Hello community, here is the log from the commit of package 389-ds for openSUSE:Factory checked in at 2015-06-23 11:56:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/389-ds (Old) and /work/SRC/openSUSE:Factory/.389-ds.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "389-ds" Changes: -------- --- /work/SRC/openSUSE:Factory/389-ds/389-ds.changes 2015-04-30 11:51:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.389-ds.new/389-ds.changes 2015-06-23 11:56:12.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Jun 17 09:38:48 UTC 2015 - [email protected] + +- Update to new upstrema release 1.3.3.11 +- Added 389-ds-1.3.3.11-CVE-2015-3230.patch: + nsSSL3Ciphers preference not enforced on server side + [boo#934934] [CVE-2015-3230] + +------------------------------------------------------------------- Old: ---- 389-ds-base-1.3.3.10.tar.bz2 New: ---- 389-ds-1.3.3.11-CVE-2015-3230.patch 389-ds-base-1.3.3.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ 389-ds.spec ++++++ --- /var/tmp/diff_new_pack.6si19b/_old 2015-06-23 11:56:13.000000000 +0200 +++ /var/tmp/diff_new_pack.6si19b/_new 2015-06-23 11:56:13.000000000 +0200 @@ -18,11 +18,11 @@ Name: 389-ds Summary: 389 Directory Server -Version: 1.3.3.10 -Release: 0 -Group: Productivity/Networking/LDAP/Servers License: GPL-2.0 -URL: http://port389.org/ +Group: Productivity/Networking/LDAP/Servers +Version: 1.3.3.11 +Release: 0 +Url: http://port389.org/ #DL-URL: http://port389.org/wiki/Source #Git-Clone: git://git.fedorahosted.org/389/ds @@ -30,6 +30,8 @@ Source9: %name-rpmlintrc # PATCH-FIX-SLES -- Make init scripts LSB conform Patch1: 389-ds-base-1.3.2.11_init_fhs.patch +# PATCH-FIX-UPSTREM -- Fix nsSSL3Ciphers preference not being enforced +Patch2: 389-ds-1.3.3.11-CVE-2015-3230.patch BuildRequires: cyrus-sasl-devel BuildRequires: db-devel >= 4.5 BuildRequires: gcc-c++ @@ -37,7 +39,7 @@ # net-snmp-devel is needed to build the snmp ldap-agent BuildRequires: net-snmp-devel >= 5.1.2 BuildRequires: openldap2-devel -# pam-devel is required the pam passthru auth plug-in +# pam-devel is required by the pam passthru auth plug-in BuildRequires: pam-devel %if 0%{?suse_version} < 1220 BuildRequires: libicu-devel >= 3.4 
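Review bot: The tag comment added above `Patch2:` reads `# PATCH-FIX-UPSTREM -- ...`; the openSUSE patch-tagging convention spells the category `PATCH-FIX-UPSTREAM`, and tooling that scans these tags matches on the exact token, so the line should read `# PATCH-FIX-UPSTREAM -- Fix nsSSL3Ciphers preference not being enforced`. Since the patch is a CVE backport, the comment is also a good place to name it: `# PATCH-FIX-UPSTREAM boo#934934 CVE-2015-3230 -- Fix nsSSL3Ciphers preference not being enforced`.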
@@ -55,7 +57,7 @@ BuildRequires: pkgconfig(svrcore) BuildRequires: pkgconfig(systemd) %endif -BuildRoot: %_tmppath/%name-%version-build +BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: cyrus-sasl-digestmd5 Requires: cyrus-sasl-gssapi Requires: mozilla-nss-tools @@ -69,22 +71,23 @@ Requires: perl(Socket6) %if 0%{?suse_version} < 1220 -%global with_systemd 0 -%else -%global with_systemd 1 +%define __without_systemd 0 %endif + +%bcond_without systemd + %if 0%{?suse_version} >= 1230 Requires: %_sbindir/service %else Requires: /sbin/service %endif Requires(post): fillup -%if %{?with_systemd} == 0 +%if %{with systemd} +%{?systemd_requires} +%else Requires(post): insserv Requires(post): /sbin/chkconfig Requires(preun): /sbin/chkconfig -%else -%{?systemd_requires} %endif Obsoletes: 389-ds-base < %version-%release @@ -115,7 +118,7 @@ %prep %setup -qn %name-base-%version -%patch -P 1 -p1 +%patch -P 1 -P 2 -p1 %build # openldap has no pkgconfig file; because of that, 389ds will prefer @@ -125,12 +128,12 @@ --sbindir=%_libexecdir/%name/sbin \ --enable-autobind \ --with-openldap \ -%if %{?with_systemd} == 0 - --with-initddir="%_initddir" \ -%else +%if %{with systemd} --with-systemdsystemunitdir \ --with-systemdsystemconfdir \ --with-systemdgroupname=dirsrv.target \ +%else + --with-initddir="%_initddir" \ %endif . @@ -143,7 +146,7 @@ install -d "$b/%_sbindir" ln -s "%_libexecdir/%name/sbin/setup-ds.pl" "$b/%_sbindir/setup-ds.pl" -%if %{?with_systemd} == 1 +%if %{with systemd} install -d "$b/%_unitdir/dirsrv.target.wants" %if 0%{?suse_version} >= 1230 ln -s service "$b/%_sbindir/rcdirsrv" 
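Review bot: In the `@@ -69,22` hunk the old-distro branch defines `__without_systemd 0` (double underscore), but `%bcond_without systemd`, as the rpm macros define it, only checks whether `_without_systemd` (single underscore) is defined at all, so that define appears to have no effect and `%{with systemd}` evaluates true on suse_version < 1220 as well, where the `%service_*` macros used later in this spec do not exist. If the intent is to keep the sysvinit path on those releases, the line should be `%define _without_systemd 1` and it must come before the `%bcond_without systemd` line, as it does now. This reading assumes the stock `%bcond_without` macro; confirm against the macro set on the oldest targeted release.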
@@ -166,18 +169,16 @@ # make sure perl scripts have a proper shebang sed -i -e 's|#{{PERL-EXEC}}|#!%_bindir/perl|' "$b/%_datadir/dirsrv/script-templates"/template-*.pl -%if %{?with_systemd} == 1 +%if %{with systemd} %pre %service_add_pre dirsrv@*.service dirsrv-snmp.service dirsrv.target %endif %post /sbin/ldconfig -%if %{?with_systemd} == 1 -%if 0%{?suse_version} +%if %{with systemd} %fillup_only -n dirsrv %fillup_only -n dirsrv.systemd -%endif %service_add_post dirsrv@*.service dirsrv-snmp.service dirsrv.target %else %fillup_and_insserv dirsrv @@ -185,7 +186,7 @@ %endif %preun -%if %{?with_systemd} == 1 +%if %{with systemd} %service_del_preun dirsrv@*.service dirsrv-snmp.service dirsrv.target %else %stop_on_removal dirsrv @@ -194,7 +195,7 @@ %postun /sbin/ldconfig -%if %{?with_systemd} == 1 +%if %{with systemd} %service_del_postun dirsrv@*.service dirsrv-snmp.service dirsrv.target %else %restart_on_update dirsrv @@ -214,7 +215,7 @@ %config(noreplace) %_sysconfdir/dirsrv/config/ldap-agent.conf %config(noreplace) %_sysconfdir/dirsrv/config/template-initconfig %_datadir/dirsrv -%if %{?with_systemd} == 1 +%if %{with systemd} %_unitdir/dirsrv* %else %_initddir/dirsrv* ++++++ 389-ds-1.3.3.11-CVE-2015-3230.patch ++++++ >From 99109e38ca671951c50724018fce71e2e362f0ff Mon Sep 17 00:00:00 2001 From: Noriko Hosoi <[email protected]> Date: Thu, 11 Jun 2015 22:25:14 -0700 Subject: Ticket #48194 - nsSSL3Ciphers preference not enforced server side Description: The fix for ticket 47838 accidentally changed the timing of setting default cipher preferences and creating a sslSocket which broke setting the default preferences to each sslSocket. https://fedorahosted.org/389/ticket/48194 Reviewed by [email protected] (Thank you, Rich!!) (cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c) diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 67d01cd..198edbc 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c 
@@ -1342,9 +1342,6 @@ slapd_ssl_init() freeConfigEntry( &entry ); } - /* ugaston- Cipher preferences must be set before any sslSocket is created - * for such sockets to take preferences into account. - */ freeConfigEntry( &entry ); /* Introduce a way of knowing whether slapd_ssl_init has @@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) errorbuf[0] = '\0'; + /* + * Cipher preferences must be set before any sslSocket is created + * for such sockets to take preferences into account. + */ + getConfigEntry(configDN, &e); + if (e == NULL) { + slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN); + return 1; + } + val = slapi_entry_attr_get_charptr(e, "allowWeakCipher"); + if (val) { + if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || + !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) { + allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER; + } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || + !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) { + allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER; + } else { + slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.", + "Ignoring it and set it to default.", val, configDN); + } + } + slapi_ch_free((void **) &val); + + /* Set SSL cipher preferences */ + *cipher_string = 0; + if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank")) + PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string)); + slapi_ch_free((void **) &ciphers); + + if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) { + errorCode = PR_GetError(); + slapd_SSL_warn("Security Initialization: Failed to set SSL cipher " + "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + val, errorCode, slapd_pr_strerror(errorCode)); + slapi_ch_free((void **) &val); + } + freeConfigEntry(&e); + /* Import pr fd into SSL */ pr_sock = SSL_ImportFD( NULL, sock ); if( pr_sock == (PRFileDesc *)NULL ) { 
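Review bot: In the `else` branch of the allowWeakCipher parsing in the `@@ -1590,6` hunk the warning passes three arguments to a two-`%s` format, so the literal `"Ignoring it and set it to default."` fills the first `%s`, `val` fills the `in %s` slot and `configDN` is never printed; the logged line misreports which value was rejected. Join the pieces into one format: `slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid. Ignoring it and set it to default.", val, configDN);`. Separately, the copy of the `_conf_setciphers` failure branch removed in the `@@ -1985,36` hunk set `rv = 3;` and the moved copy here does not, so a failure to apply the configured cipher list — the condition this fix is about — seems to no longer be reflected in slapd_ssl_init2's return value; if `rv` is in scope at this point, restore `rv = 3;` after the warning, or state in a comment why the failure is now non-fatal. slapd_ssl_init2's body, including the declaration of `rv` and the final return, lies outside the hunk.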
@@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) slapd_pk11_setSlotPWValues(slot, 0, 0); } - - /* * Now, get the complete list of cipher families. Each family * has a token name and personality name which we'll use to find @@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) "out of disk space! Make more room in /tmp " "and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", errorCode, slapd_pr_strerror(errorCode)); - } - else { - slapd_SSL_error("Config of server nonce cache failed (error %d - %s)", + } else { + slapd_SSL_error("Config of server nonce cache failed (error %d - %s)", errorCode, slapd_pr_strerror(errorCode)); } return rv; 
@@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ } #endif - val = slapi_entry_attr_get_charptr(e, "allowWeakCipher"); - if (val) { - if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || - !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) { - allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER; - } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || - !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) { - allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER; - } else { - slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.", - "Ignoring it and set it to default.", val, configDN); - } - } - slapi_ch_free((void **) &val); - - /* Set SSL cipher preferences */ - *cipher_string = 0; - if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank")) - PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string)); - slapi_ch_free((void **) &ciphers); - - if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) { - errorCode = PR_GetError(); - slapd_SSL_warn("Security Initialization: Failed to set SSL cipher " - "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - val, errorCode, slapd_pr_strerror(errorCode)); - rv = 3; - slapi_ch_free((void **) &val); - } - freeConfigEntry( &e ); if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) { 
@@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) /* richm 20020227 To do LDAP client SSL init, we need to do - static void - ldapssl_basic_init( void ) - { - PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + static void + ldapssl_basic_init( void ) + { + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); - PR_SetConcurrency( 4 ); - } + PR_SetConcurrency( 4 ); + } NSS_Init(certdbpath); SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE); - SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); - s = NSS_SetDomesticPolicy(); + SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); + s = NSS_SetDomesticPolicy(); We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest */ @@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld) char **family; char *personality = NULL; char *activation = NULL; - char *cipher = NULL; + char *cipher = NULL; for (family = family_list; *family; family++) { getConfigEntry( *family, &entry ); -- cgit v0.10.2 ++++++ 389-ds-base-1.3.3.10.tar.bz2 -> 389-ds-base-1.3.3.11.tar.bz2 ++++++ ++++ 1876 lines of diff (skipped)
