diff --git a/.gitignore b/.gitignore
index 6d6680b..4b4f04b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-SOURCES/openldap-2.4.40.tgz
+SOURCES/openldap-2.4.44.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
index e394c8f..12ca5b7 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-0cfac3b024b99de2e2456cc7254481b6644e0b96 SOURCES/openldap-2.4.40.tgz
+016a738d050a68d388602a74b5e991035cdba149 SOURCES/openldap-2.4.44.tgz
diff --git a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
deleted file mode 100644
index 26ece7d..0000000
--- a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit aa66d539543de0ad884f1b8e38948ecd946bf47a
-Author: Howard Chu <hyc@openldap.org>
-Date: Mon Dec 15 14:36:55 2014 +0000
-
- ITS#8003 fix off-by-one in LDIF length
-
- must account for leading space when counting total number of lines
-
-diff --git a/include/ldif.h b/include/ldif.h
-index f638ef9..69bb0c9 100644
---- a/include/ldif.h
-+++ b/include/ldif.h
-@@ -52,12 +52,12 @@ LDAP_LDIF_V (int) ldif_debug;
- */
- #define LDIF_SIZE_NEEDED(nlen,vlen) \
- ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
-- + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / LDIF_LINE_WIDTH * 2 ))
-+ + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (LDIF_LINE_WIDTH-1) * 2 ))
-
- #define LDIF_SIZE_NEEDED_WRAP(nlen,vlen,wrap) \
- ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
-- + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH ) * 2 ) : \
-- ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap) * 2 ))))
-+ + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH-1 ) * 2 ) : \
-+ ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap-1) * 2 ))))
-
- LDAP_LDIF_F( int )
- ldif_parse_line LDAP_P((
diff --git a/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch b/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch
deleted file mode 100644
index 33d7283..0000000
--- a/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-CVE-2015-6908 openldap: ber_get_next denial of service vulnerability
-Upstream: ITS#8240
-
-diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
---- a/libraries/liblber/io.c
-+++ b/libraries/liblber/io.c
-@@ -679,7 +679,7 @@ done:
- return (ber->ber_tag);
- }
-
-+ /* invalid input */
-- assert( 0 ); /* ber structure is messed up ?*/
- return LBER_DEFAULT;
- }
-
diff --git a/SOURCES/openldap-ITS8329-back_sql-id_query.patch b/SOURCES/openldap-ITS8329-back_sql-id_query.patch
deleted file mode 100644
index cf05c96..0000000
--- a/SOURCES/openldap-ITS8329-back_sql-id_query.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix: id_query option is not available after rebasing openldap to 2.4.39
-Resolves: rhbz#1311832
-Upstream: ITS#8329
-diff --git a/servers/slapd/back-sql/config.c b/servers/slapd/back-sql/config.c
---- a/servers/slapd/back-sql/config.c
-+++ b/servers/slapd/back-sql/config.c
-@@ -213,6 +213,11 @@ static ConfigTable sqlcfg[] = {
- ARG_ON_OFF|ARG_MAGIC|SQL_AUTOCOMMIT, (void *)sql_cf_gen,
- "( OLcfgDbAt:6.45 NAME 'olcSqlAutocommit' "
- "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
-+ { "id_query", "SQL expression", 2, 0, 0, ARG_STRING|ARG_QUOTE|ARG_OFFSET,
-+ (void *)offsetof(struct backsql_info, sql_id_query),
-+ "( OLcfgDbAt:6.46 NAME 'olcSqlIdQuery' "
-+ "DESC 'Query used to collect entryID mapping data' "
-+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { NULL, NULL, 0, 0, 0, ARG_IGNORED,
- NULL, NULL, NULL, NULL }
- };
-@@ -233,7 +238,7 @@ static ConfigOCs sqlocs[] = {
- "olcSqlFailIfNoMapping $ olcSqlAllowOrphans $ olcSqlBaseObject $ "
- "olcSqlLayer $ olcSqlUseSubtreeShortcut $ olcSqlFetchAllAttrs $ "
- "olcSqlFetchAttrs $ olcSqlCheckSchema $ olcSqlAliasingKeyword $ "
-- "olcSqlAliasingQuote $ olcSqlAutocommit ) )",
-+ "olcSqlAliasingQuote $ olcSqlAutocommit $ olcSqlIdQuery ) )",
- Cft_Database, sqlcfg },
- { NULL, Cft_Abstract, NULL }
- };
diff --git a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
deleted file mode 100644
index 76cc3fd..0000000
--- a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit 901fe3318f1c4ea7adac45f906d5447d71e43f8a
-Author: Howard Chu <hyc@openldap.org>
-Date: Sat Dec 12 16:14:02 2015 +0000
-
- ITS#8337 fix missing olcDbChecksum config attr
-
-diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
-index e07381f..a5b5888 100644
---- a/servers/slapd/back-bdb/config.c
-+++ b/servers/slapd/back-bdb/config.c
-@@ -163,8 +163,8 @@ static ConfigOCs bdbocs[] = {
- #endif
- "SUP olcDatabaseConfig "
- "MUST olcDbDirectory "
-- "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ "
-- "olcDbCryptFile $ olcDbCryptKey $ "
-+ "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbChecksum $ "
-+ "olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ "
- "olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ "
- "olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ "
- "olcDbMode $ olcDbSearchStack $ olcDbShmKey $ "
diff --git a/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
new file mode 100644
index 0000000..7ccec9e
--- /dev/null
+++ b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
@@ -0,0 +1,23 @@
+commit ec2fe743f5795eb7aaf43687e6b257ac071cef22
+Author: Ryan Tandy <ryan@nardis.ca>
+Date: Wed May 17 20:07:39 2017 -0700
+
+ ITS#8655 fix double free on paged search with pagesize 0
+
+ Fixes a double free when a search includes the Paged Results control
+ with a page size of 0 and the search base matches the filter.
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 009939d..d0db918 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+ /* check size limit */
+ if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+ if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+- mdb_entry_return( op, e );
++ if (e != base)
++ mdb_entry_return( op, e );
+ e = NULL;
+ send_paged_response( op, rs, &lastid, tentries );
+ goto done;
diff --git a/SOURCES/openldap-fix-missing-frontend-indexing.patch b/SOURCES/openldap-fix-missing-frontend-indexing.patch
deleted file mode 100644
index d2e8d4e..0000000
--- a/SOURCES/openldap-fix-missing-frontend-indexing.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/servers/slapd/bconfig.c 2015-06-02 14:37:10.930873419 +0200
-+++ b/servers/slapd/bconfig.c 2015-06-02 14:37:35.105233408 +0200
-@@ -4679,7 +4679,7 @@
- if ( ce_type == Cft_Database )
- nsibs--;
-
-- if ( index != nsibs ) {
-+ if ( index != nsibs || isfrontend) {
- if ( gotindex ) {
- if ( index < nsibs ) {
- if ( tailindex ) return LDAP_NAMING_VIOLATION;
diff --git a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
index 75832da..c3d087c 100644
--- a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
+++ b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch
@@ -16,7 +16,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
#define SSL_aDSA 0x00000004L
#define SSL_DSA SSL_aDSA
#define SSL_eNULL 0x00000008L
-@@ -225,19 +224,26 @@ typedef struct {
+@@ -225,19 +224,27 @@ typedef struct {
#define SSL_RC2 0x00000080L
#define SSL_AES128 0x00000100L
#define SSL_AES256 0x00000200L
@@ -36,6 +36,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+#define SSL_kEECDH 0x00200000L
+#define SSL_AESGCM 0x00400000L
+#define SSL_AEAD 0x00800000L
++#define SSL_CHACHA20POLY1305 0x02000000L
+
+/* cipher attributes non-unique - do not use for definitions */
+#define SSL_RSA 0x00000001L
@@ -118,7 +119,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
} else if (!strcmp(cipher, "3DES")) {
mask |= SSL_3DES;
} else if (!strcmp(cipher, "DES")) {
-@@ -685,28 +705,43 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -685,28 +705,45 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RC2;
} else if (!strcmp(cipher, "MD5")) {
mask |= SSL_MD5;
@@ -166,6 +167,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
mask |= SSL_aECDSA;
+ negative_mask |= SSL_kECDH;
++ } else if (!strcmp(cipher, "CHACHA20POLY1305")) {
++ mask |= SSL_CHACHA20POLY1305;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
diff --git a/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch b/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch
new file mode 100644
index 0000000..03b8611
--- /dev/null
+++ b/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch
@@ -0,0 +1,50 @@
+NSS: re-register NSS_Shutdown callback
+
+Original upstream comment:
+"""
+When there's a persistent daemon for auth and it sets LDAP_OPT_X_TLS_NEWCTX, it
+fails to auth at third login.
+
+1. everything is good and destroyed after use but
+tlsm_register_shutdown_callonce.initialized=1.
+2. still good but because tlsm_register_shutdown_callonce.initialized==1, it
+fails to register shutdown function.
+ so pem_module is not destroyed at the end.
+3. pem_module is not NULL so it's not initialized again and not added to modules
+list. And Login fails.
+"""
+
+Sent-By: soohoon.lee@f5.com
+Original-Name: soohoon-lee-160823.patch
+Upstream-ITS: 8484
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index cdf7f8e..cf05914 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1145,6 +1145,8 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ return ret;
+ }
+
++static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
++
+ static SECStatus
+ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ {
+@@ -1157,10 +1159,15 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ SECMOD_DestroyModule( pem_module );
+ pem_module = NULL;
+ }
++
++ /* init callonce so it can be armed again for cases like persistent daemon with LDAP_OPT_X_TLS_NEWCTX */
++ tlsm_register_shutdown_callonce.initialized = 0;
++ tlsm_register_shutdown_callonce.inProgress = 0;
++ tlsm_register_shutdown_callonce.status = 0;
++
+ return rc;
+ }
+
+-static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
+ static PRStatus PR_CALLBACK
+ tlsm_register_nss_shutdown_cb( void )
+ {
diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch
index d0d7ae6..23f136b 100644
--- a/SOURCES/openldap-nss-update-list-of-ciphers.patch
+++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch
@@ -77,7 +77,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
/* cipher strength */
#define SSL_NULL 0x00000001L
-@@ -237,32 +251,117 @@ typedef struct {
+@@ -237,32 +251,120 @@ typedef struct {
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
#define TLS1 SSL3
@@ -213,6 +213,9 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+#endif
+
++ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
};
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
diff --git a/SOURCES/openldap-perl-fix-moduleconfig-config.patch b/SOURCES/openldap-perl-fix-moduleconfig-config.patch
deleted file mode 100644
index 8103487..0000000
--- a/SOURCES/openldap-perl-fix-moduleconfig-config.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-fix: slaptest doesn't convert perlModuleConfig lines
-
-Resolves: #1184585
-Upstream: ITS #8105
-Author: Jan Synacek <jsynacek@redhat.com>
-
-diff --git a/servers/slapd/back-perl/config.c b/servers/slapd/back-perl/config.c
-index fd00965..d1c7886 100644
---- a/servers/slapd/back-perl/config.c
-+++ b/servers/slapd/back-perl/config.c
-@@ -219,9 +219,11 @@ perl_cf(
- XPUSHs( pb->pb_obj_ref );
-
- /* Put all arguments on the perl stack */
-- for( args = 1; args < c->argc; args++ ) {
-+ for( args = 1; args < c->argc; args++ )
- XPUSHs(sv_2mortal(newSVpv(c->argv[args], 0)));
-- }
-+
-+ ber_str2bv( c->line + STRLENOF("perlModuleConfig "), 0, 0, &bv );
-+ value_add_one( &pb->pb_module_config, &bv );
-
- PUTBACK ;
-
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index f1bbe23..d8dbcbf 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -4,8 +4,8 @@
%global check_password_version 1.1
Name: openldap
-Version: 2.4.40
-Release: 13%{?dist}
+Version: 2.4.44
+Release: 5%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -58,25 +58,17 @@ Patch22: openldap-support-tlsv1-and-later.patch
Patch23: openldap-module-passwd-sha2.patch
# pending upstream inclusion, ITS #7744
Patch24: openldap-man-tls-reqcert.patch
-# already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c
-Patch25: openldap-perl-fix-moduleconfig-config.patch
-# already in upstream, see ITS#8150, incorporated by commit 39b05c7
-Patch26: openldap-fix-missing-frontend-indexing.patch
Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch28: openldap-nss-ciphers-use-nss-defaults.patch
-# CVE-2015-6908, ITS#8240
-Patch29: openldap-ITS8240-remove-obsolete-assert.patch
# this is a temporary fix for #1294385, it should be solved properly, backported from #1144294
Patch30: openldap-temporary-ssl-thr-init-race.patch
-# already in upstream (2.4.41), see ITS#8003
-Patch31: openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
-# already in upstream, see ITS#8337
-Patch32: openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
-# ITS#8329
-Patch33: openldap-ITS8329-back_sql-id_query.patch
Patch34: openldap-nss-protocol-version-new-api.patch
Patch35: openldap-ITS8428-init-sc_writewait.patch
Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
+Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
+
+# upstream ITS#8484
+Patch60: openldap-nss-reregister-nss-shutdown-callback.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
@@ -206,18 +198,14 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch22 -p1
%patch23 -p1
%patch24 -p1
-%patch25 -p1
-%patch26 -p1
%patch27 -p1
%patch28 -p1
-%patch29 -p1
%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
+%patch37 -p1
+%patch60 -p1
%patch102 -p1
@@ -307,6 +295,12 @@ pushd openldap-%{version}
--libexecdir=%{_libdir}
make %{_smp_mflags}
+
+# build mdb_* tools
+pushd libraries/liblmdb
+export XCFLAGS="$CFLAGS"
+make %{_smp_mflags}
+popd
popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
@@ -321,6 +315,9 @@ mkdir -p %{buildroot}%{_libdir}/
pushd openldap-%{version}
make install DESTDIR=%{buildroot} STRIP=""
+pushd libraries/liblmdb
+make install DESTDIR=%{buildroot}
+popd
popd
# install check_password module
@@ -370,6 +367,14 @@ install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
+# install mdb_* tools
+mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/
+mkdir -p %{buildroot}%{_libexecdir}/openldap/man/man1
+mv %{buildroot}/usr/local/share/man/man1/mdb_{copy,dump,load,stat}.1 %{buildroot}%{_libexecdir}/openldap/man/man1/
+# we don't want the library itself nor header file
+rm -f %{buildroot}/usr/local/include/lmdb.h
+rm -f %{buildroot}/usr/local/lib/liblmdb.{a,so}
+
# remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
@@ -649,6 +654,8 @@ exit 0
%{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh
%{_libexecdir}/openldap/generate-server-cert.sh
+%{_libexecdir}/openldap/mdb_*
+%{_libexecdir}/openldap/man/man1/mdb_*
%{_sbindir}/sl*
%{_mandir}/man8/*
%{_mandir}/man5/slapd*.5*
@@ -673,6 +680,21 @@ exit 0
%{_mandir}/man3/*
%changelog
+* Tue Jun 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
+- fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210)
+
+* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
+- NSS: Include some CHACHA20POLY1305 ciphers (#1432907)
+
+* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
+- NSS: re-register NSS_Shutdown callback (#1405354)
+
+* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-2
+- Include MDB tools in openldap-servers (#1428740)
+
+* Wed Jan 4 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-1
+- Rebase to openldap-2.4.44 (#1386365)
+
* Wed Aug 17 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-13
- fix: Bad log levels in check_password module
- fix: We can't search expected entries from LDAP server