From dc3d146869d955d81cce1d89081a557b01d8404f121185071e1da983fc736844 Mon Sep 17 00:00:00 2001
From: Howard Guo
Date: Wed, 2 Dec 2015 12:58:25 +0000
Subject: [PATCH] - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=143
---
 ...vert-ITS-8240-remove-obsolete-assert.patch | 27 +++++++++++++++++++
 0011-Enforce-minimum-DH-size-of-1024.patch | 24 +++++++++++++++++
 openldap2-client.changes | 8 ++++++
 openldap2-client.spec | 4 +++
 openldap2.changes | 8 ++++++
 openldap2.spec | 2 ++
 6 files changed, 73 insertions(+)
 create mode 100644 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
 create mode 100644 0011-Enforce-minimum-DH-size-of-1024.patch
diff --git a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
new file mode 100644
index 0000000..a85b81a
--- /dev/null
+++ b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
@@ -0,0 +1,27 @@
+From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Sat, 12 Sep 2015 22:18:22 +0100
+Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
+
+We have never documented our use of assert, so can't expect
+builders to do the right thing.
+This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
+
+The commit fixes CVE-2015-6908.
+
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index 85c3e23..c05dcf8 100644
+--- a/libraries/liblber/io.c
++++ b/libraries/liblber/io.c
+@@ -679,7 +679,7 @@ done:
+ return (ber->ber_tag);
+ }
+
+- assert( 0 ); /* ber structure is messed up ?*/
++ /* invalid input */
+ return LBER_DEFAULT;
+ }
+
+--
+2.6.3
+
diff --git a/0011-Enforce-minimum-DH-size-of-1024.patch b/0011-Enforce-minimum-DH-size-of-1024.patch
new file mode 100644
index 0000000..db4b18c
--- /dev/null
+++ b/0011-Enforce-minimum-DH-size-of-1024.patch
@@ -0,0 +1,24 @@
+The patch was authored by Marcus Meissner on 2015-07-13
+to address weak DH size vulnerability.
+
+--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
++++ openldap-2.4.26/libraries/libldap/tls_o.c
+@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
+ -----END DH PARAMETERS-----\n";
+
+ static const struct dhinfo tlso_dhpem[] = {
+- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
+ { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
+ { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
+ { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
+@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
+ DH *dh = NULL;
+ int i;
+
++ /* for Logjam, rev up the minimum DH group size to 1024 bit */
++ if (key_length < 1024) key_length = 1024;
++
+ /* Do we have params of this length already? */
+ LDAP_MUTEX_LOCK( &tlso_dh_mutex );
+ for ( p = tlso_dhparams; p; p=p->next ) {
+
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 9b75618..c45cbc2 100644
--- a/openldap2-client.changes
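Review bot: The comment that replaces the assert in the io.c hunk of patch 0010, `/* invalid input */`, does not record why aborting was the wrong response at this point, so a later reader of liblber has to dig the rationale out of the packaging changelog. Consider `/* malformed BER: return an error instead of aborting the process (ITS#8240, CVE-2015-6908) */` so the security reasoning travels with the code rather than with the distribution patch header. The enclosing function begins before the hunk; only its `done:` tail is visible here.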
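Review bot: Patch 0011 removes the 512-bit entry from `tlso_dhpem[]` and floors `key_length` at 1024 in `tlso_tmp_dh_cb`, but the PEM blob `tlso_dhpem512` that fed the removed entry is referenced nowhere else in the patch and presumably stays defined above the first hunk, now unused; drop it in the same patch or expect an unused-variable warning from the build. The floor also overrides whatever size OpenSSL requested for export-grade suites via `is_export`, and the added comment only names Logjam, so spell that out, e.g. `/* Logjam: never hand out a group below 1024 bits, even when is_export asks for one */`. The body of `tlso_tmp_dh_cb` continues past the second hunk, so whether a caller can still reach a smaller cached entry via `tlso_dhparams` cannot be confirmed from here.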
+++ b/openldap2-client.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+ to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ to address weak DH size vulnerability (bsc#937766)
+
 -------------------------------------------------------------------
 Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
diff --git a/openldap2-client.spec b/openldap2-client.spec
index dfc70cc..d613e96 100644
--- a/openldap2-client.spec
+++ b/openldap2-client.spec
@@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
 Patch7: 0007-Recover-on-DB-version-change.dif
 Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
+Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -179,6 +181,8 @@ This package contains the OpenLDAP client libraries.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 cp %{SOURCE5} .
 %build
diff --git a/openldap2.changes b/openldap2.changes
index 8d7211c..d854536 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+ to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ to address weak DH size vulnerability (bsc#937766)
+
 -------------------------------------------------------------------
 Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
diff --git a/openldap2.spec b/openldap2.spec
index 8df31f0..652e253 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif
 Patch7: 0007-Recover-on-DB-version-change.dif
 Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
+Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
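Review bot: Patch10 and Patch11 are declared here in openldap2.spec, but the diffstat lists only 2 insertions for this file, so unlike openldap2-client.spec there is no matching `%patch10 -p1` / `%patch11 -p1` in its %prep; unless this spec applies patches automatically (nothing in the diff shows that), the server package is built without the CVE-2015-6908 fix and the DH floor while its changelog claims both. Add `%patch10 -p1` and `%patch11 -p1` after the existing `%patch9 -p1` line in openldap2.spec's %prep, mirroring the openldap2-client.spec hunk at -179,6 +181,8. A quick check of the built server binaries (or of the prep log) would confirm the patches actually land.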