- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch

to fix CVE-2015-6908. (bsc#945582)
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
  to address weak DH size vulnerability (bsc#937766)

- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
  to fix CVE-2015-6908. (bsc#945582)
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
  to address weak DH size vulnerability (bsc#937766)

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=143
This commit is contained in:
Howard Guo 2015-12-02 12:58:25 +00:00 committed by Git OBS Bridge
parent 48315a6a03
commit dc3d146869
6 changed files with 73 additions and 0 deletions

View File

@ -0,0 +1,27 @@
From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@symas.com>
Date: Sat, 12 Sep 2015 22:18:22 +0100
Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
We have never documented our use of assert, so can't expect
builders to do the right thing.
This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
The commit fixes CVE-2015-6908.
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 85c3e23..c05dcf8 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -679,7 +679,7 @@ done:
return (ber->ber_tag);
}
- assert( 0 ); /* ber structure is messed up ?*/
+ /* invalid input */
return LBER_DEFAULT;
}
--
2.6.3

View File

@ -0,0 +1,24 @@
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
to address weak DH size vulnerability.
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
+++ openldap-2.4.26/libraries/libldap/tls_o.c
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
-----END DH PARAMETERS-----\n";
static const struct dhinfo tlso_dhpem[] = {
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
DH *dh = NULL;
int i;
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
+ if (key_length < 1024) key_length = 1024;
+
/* Do we have params of this length already? */
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
for ( p = tlso_dhparams; p; p=p->next ) {

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
to fix CVE-2015-6908. (bsc#945582)
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
to address weak DH size vulnerability (bsc#937766)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com

View File

@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel BuildRequires: cyrus-sasl-devel
BuildRequires: groff BuildRequires: groff
@ -179,6 +181,8 @@ This package contains the OpenLDAP client libraries.
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1
cp %{SOURCE5} . cp %{SOURCE5} .
%build %build

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
to fix CVE-2015-6908. (bsc#945582)
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
to address weak DH size vulnerability (bsc#937766)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com

View File

@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: cyrus-sasl-devel BuildRequires: cyrus-sasl-devel
BuildRequires: groff BuildRequires: groff