forked from jengelh/openldap2
Accepting request 347172 from network:ldap
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210) - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210) OBS-URL: https://build.opensuse.org/request/show/347172 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=114
This commit is contained in:
commit
465adf6f01
73
0009-Fix-ldap-host-lookup-ipv6.patch
Normal file
73
0009-Fix-ldap-host-lookup-ipv6.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive
|
||||||
|
LDAP host lookups in IPv6 environment.
|
||||||
|
|
||||||
|
---
|
||||||
|
libraries/libldap/util-int.c | 39 +++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 37 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
Index: openldap-2.4.41/libraries/libldap/util-int.c
|
||||||
|
===================================================================
|
||||||
|
--- openldap-2.4.41.orig/libraries/libldap/util-int.c
|
||||||
|
+++ openldap-2.4.41/libraries/libldap/util-int.c
|
||||||
|
@@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i
|
||||||
|
|
||||||
|
char * ldap_pvt_get_fqdn( char *name )
|
||||||
|
{
|
||||||
|
- char *fqdn, *ha_buf;
|
||||||
|
+ int rc;
|
||||||
|
+ char *fqdn;
|
||||||
|
char hostbuf[MAXHOSTNAMELEN+1];
|
||||||
|
+#ifdef HAVE_GETADDRINFO
|
||||||
|
+ struct addrinfo hints, *res;
|
||||||
|
+#else
|
||||||
|
+ char *ha_buf;
|
||||||
|
struct hostent *hp, he_buf;
|
||||||
|
- int rc, local_h_errno;
|
||||||
|
+ int local_h_errno;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
if( name == NULL ) {
|
||||||
|
if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) {
|
||||||
|
@@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name )
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_GETADDRINFO
|
||||||
|
+ memset( &hints, '\0', sizeof( hints ) );
|
||||||
|
+ hints.ai_family = AF_UNSPEC;
|
||||||
|
+ hints.ai_socktype = SOCK_STREAM;
|
||||||
|
+ hints.ai_flags |= AI_CANONNAME;
|
||||||
|
+
|
||||||
|
+ /* most getaddrinfo(3) use non-threadsafe resolver libraries */
|
||||||
|
+ LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
|
||||||
|
+
|
||||||
|
+ rc = getaddrinfo( name, NULL, &hints, &res );
|
||||||
|
+
|
||||||
|
+ LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
|
||||||
|
+
|
||||||
|
+ if ( rc != 0 ) {
|
||||||
|
+ fqdn = LDAP_STRDUP( name );
|
||||||
|
+ } else {
|
||||||
|
+ while ( res ) {
|
||||||
|
+ if ( res->ai_canonname ) {
|
||||||
|
+ fqdn = LDAP_STRDUP ( res->ai_canonname );
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ res = res->ai_next;
|
||||||
|
+ }
|
||||||
|
+ freeaddrinfo( res );
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
+
|
||||||
|
rc = ldap_pvt_gethostbyname_a( name,
|
||||||
|
&he_buf, &ha_buf, &hp, &local_h_errno );
|
||||||
|
|
||||||
|
@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name )
|
||||||
|
}
|
||||||
|
|
||||||
|
LDAP_FREE( ha_buf );
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return fqdn;
|
||||||
|
}
|
||||||
|
|
27
0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Normal file
27
0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Howard Chu <hyc@symas.com>
|
||||||
|
Date: Sat, 12 Sep 2015 22:18:22 +0100
|
||||||
|
Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
|
||||||
|
|
||||||
|
We have never documented our use of assert, so can't expect
|
||||||
|
builders to do the right thing.
|
||||||
|
This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
|
||||||
|
|
||||||
|
The commit fixes CVE-2015-6908.
|
||||||
|
|
||||||
|
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
|
||||||
|
index 85c3e23..c05dcf8 100644
|
||||||
|
--- a/libraries/liblber/io.c
|
||||||
|
+++ b/libraries/liblber/io.c
|
||||||
|
@@ -679,7 +679,7 @@ done:
|
||||||
|
return (ber->ber_tag);
|
||||||
|
}
|
||||||
|
|
||||||
|
- assert( 0 ); /* ber structure is messed up ?*/
|
||||||
|
+ /* invalid input */
|
||||||
|
return LBER_DEFAULT;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.6.3
|
||||||
|
|
24
0011-Enforce-minimum-DH-size-of-1024.patch
Normal file
24
0011-Enforce-minimum-DH-size-of-1024.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
The patch was authored by Marcus Meissner <meissner@suse.com> on 2015-07-13
|
||||||
|
to address weak DH size vulnerability.
|
||||||
|
|
||||||
|
--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
|
||||||
|
+++ openldap-2.4.26/libraries/libldap/tls_o.c
|
||||||
|
@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
|
||||||
|
-----END DH PARAMETERS-----\n";
|
||||||
|
|
||||||
|
static const struct dhinfo tlso_dhpem[] = {
|
||||||
|
- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
|
||||||
|
{ 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
|
||||||
|
{ 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
|
||||||
|
{ 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
|
||||||
|
@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
|
||||||
|
DH *dh = NULL;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
+ /* for Logjam, rev up the minimum DH group size to 1024 bit */
|
||||||
|
+ if (key_length < 1024) key_length = 1024;
|
||||||
|
+
|
||||||
|
/* Do we have params of this length already? */
|
||||||
|
LDAP_MUTEX_LOCK( &tlso_dh_mutex );
|
||||||
|
for ( p = tlso_dhparams; p; p=p->next ) {
|
||||||
|
|
@ -1,3 +1,18 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
|
||||||
|
to fix CVE-2015-6908. (bsc#945582)
|
||||||
|
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
|
||||||
|
to address weak DH size vulnerability (bsc#937766)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
|
to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
|
||||||
|
(bsc#955210)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
|
Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
@ -46,6 +46,9 @@ Patch5: 0005-pie-compile.dif
|
|||||||
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
||||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||||
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||||
|
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
|
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
|
||||||
|
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: cyrus-sasl-devel
|
BuildRequires: cyrus-sasl-devel
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
@ -177,6 +180,9 @@ This package contains the OpenLDAP client libraries.
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
cp %{SOURCE5} .
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
@ -1,3 +1,18 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
|
||||||
|
to fix CVE-2015-6908. (bsc#945582)
|
||||||
|
- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
|
||||||
|
to address weak DH size vulnerability (bsc#937766)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
|
to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
|
||||||
|
(bsc#955210)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
|
Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
@ -46,6 +46,9 @@ Patch5: 0005-pie-compile.dif
|
|||||||
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
|
||||||
Patch7: 0007-Recover-on-DB-version-change.dif
|
Patch7: 0007-Recover-on-DB-version-change.dif
|
||||||
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||||
|
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||||
|
Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
|
||||||
|
Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: cyrus-sasl-devel
|
BuildRequires: cyrus-sasl-devel
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
@ -177,6 +180,9 @@ This package contains the OpenLDAP client libraries.
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
cp %{SOURCE5} .
|
cp %{SOURCE5} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
Loading…
Reference in New Issue
Block a user