back-sock/modify.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/servers/slapd/back-sock/modify.c b/servers/slapd/back-sock/modify.c
index c35d31bc6..9342d2702 100644
--- a/servers/slapd/back-sock/modify.c
+++ b/servers/slapd/back-sock/modify.c
@@ -85,6 +85,10 @@ sock_back_modify(
case LDAP_MOD_REPLACE:
fprintf( fp, "replace: %s\n", mod->sm_desc->ad_cname.bv_val );
break;
+
+ case LDAP_MOD_INCREMENT:
+ fprintf( fp, "increment: %s\n", mod->sm_desc->ad_cname.bv_val );
+ break;
}
if( mod->sm_values != NULL ) {
--
2.13.2
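Review bot: The new `case LDAP_MOD_INCREMENT:` emits only the `increment:` header line; the operand that RFC 4525 section 3 requires (a single integer value) is presumably written by the generic `if( mod->sm_values != NULL )` block that follows the switch, outside this hunk, and nothing in the hunk checks that exactly one value is present. If that check is done by the frontend before the backend is reached, a comment on the case would save the next reader the lookup: `/* value (one integer, RFC 4525 s.3) is written by the sm_values loop below */`. sock_back_modify starts and ends outside the hunk.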


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
size 5658830

openldap-2.4.45.tgz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
size 5672845


@ -1,3 +1,47 @@
-------------------------------------------------------------------
Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com
- added overlay trace to package openldap2-contrib
-------------------------------------------------------------------
Wed Jul 12 18:52:42 UTC 2017 - michael@stroeder.com
- Upgrade to upstream 2.4.45 release
- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
and 0012-use-system-wide-cert-dir-by-default.patch
- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch
for supporting modify increment operations with back-sock
- added overlay addpartial to package openldap2-contrib
--------------------------------------------------------------------
Wed Jun 7 09:32:52 UTC 2017 - hguo@suse.com
- Remove legacy daemon control that was used to migrate from SLE 11
to 12. (bsc#1038405)
--------------------------------------------------------------------
Tue Jun 6 13:47:18 UTC 2017 - hguo@suse.com
- There is no change made about the package itself, this is only
copying over some changelog texts from SLE package:
- bug#976172 owned by hguo@suse.com: openldap2 - missing
/usr/share/doc/packages/openldap2/guide/admin/guide.html
- bug#916914 owned by varkoly@suse.com: VUL-0: CVE-2015-1546:
openldap2: slapd crash in valueReturnFilter cleanup
- [fate#319300](https://fate.suse.com/319300)
- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545)
- bug#905959 owned by hguo@suse.com: L3-Question: Are multiple
"Connection 0" in a Multi Master setup normal ?
- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546)
- bug#916897 owned by varkoly@suse.com: VUL-0: CVE-2015-1545:
openldap2: slapd crashes on search with deref control and empty attr list
-------------------------------------------------------------------
Fri Apr 7 16:47:24 UTC 2017 - jengelh@inai.de
- Drop binutils requirement; the code using /usr/bin/strings has
been dropped in openSUSE:Factory/openldap2 revision 112.
-------------------------------------------------------------------
Sat Feb 18 22:11:29 UTC 2017 - kukuk@suse.com


@ -17,7 +17,7 @@
%define run_test_suite 0
%define version_main 2.4.44
%define version_main 2.4.45
%if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd
@ -56,9 +56,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
Patch11: 0011-openldap-re24-its7796.patch
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
Patch13: 0013-ITS-8692-let-back-sock-generate-increment-line.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
@ -83,8 +82,6 @@ Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
Conflicts: openldap
PreReq: %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
# For /usr/bin/strings
Requires(pre): binutils
%description
OpenLDAP is a client and server reference implementation of the
@ -152,6 +149,7 @@ Requires: openldap2 = %{version_main}
%description contrib
Various overlays found in contrib/:
addpartial Intercepts ADD requests, applies changes to existing entries
allop
allowed Generates attributes indicating access rights
autogroup
@ -163,6 +161,7 @@ nops
pw-sha2 generates/validates SHA-2 password hashes
pw-pbkdf2 generates/validates PBKDF2 password hashes
smbk5pwd generates Samba3 password hashes (heimdal krb disabled)
trace traces overlay invocation
%package doc
Summary: OpenLDAP Documentation
@ -250,9 +249,8 @@ gzip -k %{S:203}
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@ -299,11 +297,10 @@ export STRIP=""
make depend
make %{?_smp_mflags}
# Build selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
done
# One more level up needed because of passwd/sha2
# slapo-smbk5pwd only for Samba password hashes
make -C contrib/slapd-modules/smbk5pwd %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" DEFS="-DDO_SAMBA" HEIMDAL_LIB=""
@ -344,7 +341,7 @@ make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "
# Additional symbolic link to slapd executable in /usr/sbin/
ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
# Install selected contrib overlays
for SLAPO_NAME in allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2
for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
do
make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
done
@ -386,7 +383,7 @@ install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG
install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/var/lib/ldap/DB_CONFIG.example
install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
rm -rf doc/guide/release
%define DOCDIR %{_defaultdocdir}/%{name}
@ -424,11 +421,8 @@ rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
%pre
getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap || :
getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap || :
if /usr/bin/chkconfig ldap 2>&1 | grep -q on; then
touch %{_rundir}/enable_slapd_service
fi
getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap
%service_add_pre slapd.service
%post
@ -437,11 +431,7 @@ if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
fi
%{fillup_only -n openldap ldap}
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
%service_add_post slapd.service
if [ -f %{_rundir}/enable_slapd_service ]; then
/usr/bin/systemctl --quiet enable slapd
fi
%post -n libldap-2_4-2 -p /sbin/ldconfig
@ -564,6 +554,7 @@ fi
%files contrib
%defattr(-,root,root)
%{_libdir}/openldap/addpartial.*
%{_libdir}/openldap/allowed.*
%{_libdir}/openldap/allop.*
%{_libdir}/openldap/autogroup.*
@ -575,6 +566,7 @@ fi
%{_libdir}/openldap/denyop.*
%{_libdir}/openldap/cloak.*
%{_libdir}/openldap/smbk5pwd.*
%{_libdir}/openldap/trace.*
%files client
%defattr(-,root,root)
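Review bot: The rewritten `%pre` (hunk `@ -424,11 +421,8`) drops the `|| :` fallback after the `groupadd` and `useradd` lines, so a failure in either now aborts the transaction instead of silently installing files owned by an account that was never created; that reads as a sound fail-closed change, but the changelog entry for bsc#1038405 only mentions removing the legacy daemon control, so a one-line comment above the two lines, `# no '|| :': a missing ldap account must fail the install, not be papered over`, would record the intent. With the `chkconfig ... | grep -q on` check gone, `/usr/bin/grep` in the `PreReq:` line (hunk `@ -83,8 +82,6`) appears to have no remaining user in `%pre` and can presumably be dropped, unless a scriptlet outside this view still needs it. The `%post` hunk (`@ -437,11 +431,7`) removes the matching `enable_slapd_service` handling, so the two hunks should be reviewed together.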