diff --git a/.openldap.metadata b/.openldap.metadata index 80bf8dc..5df585c 100644 --- a/.openldap.metadata +++ b/.openldap.metadata @@ -1,2 +1,2 @@ -db02243150b050baac6a8ea4145ad73a1f6d2266 SOURCES/openldap-2.4.35.tgz 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz +2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf index 661a259..aa6f8fd 100644 --- a/SOURCES/ldap.conf +++ b/SOURCES/ldap.conf @@ -15,4 +15,4 @@ TLS_CACERTDIR /etc/openldap/certs # Turning this off breaks GSSAPI used with krb5 when rdns = false -SASL_NOCANON on \ No newline at end of file +SASL_NOCANON on diff --git a/SOURCES/openldap-cldap.patch b/SOURCES/openldap-cldap.patch deleted file mode 100644 index 834b74f..0000000 --- a/SOURCES/openldap-cldap.patch +++ /dev/null 
@@ -1,270 +0,0 @@ -This is a 3-part patch that fixes connectionless ldap when used with IPv6. -================================================================================ -Don't try to parse the result of a CLDAP bind request. Since these are -faked, no message is actually returned. - -Author: Stef Walter -Upstream commit: 5c919894779d67280fa26afdd94d99248fc38099 -ITS: #7695 -Backported-By: Jan Synacek - ---- a/clients/tools/common.c 2013-08-16 20:12:59.000000000 +0200 -+++ b/clients/tools/common.c 2013-10-14 09:35:50.817033451 +0200 -@@ -1521,11 +1521,13 @@ tool_bind( LDAP *ld ) - tool_exit( ld, LDAP_LOCAL_ERROR ); - } - -- rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs, -- &ctrls, 1 ); -- if ( rc != LDAP_SUCCESS ) { -- tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs ); -- tool_exit( ld, LDAP_LOCAL_ERROR ); -+ if ( result ) { -+ rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs, -+ &ctrls, 1 ); -+ if ( rc != LDAP_SUCCESS ) { -+ tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs ); -+ tool_exit( ld, LDAP_LOCAL_ERROR ); -+ } - } - - #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST -================================================================================ -commit d51ee964fc5e1f02b035811de0f95eee81c2789f -Author: Howard Chu -Date: Thu Oct 10 10:48:08 2013 -0700 - - ITS#7694 more for IPv6 CLDAP, slapd fix - -diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c -index e169494..7ed3f63 100644 ---- a/servers/slapd/connection.c -+++ b/servers/slapd/connection.c -@@ -1499,22 +1499,53 @@ connection_input( Connection *conn , conn_readinfo *cri ) - - #ifdef LDAP_CONNECTIONLESS - if ( conn->c_is_udp ) { -+#if defined(LDAP_PF_INET6) -+ char peername[sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")]; -+ char addr[INET6_ADDRSTRLEN]; -+#else - char peername[sizeof("IP=255.255.255.255:65336")]; -+ char addr[INET_ADDRSTRLEN]; -+#endif - const char *peeraddr_string = NULL; - -- len 
= ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(struct sockaddr)); -- if (len != sizeof(struct sockaddr)) return 1; -+ len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(Sockaddr)); -+ if (len != sizeof(Sockaddr)) return 1; - -+#if defined(LDAP_PF_INET6) -+ if (peeraddr.sa_addr.sa_family == AF_INET6) { -+ if ( IN6_IS_ADDR_V4MAPPED(&peeraddr.sa_in6_addr.sin6_addr) ) { - #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) -- char addr[INET_ADDRSTRLEN]; -- peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr, -+ peeraddr_string = inet_ntop( AF_INET, -+ ((struct in_addr *)&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]), -+ addr, sizeof(addr) ); -+#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ -+ peeraddr_string = inet_ntoa( *((struct in_addr *) -+ &peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]) ); -+#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ -+ if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN; -+ sprintf( peername, "IP=%s:%d", peeraddr_string, -+ (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) ); -+ } else { -+ peeraddr_string = inet_ntop( AF_INET6, -+ &peeraddr.sa_in6_addr.sin6_addr, -+ addr, sizeof addr ); -+ if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN; -+ sprintf( peername, "IP=[%s]:%d", peeraddr_string, -+ (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) ); -+ } -+ } else -+#endif -+#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) -+ { -+ peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr, - addr, sizeof(addr) ); - #else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ -- peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr ); -+ peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr ); - #endif /* ! HAVE_GETADDRINFO || ! 
HAVE_INET_NTOP */ -- sprintf( peername, "IP=%s:%d", -- peeraddr_string, -- (unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) ); -+ sprintf( peername, "IP=%s:%d", -+ peeraddr_string, -+ (unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) ); -+ } - Statslog( LDAP_DEBUG_STATS, - "conn=%lu UDP request from %s (%s) accepted.\n", - conn->c_connid, peername, conn->c_sock_name.bv_val, 0, 0 ); -================================================================================ -commit 743a9783d57ea6b693e56f6545ac5d68dc9242c7 -Author: Stef Walter -Date: Thu Sep 12 15:49:36 2013 +0200 - - ITS#7694 Fix use of IPv6 with LDAP_CONNECTIONLESS - - LDAP_CONNECTIONLESS code assumed that the size of an peer address - is equal to or smaller than sizeof (struct sockaddr). - - Fix to use struct sockaddr_storage instead which is intended for - this purpose. Use getnameinfo() where appropriate so we don't - assume anything about the contents of struct sockaddr - -diff --git a/libraries/liblber/sockbuf.c b/libraries/liblber/sockbuf.c -index d997e92..858c942 100644 ---- a/libraries/liblber/sockbuf.c -+++ b/libraries/liblber/sockbuf.c -@@ -888,8 +888,8 @@ Sockbuf_IO ber_sockbuf_io_debug = { - * - * All I/O at this level must be atomic. For ease of use, the sb_readahead - * must be used above this module. All data reads and writes are prefixed -- * with a sockaddr containing the address of the remote entity. Upper levels -- * must read and write this sockaddr before doing the usual ber_printf/scanf -+ * with a sockaddr_storage containing the address of the remote entity. Upper levels -+ * must read and write this sockaddr_storage before doing the usual ber_printf/scanf - * operations on LDAP messages. 
- */ - -@@ -914,13 +914,13 @@ sb_dgram_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) - assert( SOCKBUF_VALID( sbiod->sbiod_sb ) ); - assert( buf != NULL ); - -- addrlen = sizeof( struct sockaddr ); -+ addrlen = sizeof( struct sockaddr_storage ); - src = buf; - buf = (char *) buf + addrlen; - len -= addrlen; - rc = recvfrom( sbiod->sbiod_sb->sb_fd, buf, len, 0, src, &addrlen ); - -- return rc > 0 ? rc+sizeof(struct sockaddr) : rc; -+ return rc > 0 ? rc+sizeof(struct sockaddr_storage) : rc; - } - - static ber_slen_t -@@ -934,11 +934,11 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) - assert( buf != NULL ); - - dst = buf; -- buf = (char *) buf + sizeof( struct sockaddr ); -- len -= sizeof( struct sockaddr ); -+ buf = (char *) buf + sizeof( struct sockaddr_storage ); -+ len -= sizeof( struct sockaddr_storage ); - - rc = sendto( sbiod->sbiod_sb->sb_fd, buf, len, 0, dst, -- sizeof( struct sockaddr ) ); -+ sizeof( struct sockaddr_storage ) ); - - if ( rc < 0 ) return -1; - -@@ -949,7 +949,7 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) - # endif - return -1; - } -- rc = len + sizeof(struct sockaddr); -+ rc = len + sizeof(struct sockaddr_storage); - return rc; - } - -diff --git a/libraries/libldap/abandon.c b/libraries/libldap/abandon.c -index d999b07..8fd9bc2 100644 ---- a/libraries/libldap/abandon.c -+++ b/libraries/libldap/abandon.c -@@ -209,7 +209,7 @@ start_again:; - LDAP_NEXT_MSGID(ld, i); - #ifdef LDAP_CONNECTIONLESS - if ( LDAP_IS_UDP(ld) ) { -- struct sockaddr sa = {0}; -+ struct sockaddr_storage sa = {0}; - /* dummy, filled with ldo_peer in request.c */ - err = ber_write( ber, (char *) &sa, sizeof(sa), 0 ); - } -diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c -index 24d8a41..5b2613a 100644 ---- a/libraries/libldap/open.c -+++ b/libraries/libldap/open.c -@@ -268,6 +268,7 @@ ldap_init_fd( - int rc; - LDAP *ld; - LDAPConn *conn; -+ socklen_t len; - - *ldp = NULL; - rc = ldap_create( &ld ); 
-@@ -308,6 +309,15 @@ ldap_init_fd( - - #ifdef LDAP_CONNECTIONLESS - case LDAP_PROTO_UDP: -+ LDAP_IS_UDP(ld) = 1; -+ if( ld->ld_options.ldo_peer ) -+ ldap_memfree( ld->ld_options.ldo_peer ); -+ ld->ld_options.ldo_peer = ldap_memalloc( sizeof( struct sockaddr_storage ) ); -+ len = sizeof( struct sockaddr_storage ); -+ if( getpeername ( fd, ld->ld_options.ldo_peer, &len ) < 0) { -+ ldap_unbind_ext( ld, NULL, NULL ); -+ return( AC_SOCKET_ERROR ); -+ } - #ifdef LDAP_DEBUG - ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug, - LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" ); -diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c -index b31e05d..90b92df 100644 ---- a/libraries/libldap/os-ip.c -+++ b/libraries/libldap/os-ip.c -@@ -422,8 +422,8 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s, - if (LDAP_IS_UDP(ld)) { - if (ld->ld_options.ldo_peer) - ldap_memfree(ld->ld_options.ldo_peer); -- ld->ld_options.ldo_peer=ldap_memalloc(sizeof(struct sockaddr)); -- AC_MEMCPY(ld->ld_options.ldo_peer,sin,sizeof(struct sockaddr)); -+ ld->ld_options.ldo_peer=ldap_memcalloc(1, sizeof(struct sockaddr_storage)); -+ AC_MEMCPY(ld->ld_options.ldo_peer,sin,addrlen); - return ( 0 ); - } - #endif -diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c -index fc2f4d0..4822a63 100644 ---- a/libraries/libldap/request.c -+++ b/libraries/libldap/request.c -@@ -308,7 +308,7 @@ ldap_send_server_request( - ber_rewind( &tmpber ); - LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex ); - rc = ber_write( &tmpber, ld->ld_options.ldo_peer, -- sizeof( struct sockaddr ), 0 ); -+ sizeof( struct sockaddr_storage ), 0 ); - LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex ); - if ( rc == -1 ) { - ld->ld_errno = LDAP_ENCODING_ERROR; -diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c -index f2a6c7b..d293299 100644 ---- a/libraries/libldap/result.c -+++ b/libraries/libldap/result.c -@@ -482,8 +482,8 @@ retry: - sock_errset(0); - #ifdef LDAP_CONNECTIONLESS - if ( LDAP_IS_UDP(ld) ) 
{ -- struct sockaddr from; -- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr) ); -+ struct sockaddr_storage from; -+ ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ); - if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1; - } - nextresp3: -diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c -index 3867b5b..b966d1a 100644 ---- a/libraries/libldap/search.c -+++ b/libraries/libldap/search.c -@@ -305,7 +305,7 @@ ldap_build_search_req( - LDAP_NEXT_MSGID( ld, *idp ); - #ifdef LDAP_CONNECTIONLESS - if ( LDAP_IS_UDP(ld) ) { -- struct sockaddr sa = {0}; -+ struct sockaddr_storage sa = {0}; - /* dummy, filled with ldo_peer in request.c */ - err = ber_write( ber, (char *) &sa, sizeof( sa ), 0 ); - } diff --git a/SOURCES/openldap-doc1.patch b/SOURCES/openldap-doc1.patch deleted file mode 100644 index 13c4c41..0000000 --- a/SOURCES/openldap-doc1.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Upstream ITS: #7568 - -From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Tue, 9 Apr 2013 12:41:38 +0200 -Subject: [PATCH 1/2] Fix typos in ldap.conf.5 - ---- - doc/man/man5/ldap.conf.5 | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 -index cfde143..8f7fecd 100644 ---- a/doc/man/man5/ldap.conf.5 -+++ b/doc/man/man5/ldap.conf.5 -@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG) - should be used. The default is off. - .TP - .B GSSAPI_ALLOW_REMOTE_PRINCIPAL --Specifies if GSSAPI based authentification should try to form the -+Specifies if GSSAPI based authentication should try to form the - target principal name out of the ldapServiceName or dnsHostName - attribute of the targets RootDSE entry. The default is off. - .SH TLS OPTIONS -@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully. - When using Mozilla NSS, TLS_KEY specifies the name of a file that contains - the password for the key for the certificate specified with TLS_CERT. The - modutil command can be used to turn off password protection for the cert/key --database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as -+database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as - the location of the cert/key database, use modutil to change the password - to the empty string: - .nf --- -1.8.1.4 - diff --git a/SOURCES/openldap-doc2.patch b/SOURCES/openldap-doc2.patch deleted file mode 100644 index 47b1c13..0000000 --- a/SOURCES/openldap-doc2.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Upstream ITS: #7568 - -From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Tue, 9 Apr 2013 12:42:31 +0200 -Subject: [PATCH 2/2] Add -Q to slaptest's help - ---- - servers/slapd/slapcommon.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c -index 714e2bc..153310f 100644 ---- a/servers/slapd/slapcommon.c -+++ b/servers/slapd/slapcommon.c -@@ -92,7 +92,7 @@ usage( int tool, const char *progname ) - break; - - case SLAPTEST: -- options = " [-n databasenumber] [-u]\n"; -+ options = " [-n databasenumber] [-u] [-Q]\n"; - break; - - case SLAPSCHEMA: --- -1.8.1.4 - diff --git a/SOURCES/openldap-doc3.patch b/SOURCES/openldap-doc3.patch deleted file mode 100644 index d0e7821..0000000 --- a/SOURCES/openldap-doc3.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 128a8c486e86b8e8c8d34f0eb9fdc0b580212e5b Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Tue, 3 Sep 2013 14:09:37 +0200 -Subject: [PATCH] Fix typos in manpages. - ---- - doc/man/man1/ldapsearch.1 | 2 +- - doc/man/man5/slapd-passwd.5 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 -index 82ddddb..150f064 100644 ---- a/doc/man/man1/ldapsearch.1 -+++ b/doc/man/man1/ldapsearch.1 -@@ -456,7 +456,7 @@ This command: - .fi - .LP - will perform a one-level search at the c=US level for all entries --whose organization name (o) begins begins with \fBUniversity\fP. -+whose organization name (o) begins with \fBUniversity\fP. - The organization name and description attribute values will be retrieved - and printed to standard output, resulting in output similar to this: - .LP -diff --git a/doc/man/man5/slapd-passwd.5 b/doc/man/man5/slapd-passwd.5 -index fbd30f2..2dc5c5d 100644 ---- a/doc/man/man5/slapd-passwd.5 -+++ b/doc/man/man5/slapd-passwd.5 -@@ -13,7 +13,7 @@ serves up the user account information listed in the system - .BR passwd (5) - file. This backend is provided for demonstration purposes only. - The DN of each entry is "uid=,". --Note that non-base searches scan the the entire passwd file, and -+Note that non-base searches scan the entire passwd file, and - are best suited for hosts with small passwd files. - .SH CONFIGURATION - This --- -1.8.3.1 - diff --git a/SOURCES/openldap-loglevel2bvarray.patch b/SOURCES/openldap-loglevel2bvarray.patch deleted file mode 100644 index 1a0e766..0000000 --- a/SOURCES/openldap-loglevel2bvarray.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Wed, 29 May 2013 10:21:40 +0200 -Subject: [PATCH] Fix loglevel2bvarray - ---- - servers/slapd/bconfig.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 4e1f1b5..def6daf 100644 ---- a/servers/slapd/bconfig.c -+++ b/servers/slapd/bconfig.c -@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva ) - loglevel_init(); - } - -+ if ( l == 0 ) { -+ return value_add_one( bva, ber_bvstr( "0" ) ); -+ } -+ - return mask_to_verbs( loglevel_ops, l, bva ); - } - --- -1.8.1.4 - diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch index 1678b38..b69a391 100644 --- a/SOURCES/openldap-manpages.patch +++ b/SOURCES/openldap-manpages.patch @@ -6,13 +6,12 @@ diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 index 3def6da..466c772 100644 --- a/doc/man/man1/ldapmodify.1 +++ b/doc/man/man1/ldapmodify.1 -@@ -397,9 +397,7 @@ exit status and a diagnostic message being written to standard error. +@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. .BR ldap_add_ext (3), .BR ldap_delete_ext (3), .BR ldap_modify_ext (3), -.BR ldap_modrdn_ext (3), --.BR ldif (5), --.BR slapd.replog (5) +-.BR ldif (5). +.BR ldif (5) .SH AUTHOR The OpenLDAP Project 
@@ -29,44 +28,6 @@ index cfde143..63592cb 100644 This parameter is ignored with GnuTLS. When using Mozilla NSS, may contain a Mozilla NSS cert/key -diff --git a/doc/man/man5/ldif.5 b/doc/man/man5/ldif.5 -index 79615b6..2c06246 100644 ---- a/doc/man/man5/ldif.5 -+++ b/doc/man/man5/ldif.5 -@@ -270,8 +270,7 @@ commands. - .BR ldapmodify (1), - .BR slapadd (8), - .BR slapcat (8), --.BR slapd\-ldif (5), --.BR slapd.replog (5). -+.BR slapd\-ldif (5). - .LP - "LDAP Data Interchange Format," Good, G., RFC 2849. - .SH ACKNOWLEDGEMENTS -diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 -index 742876a..31643c7 100644 ---- a/doc/man/man5/slapd-config.5 -+++ b/doc/man/man5/slapd-config.5 -@@ -2086,7 +2086,6 @@ default slapd configuration directory - .BR slapd.conf (5), - .BR slapd.overlays (5), - .BR slapd.plugin (5), --.BR slapd.replog (5), - .BR slapd (8), - .BR slapacl (8), - .BR slapadd (8), -diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 -index 0a3a955..352cc7e 100644 ---- a/doc/man/man5/slapd.conf.5 -+++ b/doc/man/man5/slapd.conf.5 -@@ -2016,7 +2016,6 @@ default slapd configuration file - .BR slapd.backends (5), - .BR slapd.overlays (5), - .BR slapd.plugin (5), --.BR slapd.replog (5), - .BR slapd (8), - .BR slapacl (8), - .BR slapadd (8), diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 index b739f4d..e2a1a00 100644 --- a/doc/man/man8/slapd.8 diff --git a/SOURCES/openldap-nss-pk11-freeslot.patch b/SOURCES/openldap-nss-pk11-freeslot.patch index 9ac541d..b128253 100644 --- a/SOURCES/openldap-nss-pk11-freeslot.patch +++ b/SOURCES/openldap-nss-pk11-freeslot.patch 
@@ -1,27 +1,23 @@ -Resolves: #929357 +Resolves: #1040324 -From 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec Mon Sep 17 00:00:00 2001 -From: Rich Megginson +Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec +Author: Rich Megginson Date: Thu, 28 Mar 2013 19:05:02 -0600 -Subject: [PATCH] must call PK11_FreeSlot after SECMOD_CloseUserDB to remove ref to slot +Modified by: Jan Synacek ---- - libraries/libldap/tls_m.c | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) +This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39. diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c index 072d41d..c59d303 100644 --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -2063,6 +2063,8 @@ tlsm_ctx_free ( tls_ctx *ctx ) +@@ -2151,6 +2151,8 @@ "TLS: could not close certdb slot - error %d:%s.\n", errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); } + PK11_FreeSlot( c->tc_certdb_slot ); + c->tc_certdb_slot = NULL; } - PL_strfree( c->tc_pin_file ); - c->tc_pin_file = NULL; --- -1.7.1 + if ( c->tc_pin_file ) { + PL_strfree( c->tc_pin_file ); diff --git a/SOURCES/openldap-rwm-reference-counting.patch b/SOURCES/openldap-rwm-reference-counting.patch new file mode 100644 index 0000000..67f4a66 --- /dev/null +++ b/SOURCES/openldap-rwm-reference-counting.patch 
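Review bot: The re-diffed hunk header `+@@ -2151,6 +2151,8 @@` carries no function context, whereas the header it replaces named `tlsm_ctx_free ( tls_ctx *ctx )`, so a reader of the patch file can no longer tell which function the `PK11_FreeSlot( c->tc_certdb_slot );` / `c->tc_certdb_slot = NULL;` lines land in without opening the 2.4.39 tree. Regenerating the hunk with function context (`diff -p`, or `git diff`, which emits it by default) restores that at no cost. The same applies to the two hunks of the new openldap-rwm-reference-counting.patch (`@@ -161,6 +161,7 @@` and `@@ -178,6 +179,7 @@`). The enclosing C function begins and ends outside this hunk.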
@@ -0,0 +1,26 @@ +Author: Jan Synáček +Resolves: #1061405 +Upstream ITS: #7723 + +Correctly count references in rwm overlay. + +--- a/libraries/librewrite/session.c 2010-04-13 22:23:09.000000000 +0200 ++++ b/libraries/librewrite/session.c 2013-11-08 08:47:26.000000000 +0100 +@@ -161,6 +161,7 @@ + #ifdef USE_REWRITE_LDAP_PVT_THREADS + if ( session ) { + ldap_pvt_thread_mutex_lock( &session->ls_mutex ); ++ session->ls_count++; + } + ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex ); + #endif /* USE_REWRITE_LDAP_PVT_THREADS */ +@@ -178,6 +179,7 @@ + ) + { + assert( session != NULL ); ++ session->ls_count--; + ldap_pvt_thread_mutex_unlock( &session->ls_mutex ); + } + + + diff --git a/SOURCES/openldap-security-pie.patch b/SOURCES/openldap-security-pie.patch deleted file mode 100644 index 025c3d4..0000000 --- a/SOURCES/openldap-security-pie.patch +++ /dev/null @@ -1,16 +0,0 @@ -Build slapd as position-independent executable (PIE) to take an advantage of -address space layout randomization (ASLD). - -Author: Thomas Woerner - ---- a/servers/slapd/Makefile.in -+++ b/servers/slapd/Makefile.in -@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE - (cd slapi; $(MAKE) $(MFLAGS) all) - - slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ -- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ -+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \ - $(WRAP_LIBS) - $(RM) $(SLAPTOOLS) - for i in $(SLAPTOOLS); do \ diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index 470c05a..4051012 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -4,8 +4,8 @@ %global check_password_version 1.1 Name: openldap -Version: 2.4.35 -Release: 7%{?dist} +Version: 2.4.39 +Release: 3%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP 
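Review bot: The `session->ls_count++` is added inside the `#ifdef USE_REWRITE_LDAP_PVT_THREADS` block of the first hunk, so a build without that macro never increments the counter; the second hunk places the matching `session->ls_count--` next to an `ldap_pvt_thread_mutex_unlock` call but does not show whether it sits under the same guard, and if it does not, `ls_count` would drift negative on non-threaded builds. Worth confirming against the 2.4.39 source that both sides are guarded alike; both functions start and end outside these hunks. The header names ITS #7723 and #1061405 but not the CVE the spec changelog attributes to this fix; adding a line such as `CVE: CVE-2013-4449` to the patch header, and to the `# rwm reference counting fix, pending upstream inclusion` comment in the spec, keeps the security fix traceable from the patch itself.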
@@ -26,7 +26,6 @@ Source55: libexec-generate-server-cert.sh # patches for 2.4 Patch0: openldap-manpages.patch -Patch1: openldap-security-pie.patch Patch2: openldap-sql-linking.patch Patch3: openldap-reentrant-gethostby.patch Patch4: openldap-smbk5pwd-overlay.patch @@ -42,9 +41,6 @@ Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch Patch14: openldap-nss-ignore-certdb-type-prefix.patch Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch Patch16: openldap-nss-pk11-freeslot.patch -# documentation patches, already included upstream -Patch17: openldap-doc1.patch -Patch18: openldap-doc2.patch # fix back_perl problems with lt_dlopen() # might cause crashes because of symbol collisions # the proper fix is to link all perl modules against libperl @@ -52,12 +48,8 @@ Patch18: openldap-doc2.patch Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch # ldapi sasl fix pending upstream inclusion Patch20: openldap-ldapi-sasl.patch -# already included upstream -Patch21: openldap-loglevel2bvarray.patch -# more documentation fixes, upstreamed -Patch22: openldap-doc3.patch -# cldap fixes, upstreamed -Patch23: openldap-cldap.patch +# rwm reference counting fix, pending upstream inclusion +Patch21: openldap-rwm-reference-counting.patch # Fedora specific patches Patch100: openldap-autoconf-pkgconfig-nss.patch @@ -157,7 +149,6 @@ ln -s %{_includedir}/nspr4 include/nspr AUTOMAKE=%{_bindir}/true autoreconf -fi %patch0 -p1 -%patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 @@ -173,13 +164,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch14 -p1 %patch15 -p1 %patch16 -p1 -%patch17 -p1 -%patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 -%patch22 -p1 -%patch23 -p1 %patch102 -p1 
@@ -199,9 +186,15 @@ popd %build +%ifarch s390 s390x + export CFLAGS="-fPIE" +%else + export CFLAGS="-fpie" +%endif +export LDFLAGS="-pie" # avoid stray dependencies (linker flag --as-needed) # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) -export CFLAGS="%{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS" +export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS" pushd openldap-%{version} %configure \ @@ -229,6 +222,7 @@ pushd openldap-%{version} --enable-backends=mod \ --enable-bdb=yes \ --enable-hdb=yes \ + --enable-mdb=yes \ --enable-monitor=yes \ --disable-ndb \ \ @@ -294,8 +288,8 @@ install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap # setup autocreation of runtime directories on tmpfs -mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d -install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf +mkdir -p %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf # install default ldap.conf (customized) rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf @@ -542,7 +536,7 @@ exit 0 %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d %config(noreplace) %{_sysconfdir}/openldap/schema %config(noreplace) %{_sysconfdir}/sysconfig/slapd -%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf +%config(noreplace) %{_tmpfilesdir}/slapd.conf %config(noreplace) %{_sysconfdir}/openldap/check_password.conf %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap %dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap @@ -552,7 +546,6 @@ exit 0 %{_libdir}/openldap/auditlog* %{_libdir}/openldap/back_dnssrv* %{_libdir}/openldap/back_ldap* -%{_libdir}/openldap/back_mdb* %{_libdir}/openldap/back_meta* %{_libdir}/openldap/back_null* %{_libdir}/openldap/back_passwd* 
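Review bot: `export CFLAGS="-fpie"` (and `-fPIE` on s390/s390x) now applies to every object in the tree, including liblber/libldap and the backend and overlay modules, while the deleted openldap-security-pie.patch added `-pie -Wl,-z,defs` to the slapd link alone; GCC documents `-fpie` output as linkable only into executables, so the shared objects presumably stay correct only because libtool appends its own `-fPIC -DPIC` after the user flags, and whether the `-pie` in `LDFLAGS` survives to the final slapd link depends on the libtool version in the tree. The outcome should be checked rather than assumed: `readelf -h` on the built slapd should report `Type: DYN`, and the libraries should still be PIC. The `-Wl,-z,defs` check is dropped without mention, and neither the spec nor the changelog says why PIE moved from a patch to global flags; a comment such as `# build as PIE via global flags; replaces openldap-security-pie.patch, which covered slapd only` above the `%ifarch` would document it.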
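Review bot: `%{_tmpfilesdir}` in the `@@ -294,8 +288,8 @@` hunk is defined by systemd's RPM macros, not by rpm itself; unless a BuildRequires outside this diff pulls them in, the macro stays unexpanded and `mkdir -p %{buildroot}%{_tmpfilesdir}/` creates a literal directory of that name, with the `%files` entry in the `@@ -542,7 +536,7 @@` hunk then pointing at a path that does not exist. Adding `BuildRequires: systemd` makes the dependency explicit. Since the file now lives under `%{_tmpfilesdir}` rather than /etc, the `%config(noreplace)` marker on that `%files` line no longer fits and rpmlint flags config files outside /etc; drop it so the line reads `%{_tmpfilesdir}/slapd.conf`.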
@@ -609,6 +602,30 @@ exit 0 %{_mandir}/man3/* %changelog +* Wed Feb 26 2014 Jan Synáček - 2.4.39-3 +- move tmpfiles config to correct location (#1069513) + +* Wed Feb 5 2014 Jan Synáček - 2.4.39-2 +- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405) + +* Thu Jan 30 2014 Jan Synáček - 2.4.39-1 +- new upstream release (#1040324) + +* Fri Jan 24 2014 Daniel Mach - 2.4.35-12 +- Mass rebuild 2014-01-24 + +* Thu Jan 16 2014 Jan Synáček - 2.4.35-11 +- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005) + +* Fri Dec 27 2013 Daniel Mach - 2.4.35-10 +- Mass rebuild 2013-12-27 + +* Tue Dec 17 2013 Jan Synáček - 2.4.35-9 +- fix: more typos in manpages (#948562) + +* Wed Nov 13 2013 Jan Synáček - 2.4.35-8 +- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415) + * Mon Oct 14 2013 Jan Synáček - 2.4.35-7 - fix: CLDAP is broken for IPv6 (#1007421)