
Accepting request 500558 from home:stroeder:branches:network:ldap

update to 2.4.45

OBS-URL: https://build.opensuse.org/request/show/500558
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=176
Michael Ströder 2017-06-02 09:23:02 +00:00 committed by Git OBS Bridge
parent 787c8bf6cf
commit 31fe523df6
6 changed files with 11 additions and 65 deletions


@ -1,24 +0,0 @@
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
to address weak DH size vulnerability.
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
+++ openldap-2.4.26/libraries/libldap/tls_o.c
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
-----END DH PARAMETERS-----\n";
static const struct dhinfo tlso_dhpem[] = {
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
DH *dh = NULL;
int i;
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
+ if (key_length < 1024) key_length = 1024;
+
/* Do we have params of this length already? */
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
for ( p = tlso_dhparams; p; p=p->next ) {


@ -1,33 +0,0 @@
The TLS configuration deliberately hid the error in case that user specified CA locations
cannot be read, by loading CAs from default locations; and when user does not specify CA
locations, the CAs from default locations are not read at all.
This patch corrects the behaviour so that CAs from default location are used if user does
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
the user specified location.
Howard Guo <hguo@suse.com> 2016-11-10
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400
size 5658830

openldap-2.4.45.tgz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
size 5672845


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Jun 2 07:26:42 UTC 2017 - michael@stroeder.com
- Upgrade to upstream 2.4.45 release
- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch
and 0012-use-system-wide-cert-dir-by-default.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Apr 27 10:08:31 UTC 2017 - michael@stroeder.com Thu Apr 27 10:08:31 UTC 2017 - michael@stroeder.com


@ -17,7 +17,7 @@
%define run_test_suite 0 %define run_test_suite 0
%define version_main 2.4.44 %define version_main 2.4.45
%if %{suse_version} >= 1310 && %{suse_version} != 1315 %if %{suse_version} >= 1310 && %{suse_version} != 1315
%define _rundir /run/slapd %define _rundir /run/slapd
@ -56,9 +56,7 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif Patch7: 0007-Recover-on-DB-version-change.dif
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
Patch11: 0011-openldap-re24-its7796.patch Patch11: 0011-openldap-re24-its7796.patch
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf Source202: %{name_ppolicy_check_module}.conf
@ -254,9 +252,7 @@ gzip -k %{S:203}
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
cp %{SOURCE5} . cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
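Review bot: Removing `Patch10`/`%patch10` and `Patch12`/`%patch12` assumes the 2.4.45 tarball already carries both behaviours, but neither the spec nor the changelog records which upstream change supersedes each patch, so the claim "obsolete" is unverifiable from this commit. Before merging, confirm in the unpacked 2.4.45 `libraries/libldap/tls_o.c` that the 512-bit entry is gone from `tlso_dhpem[]` (or that `tlso_tmp_dh_cb` clamps `key_length` to at least 1024) and that `tlso_ctx_init` calls `SSL_CTX_set_default_verify_paths()` when neither a CA file nor a CA dir is configured; if either is missing, the patch needs a rebase rather than deletion, since dropping the first re-enables export-grade DH groups and dropping the second reverts to the behaviour the deleted 0012 header describes, where an unconfigured client loads no trust anchors at all. I would also name the superseding upstream changes next to the removal in the changelog, e.g. `- removed 0010-... and 0012-..., both merged upstream (ITS#<number>, ITS#<number>)`, so the next version bump does not have to re-derive the justification. The ppolicy-module `Source20x` lines are unchanged and out of scope here.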