Hello community, here is the log from the commit of package openldap2 for openSUSE:11.4 checked in at Fri Mar 4 16:15:36 CET 2011.
-------- --- old-versions/11.4/all/openldap2/openldap2-client.changes 2011-01-19 17:54:59.000000000 +0100 +++ 11.4/openldap2/openldap2-client.changes 2011-03-02 10:44:41.000000000 +0100 @@ -1,0 +2,14 @@ +Tue Mar 1 13:15:45 UTC 2011 - [email protected] + +- ModRDN Operations with an empty old DN value and "remove old RDN" + enabled could crash the LDAP Server (bnc#674985, ITS#6768) +- Using the password policy overlay in a chainging setup (with + "ppolicy_forward_updates" enabled) could cause BIND operations + to return SUCCESS even if the wrong password was sent. + (bnc#674985, ITS#6607) +- Only expose SSS/VLV controls in rootDSE if the sssvlv overlay is + at least instanciated once. Solaris clients (and Outlook) have + problems connecting to OpenLDAP otherwise (bnc#648479, includes + fixes for ITS#6647, ITS#6649 and ITS#6685) + +------------------------------------------------------------------- openldap2.changes: same change Package does not exist at destination yet. Using Fallback old-versions/11.4/all/openldap2 Destination is old-versions/11.4/UPDATES/all/openldap2 calling whatdependson for 11.4-i586 New: ---- 0010-unregister_supported_control-backport-dif 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++ --- /var/tmp/diff_new_pack.feYpTh/_old 2011-03-04 16:15:17.000000000 +0100 +++ /var/tmp/diff_new_pack.feYpTh/_new 2011-03-04 16:15:17.000000000 +0100 @@ -25,7 +25,7 @@ BuildRequires: -libopenssl-devel -pwdutils openssl-devel %endif Version: 2.4.23 -Release: 6 +Release: 6.<RELEASE2> Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" @@ -63,6 +63,10 @@ Patch7: 0007-No-Build-date-and-time-in-binaries.dif Patch8: 0008-Recover-on-DB-version-change.dif Patch9: 0009-List-static-overlays-backends-when-with-VVV.dif +Patch10: 0010-unregister_supported_control-backport-dif +Patch11: 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif +Patch12: 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif +Patch13: 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -88,6 +92,25 @@ The OpenLDAP Project <[email protected]> +The Lightweight Directory Access Protocol (LDAP) is used to access +online directory services. It runs directly over TCP and can be used to +access a stand-alone LDAP directory service or to access a directory +service that has an X.500 back-end. + + + +Authors: +-------- + The OpenLDAP Project <[email protected]> + +This package contains the OpenLDAP client utilities. + + +Authors: +-------- + The OpenLDAP Project <[email protected]> + + %package -n openldap2-back-perl License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Perl Back-End @@ -182,6 +205,25 @@ The OpenLDAP Project <[email protected]> +The Lightweight Directory Access Protocol (LDAP) is used to access +online directory services. It runs directly over TCP and can be used to +access a stand-alone LDAP directory service or to access a directory +service that has an X.500 back-end. + + + +Authors: +-------- + The OpenLDAP Project <[email protected]> + +This package contains the OpenLDAP client utilities. + + +Authors: +-------- + The OpenLDAP Project <[email protected]> + + %package -n openldap2-devel License: BSD3c(or similar) ; openldap 2.8 Summary: Libraries, Header Files and Documentation for OpenLDAP @@ -239,6 +281,10 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.feYpTh/_old 2011-03-04 16:15:17.000000000 +0100 +++ /var/tmp/diff_new_pack.feYpTh/_new 2011-03-04 16:15:17.000000000 +0100 @@ -25,7 +25,7 @@ BuildRequires: -libopenssl-devel -pwdutils openssl-devel %endif Version: 2.4.23 -Release: 6 +Release: 11.<RELEASE2> Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" @@ -63,6 +63,10 @@ Patch7: 0007-No-Build-date-and-time-in-binaries.dif Patch8: 0008-Recover-on-DB-version-change.dif Patch9: 0009-List-static-overlays-backends-when-with-VVV.dif +Patch10: 0010-unregister_supported_control-backport-dif +Patch11: 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif +Patch12: 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif +Patch13: 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -220,6 +224,10 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 %if %suse_version == 1100 %patch200 -p1 %endif ++++++ 0010-unregister_supported_control-backport-dif ++++++ >From 7fd700941fb1d735a78073124fb8f473eaf9b1b4 Mon Sep 17 00:00:00 2001 From: ralf <ralf> Date: Wed, 30 Jun 2010 10:38:01 +0000 Subject: unregister_supported_control() backport The fix for bnc#648479/ITS#6647 makes use of this call Original log-message: new call unregister_supported_control(), will be needed for cn=config delete support Also included: use be_ctrls[cid] for counting the number of overlay instances that have registered the control for a specific BackendDB to make sure that the control is unregistered only after the last instance calls overlay_unregister_control(). diff --git a/servers/slapd/backover.c b/servers/slapd/backover.c index cef3286..d2065dc 100644 --- a/servers/slapd/backover.c +++ b/servers/slapd/backover.c @@ -1074,14 +1074,22 @@ overlay_register_control( BackendDB *be, const char *oid ) gotit = 1; } - bd->be_ctrls[ cid ] = 1; + /* overlays can be instanciated multiple times, use + * be_ctrls[ cid ] as an instance counter, so that the + * overlay's controls are only really disabled after the + * last instance called overlay_register_control() */ + bd->be_ctrls[ cid ]++; bd->be_ctrls[ SLAP_MAX_CIDS ] = 1; } } if ( !gotit ) { - be->bd_self->be_ctrls[ cid ] = 1; + /* overlays can be instanciated multiple times, use + * be_ctrls[ cid ] as an instance counter, so that the + * overlay's controls are only really unregistered after the + * last instance called overlay_register_control() */ + be->bd_self->be_ctrls[ cid ]++; be->bd_self->be_ctrls[ SLAP_MAX_CIDS ] = 1; } @@ -1089,6 +1097,34 @@ overlay_register_control( BackendDB *be, const char *oid ) } void +overlay_unregister_control( BackendDB *be, const char *oid ) +{ + int gotit = 0; + int cid; + + if ( slap_find_control_id( oid, &cid ) == LDAP_CONTROL_NOT_FOUND ) { + return; + } + + if ( SLAP_ISGLOBALOVERLAY( be ) ) { + BackendDB *bd; + + /* remove from all backends... */ + LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) { + if ( bd == be->bd_self ) { + gotit = 1; + } + + bd->be_ctrls[ cid ]--; + } + } + + if ( !gotit ) { + be->bd_self->be_ctrls[ cid ]--; + } +} + +void overlay_destroy_one( BackendDB *be, slap_overinst *on ) { slap_overinfo *oi = on->on_info; diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index 5cdfaf0..0aaac3a 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -344,6 +344,38 @@ register_supported_control2(const char *controloid, return LDAP_SUCCESS; } +#ifdef SLAP_CONFIG_DELETE +int +unregister_supported_control( const char *controloid ) +{ + struct slap_control *sc; + int i; + + if ( controloid == NULL || (sc = find_ctrl( controloid )) == NULL ){ + return -1; + } + + for ( i = 0; slap_known_controls[ i ]; i++ ) { + if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) { + do { + slap_known_controls[ i ] = slap_known_controls[ i+1 ]; + } while ( slap_known_controls[ i++ ] ); + num_known_controls--; + break; + } + } + + LDAP_SLIST_REMOVE(&controls_list, sc, slap_control, sc_next); + ch_free( sc->sc_oid ); + if ( sc->sc_extendedopsbv != NULL ) { + ber_bvarray_free( sc->sc_extendedopsbv ); + } + ch_free( sc ); + + return 0; +} +#endif /* SLAP_CONFIG_DELETE */ + /* * One-time initialization of internal controls. */ diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index fa225d9..65015cb 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -647,6 +647,10 @@ LDAP_SLAPD_F (int) register_supported_control2 LDAP_P(( int *controlcid )); #define register_supported_control(oid, mask, exops, fn, cid) \ register_supported_control2((oid), (mask), (exops), (fn), 0, (cid)) +#ifdef SLAP_CONFIG_DELETE +LDAP_SLAPD_F (int) unregister_supported_control LDAP_P(( + const char* controloid )); +#endif /* SLAP_CONFIG_DELETE */ LDAP_SLAPD_F (int) slap_controls_init LDAP_P ((void)); LDAP_SLAPD_F (void) controls_destroy LDAP_P ((void)); LDAP_SLAPD_F (int) controls_root_dse_info LDAP_P ((Entry *e)); -- 1.7.3.4 ++++++ 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif ++++++ >From 829dc9ac421c3a69e20b016f405d93ff263f124f Mon Sep 17 00:00:00 2001 From: ralf <ralf> Date: Fri, 22 Jan 2010 17:01:25 +0000 Subject: Fix exposure of SSS/VLV controls (ITS#6647) Fixes bnc#648479 Contains the following upstream commits: - plugged one time memory leak (found with valgrind) - Quit send loops if slapd is shutting down - make sure so is correctly initialized (spotted by valgrind, possibly related to ITS#6649) - do not expose control until sssvlv overlay is actually instantiated at least once (ITS#6647) - ITS#6685 fix result code tag - Unregister VLV control as well when last overlay instance is removed (additional fix for ITS#6647) diff --git a/servers/slapd/overlays/sssvlv.c b/servers/slapd/overlays/sssvlv.c index 10dde1f..38e9e2d 100644 --- a/servers/slapd/overlays/sssvlv.c +++ b/servers/slapd/overlays/sssvlv.c @@ -198,7 +198,7 @@ static int pack_vlv_response_control( ber_init2( ber, NULL, LBER_USE_DER ); ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx ); - rc = ber_printf( ber, "{iii", so->so_vlv_target, so->so_nentries, + rc = ber_printf( ber, "{iie", so->so_vlv_target, so->so_nentries, so->so_vlv_rc ); if ( rc != -1 && so->so_vcontext ) { @@ -801,9 +801,9 @@ static int sssvlv_op_search( op->o_tmpmemctx ); /* Install serversort response callback to handle a new search */ if ( ps || vc ) { - so = ch_malloc( sizeof(sort_op)); + so = ch_calloc( 1, sizeof(sort_op)); } else { - so = op->o_tmpalloc( sizeof(sort_op), op->o_tmpmemctx ); + so = op->o_tmpcalloc( 1, sizeof(sort_op), op->o_tmpmemctx ); } sort_conns[op->o_conn->c_conn_idx] = so; @@ -1158,6 +1158,38 @@ static int sssvlv_db_init( { slap_overinst *on = (slap_overinst *)be->bd_info; sssvlv_info *si; + + if ( ov_count == 0 ) { + int rc; + + rc = register_supported_control2( LDAP_CONTROL_SORTREQUEST, + SLAP_CTRL_SEARCH, + NULL, + sss_parseCtrl, + 1 /* replace */, + &sss_cid ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "Failed to register Sort Request control '%s' (%d)\n", + LDAP_CONTROL_SORTREQUEST, rc, 0 ); + return rc; + } + + rc = register_supported_control2( LDAP_CONTROL_VLVREQUEST, + SLAP_CTRL_SEARCH, + NULL, + vlv_parseCtrl, + 1 /* replace */, + &vlv_cid ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "Failed to register VLV Request control '%s' (%d)\n", + LDAP_CONTROL_VLVREQUEST, rc, 0 ); +#ifdef SLAP_CONFIG_DELETE + overlay_unregister_control( be, LDAP_CONTROL_SORTREQUEST ); + unregister_supported_control( LDAP_CONTROL_SORTREQUEST ); +#endif /* SLAP_CONFIG_DELETE */ + return rc; + } + } si = (sssvlv_info *)ch_malloc(sizeof(sssvlv_info)); on->on_bi.bi_private = si; @@ -1183,14 +1215,23 @@ static int sssvlv_db_destroy( { slap_overinst *on = (slap_overinst *)be->bd_info; sssvlv_info *si = (sssvlv_info *)on->on_bi.bi_private; - + ov_count--; if ( !ov_count && sort_conns) { sort_conns--; ch_free(sort_conns); ldap_pvt_thread_mutex_destroy( &sort_conns_mutex ); } - + +#ifdef SLAP_CONFIG_DELETE + overlay_unregister_control( be, LDAP_CONTROL_SORTREQUEST ); + overlay_unregister_control( be, LDAP_CONTROL_VLVREQUEST ); + if ( ov_count == 0 ) { + unregister_supported_control( LDAP_CONTROL_SORTREQUEST ); + unregister_supported_control( LDAP_CONTROL_VLVREQUEST ); + } +#endif /* SLAP_CONFIG_DELETE */ + if ( si ) { ch_free( si ); on->on_bi.bi_private = NULL; @@ -1217,30 +1258,9 @@ int sssvlv_initialize() if ( rc ) return rc; - rc = register_supported_control2( LDAP_CONTROL_SORTREQUEST, - SLAP_CTRL_SEARCH, - NULL, - sss_parseCtrl, - 1 /* replace */, - &sss_cid ); - - if ( rc == LDAP_SUCCESS ) { - rc = register_supported_control2( LDAP_CONTROL_VLVREQUEST, - SLAP_CTRL_SEARCH, - NULL, - vlv_parseCtrl, - 1 /* replace */, - &vlv_cid ); - } - - if ( rc == LDAP_SUCCESS ) { - rc = overlay_register( &sssvlv ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_ANY, "Failed to register server side sort overlay\n", 0, 0, 0 ); - } - } - else { - Debug( LDAP_DEBUG_ANY, "Failed to register control %d\n", rc, 0, 0 ); + rc = overlay_register( &sssvlv ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "Failed to register server side sort overlay\n", 0, 0, 0 ); } return rc; -- 1.7.3.4 ++++++ 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++ >From 2fd270af43c3a952f999fa1de3e9e6c9275e9d08 Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Mon, 10 Jan 2011 20:36:19 +0000 Subject: forwarded bind failure messages cause success (ITS#6607) Original log from CVS: Add rev 1.77 of chain.c for control callbacks ITS#6475, ITS#6607 bnc#674985 CVE-2011-1024 diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index c517f15..6b7036a 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -854,6 +854,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) /* we need this to know if back-ldap returned any result */ lb.lb_lc = lc; + sc2.sc_next = sc->sc_next; sc2.sc_private = &lb; sc2.sc_response = ldap_chain_cb_response; op->o_callback = &sc2; @@ -947,6 +948,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) case LDAP_SUCCESS: case LDAP_REFERRAL: + sr_err = rs->sr_err; /* slapd-ldap sent response */ if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) { /* FIXME: should we send response? */ @@ -974,7 +976,7 @@ cannot_chain:; default: #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ if ( LDAP_CHAIN_RETURN_ERR( lc ) ) { - rs->sr_err = rc; + sr_err = rs->sr_err = rc; rs->sr_type = sr_type; } else { @@ -992,7 +994,8 @@ cannot_chain:; } if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) { - op->o_callback = NULL; + /* give the remaining callbacks a chance */ + op->o_callback = sc->sc_next; rc = rs->sr_err = slap_map_api2result( rs ); send_ldap_result( op, rs ); } -- 1.7.3.4 ++++++ 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif ++++++ >From 65dd46e08db6fb93c7e5515c2ced2f0f444f241d Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Tue, 4 Jan 2011 19:44:43 +0000 Subject: fix modrdn with empty olddn (ITS#6768) slapd crashes when processing a modrdn operation with an empty olddn parameter and "remove old DN" enabled. (bnc#674985) diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index e2e4bf0..562da72 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -392,7 +392,9 @@ slap_modrdn2mods( LDAPRDN new_rdn = NULL; assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ); - assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) ); + + /* if requestDN is empty, silently reset deleteOldRDN */ + if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0; if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn, (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) { -- 1.7.3.4 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
