Accepting request 718342 from home:stroeder:branches:network:ldap

- Update to upstream release 2.4.48 with security fixes:
  * CVE-2019-13057 (ITS#9038):
    rootdn of any db can assert any identity
  * CVE-2019-13565 (ITS#9052):
    Unauthorized access caused by incorrect handling of SASL SSF values
- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
  (see also bsc#1073313, comment #36)
- Removed obsolete patches:
  * 0002-openldap-its8727-plug-ber-leaks.patch
  * 0017-Fix-segfault-in-nops.patch

Note that I disabled slapo-nops instead of rebasing 0017-Fix-segfault-in-nops.patch which is somewhat debatable. You can take it or leave it.

OBS-URL: https://build.opensuse.org/request/show/718342
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=247

0002-openldap-its8727-plug-ber-leaks.patch

@@ -1,26 +0,0 @@
-From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Tue, 17 Jan 2017 11:35:54 +0000
-Subject: ITS#8727 plug ber leaks
-
-
-diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
-index 31145432f..7d2d7a458 100644
---- a/libraries/libldap/request.c
-+++ b/libraries/libldap/request.c
-@@ -315,6 +315,7 @@ ldap_send_server_request(
- 		LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
- 		if ( rc == -1 ) {
- 			ld->ld_errno = LDAP_ENCODING_ERROR;
-+			ber_free( ber, 1 );
- 			LDAP_CONN_UNLOCK_IF(m_noconn);
- 			return rc;
- 		}
-@@ -334,6 +335,7 @@ ldap_send_server_request(
- 		rc = -1;
- 	}
- 	if ( rc ) {
-+		ber_free( ber, 1 );
- 		LDAP_CONN_UNLOCK_IF(m_noconn);
- 		return rc;
- 	}

0017-Fix-segfault-in-nops.patch

@@ -1,35 +0,0 @@
-diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
-index 54c24682a..06945d811 100644
---- a/servers/slapd/overlays/memberof.c
-+++ b/servers/slapd/overlays/memberof.c
-@@ -360,10 +360,16 @@ memberof_value_modify(
- 	unsigned long opid = op->o_opid;
- 	SlapReply	rs2 = { REP_RESULT };
- 	slap_callback	cb = { NULL, slap_null_cb, NULL, NULL };
--	Modifications	mod[ 2 ] = { { { 0 } } }, *ml;
--	struct berval	values[ 4 ], nvalues[ 4 ];
-+	Modifications	*mod, *ml;
-+	struct berval   *values, *nvalues;
- 	int		mcnt = 0;
- 
-+	mod = (Modifications*)malloc(2 * sizeof(Modifications));
-+	memset(mod, 0, 2 * sizeof(Modifications));
-+
-+	values = (struct berval*)malloc(4 * sizeof(struct berval));
-+	nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
-+
- 	op2.o_tag = LDAP_REQ_MODIFY;
- 
- 	op2.o_req_dn = *ndn;
-@@ -493,6 +499,11 @@ memberof_value_modify(
- 	/* restore original opid */
- 	op->o_opid = opid;
- 
-+
-+	slap_mods_free( mod, 0 );
-+	free(values);
-+	free(nvalues);
-+
- 	/* FIXME: if old_group_ndn doesn't exist, both delete __and__
- 	 * add will fail; better split in two operations, although
- 	 * not optimal in terms of performance.  At least it would

openldap-2.4.47.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f54c5877865233d9ada77c60c0f69b3e0bfd8b1b55889504c650047cc305520b
-size 5699678

openldap-2.4.48.tgz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d9523ffcab5cd14b709fcf3cb4d04e8bc76bb8970113255f372bc74954c6074d
+size 5704883

openldap2.changes

@@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder <michael@stroeder.com>
+
+- Update to upstream release 2.4.48 with security fixes:
+  * CVE-2019-13057 (ITS#9038):
+    rootdn of any db can assert any identity
+  * CVE-2019-13565 (ITS#9052):
+    Unauthorized access caused by incorrect handling of SASL SSF values
+- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream
+  (see also bsc#1073313, comment #36)
+- Removed obsolete patches:
+  * 0002-openldap-its8727-plug-ber-leaks.patch
+  * 0017-Fix-segfault-in-nops.patch
+
+OpenLDAP 2.4.48 (2019/07/24)
+  Added libldap OpenSSL Elliptic Curve support (ITS#7595)
+  Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
+  Added slapd-monitor support for slapd-mdb (ITS#7770)
+  Fixed liblber leaks (ITS#8727)
+  Fixed liblber with partial flush (ITS#8864)
+  Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
+  Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
+  Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
+  Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
+  Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
+  Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
+  Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
+  Fixed libldap to correctly close TLS connection (ITS#8755)
+  Fixed libldap with non-blocking TLS and referals (ITS#8167)
+  Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
+  Fixed liblunicode case correspondance (ITS#8508)
+  Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
+  Fixed slapd config parser variable for Windows64 (ITS#9012)
+  Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
+  Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
+  Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
+  Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
+  Fixed slapd to initialize SASL SSF per connection (ITS#9052)
+  Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
+  Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
+  Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
+  Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
+  Fixed slapd-meta assertion when network interface goes down (ITS#8841)
+  Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
+  Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
+  Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
+  Fixed slapo-accesslog possible assert with exops (ITS#8971)
+  Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
+  Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
+  Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
+  Fixed slapo-memberof for group name change to itself (ITS#9000)
+  Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
+  Fixed slapo-rwm to not free original filter (ITS#8964)
+  Fixed slapo-syncprov contextCSN generation (ITS#9015)
+  Build Environment
+    Fixed slapd to only link to BDB libraries with static build (ITS#8948)
+    Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
+    Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
+  Documentation
+    General - Fixed minor typos (ITS#8764, ITS#8761)
+    admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
+    slapd.access(5) - Note MDB is the primary backend (ITS#8881)
+    slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
+    slapd-ldap(5) - Document starttls parameter (ITS#8693)
+  Contrib
+    Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
+
 -------------------------------------------------------------------
 Tue May 14 04:33:38 UTC 2019 - William Brown <william.brown@suse.com>
 

openldap2.spec

@@ -22,7 +22,7 @@
 %endif
 
 %define run_test_suite 0
-%define version_main 2.4.47
+%define version_main 2.4.48
 
 %if %{suse_version} >= 1310 && %{suse_version} != 1315
 %define  _rundir /run/slapd
@@ -58,7 +58,6 @@ Source16:       sysconfig.openldap
 Source17:       openldap_update_modules_path.sh
 Source18:       openldap2.conf
 Patch1:         0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
-Patch2:         0002-openldap-its8727-plug-ber-leaks.patch
 Patch3:         0003-LDAPI-socket-location.dif
 Patch5:         0005-pie-compile.dif
 Patch7:         0007-Recover-on-DB-version-change.dif
@@ -67,7 +66,6 @@ Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
 Patch11:        0011-openldap-re24-its7796.patch
 Patch15:        openldap-r-only.dif
 Patch16:        0016-Clear-shared-key-only-in-close-function.patch
-Patch17:        0017-Fix-segfault-in-nops.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@@ -169,7 +167,6 @@ cloak
 denyop
 lastbind      writes last bind timestamp to entry
 noopsrch      handles no-op search control
-nops
 pw-sha2       generates/validates SHA-2 password hashes
 pw-pbkdf2     generates/validates PBKDF2 password hashes
 smbk5pwd      generates Samba3 password hashes (heimdal krb disabled)
@@ -256,7 +253,6 @@ gzip -k %{S:203}
 # Unpack and patch OpenLDAP 2.4
 %setup -q -a 9 -n openldap-%{version_main}
 %patch1 -p1
-%patch2 -p1
 %patch3 -p1
 %patch5 -p1
 %patch7 -p1
@@ -265,7 +261,6 @@ gzip -k %{S:203}
 %patch11 -p1
 %patch15 -p1
 %patch16 -p1
-%patch17 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@@ -312,7 +307,7 @@ export STRIP=""
 make depend
 make %{?_smp_mflags}
 # Build selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
 done
@@ -356,7 +351,7 @@ make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdi
 # Additional symbolic link to slapd executable in /usr/sbin/
 ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
 # Install selected contrib overlays
-for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
+for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
   make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
@@ -589,7 +584,6 @@ fi
 %{_libdir}/openldap/autogroup.*
 %{_libdir}/openldap/lastbind.*
 %{_libdir}/openldap/noopsrch.*
-%{_libdir}/openldap/nops.*
 %{_libdir}/openldap/pw-sha2.*
 %{_libdir}/openldap/pw-pbkdf2.*
 %{_libdir}/openldap/denyop.*