Accepting request 347172 from network:ldap

- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210) - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210) OBS-URL: https://build.opensuse.org/request/show/347172 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=114
2015-12-06 06:38:30 +00:00 · 2015-12-06 06:38:30 +00:00 · 465adf6f01
commit 465adf6f01
parent 029d25d1f0 429b456698
7 changed files with 166 additions and 0 deletions
--- a/0009-Fix-ldap-host-lookup-ipv6.patch
+++ b/0009-Fix-ldap-host-lookup-ipv6.patch
@ -0,0 +1,73 @@
+The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive
+LDAP host lookups in IPv6 environment.
+
+---
+ libraries/libldap/util-int.c |   39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+Index: openldap-2.4.41/libraries/libldap/util-int.c
+===================================================================
+--- openldap-2.4.41.orig/libraries/libldap/util-int.c
+++ openldap-2.4.41/libraries/libldap/util-int.c
+@@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i
+ 
+ char * ldap_pvt_get_fqdn( char *name )
+ {
+-	char *fqdn, *ha_buf;
+	int rc;
+	char *fqdn;
+ 	char hostbuf[MAXHOSTNAMELEN+1];
+#ifdef HAVE_GETADDRINFO
+	struct addrinfo hints, *res;
+#else
+	char *ha_buf;
+ 	struct hostent *hp, he_buf;
+-	int rc, local_h_errno;
+	int local_h_errno;
+#endif
+ 
+ 	if( name == NULL ) {
+ 		if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) {
+@@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name )
+ 		}
+ 	}
+ 
+#ifdef HAVE_GETADDRINFO
+	memset( &hints, '\0', sizeof( hints ) );
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags |= AI_CANONNAME;
+
+	/* most getaddrinfo(3) use non-threadsafe resolver libraries */
+	LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+
+	rc = getaddrinfo( name, NULL, &hints, &res );
+
+	LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+
+	if ( rc != 0 ) {
+		fqdn = LDAP_STRDUP( name );
+	} else {
+		while ( res ) {
+			if ( res->ai_canonname ) {
+				fqdn = LDAP_STRDUP ( res->ai_canonname );
+				break;
+			}
+			res = res->ai_next;
+		}
+		freeaddrinfo( res );
+	}
+#else
+
+ 	rc = ldap_pvt_gethostbyname_a( name,
+ 		&he_buf, &ha_buf, &hp, &local_h_errno );
+ 
+@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name )
+ 	}
+ 
+ 	LDAP_FREE( ha_buf );
+#endif
+
+ 	return fqdn;
+ }
+ 
--- a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+++ b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
@ -0,0 +1,27 @@
+From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@symas.com>
+Date: Sat, 12 Sep 2015 22:18:22 +0100
+Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
+
+We have never documented our use of assert, so can't expect
+builders to do the right thing.
+This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
+
+The commit fixes CVE-2015-6908.
+
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index 85c3e23..c05dcf8 100644
+--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
+@@ -679,7 +679,7 @@ done:
+ 		return (ber->ber_tag);
+ 	}
+ 
+-	assert( 0 ); /* ber structure is messed up ?*/
+	/* invalid input */
+ 	return LBER_DEFAULT;
+ }
+ 
+-- 
+2.6.3
+
--- a/0011-Enforce-minimum-DH-size-of-1024.patch
+++ b/0011-Enforce-minimum-DH-size-of-1024.patch
@ -0,0 +1,24 @@
+The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
+to address weak DH size vulnerability.
+
+--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
+++ openldap-2.4.26/libraries/libldap/tls_o.c
+@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
+ -----END DH PARAMETERS-----\n";
+ 
+ static const struct dhinfo tlso_dhpem[] = {
+-	{ 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
+	{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
+	{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
+	{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
+@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
+	DH *dh = NULL;
+	int i;
+ 
+	/* for Logjam, rev up the minimum DH group size to 1024 bit */
+	if (key_length < 1024) key_length = 1024;
+
+	/* Do we have params of this length already? */
+	LDAP_MUTEX_LOCK( &tlso_dh_mutex );
+	for ( p = tlso_dhparams; p; p=p->next ) {
+
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Dec  2 12:51:10 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+  to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+  to address weak DH size vulnerability (bsc#937766)
+
+-------------------------------------------------------------------
+Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
+  to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
+  (bsc#955210)
+
 -------------------------------------------------------------------
 Fri Oct  9 09:19:35 UTC 2015 - hguo@suse.com

--- a/openldap2-client.spec
+++ b/openldap2-client.spec
@ -46,6 +46,9 @@ Patch5:         0005-pie-compile.dif
 Patch6:         0006-No-Build-date-and-time-in-binaries.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
+Patch10:        0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch11:        0011-Enforce-minimum-DH-size-of-1024.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@ -177,6 +180,9 @@ This package contains the OpenLDAP client libraries.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 cp %{SOURCE5} .

 %build
--- a/openldap2.changes
+++ b/openldap2.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Dec  2 12:50:47 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+  to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+  to address weak DH size vulnerability (bsc#937766)
+
+-------------------------------------------------------------------
+Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
+  to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
+  (bsc#955210)
+
 -------------------------------------------------------------------
 Fri Oct  9 09:19:35 UTC 2015 - hguo@suse.com

--- a/openldap2.spec
+++ b/openldap2.spec
@ -46,6 +46,9 @@ Patch5:         0005-pie-compile.dif
 Patch6:         0006-No-Build-date-and-time-in-binaries.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
 Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
+Patch10:        0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch11:        0011-Enforce-minimum-DH-size-of-1024.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@ -177,6 +180,9 @@ This package contains the OpenLDAP client libraries.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 cp %{SOURCE5} .

 %build