Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2015-12-06 07:38:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2-client.changes 2015-10-24 10:23:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2-client.changes 2015-12-06 07:38:31.000000000 +0100 @@ -1,0 +2,15 @@ +Wed Dec 2 12:51:10 UTC 2015 - [email protected] + +- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch + to fix CVE-2015-6908. (bsc#945582) +- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch + to address weak DH size vulnerability (bsc#937766) + +------------------------------------------------------------------- +Mon Nov 30 10:16:57 UTC 2015 - [email protected] + +- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch + to fix an issue with unresponsive LDAP host lookups in IPv6 environment. + (bsc#955210) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2015-10-24 10:23:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2015-12-06 07:38:31.000000000 +0100 
@@ -1,0 +2,15 @@ +Wed Dec 2 12:50:47 UTC 2015 - [email protected] + +- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch + to fix CVE-2015-6908. (bsc#945582) +- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch + to address weak DH size vulnerability (bsc#937766) + +------------------------------------------------------------------- +Mon Nov 30 10:16:57 UTC 2015 - [email protected] + +- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch + to fix an issue with unresponsive LDAP host lookups in IPv6 environment. + (bsc#955210) + +------------------------------------------------------------------- New: ---- 0009-Fix-ldap-host-lookup-ipv6.patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch 0011-Enforce-minimum-DH-size-of-1024.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++ --- /var/tmp/diff_new_pack.Iu734i/_old 2015-12-06 07:38:33.000000000 +0100 +++ /var/tmp/diff_new_pack.Iu734i/_new 2015-12-06 07:38:33.000000000 +0100 @@ -46,6 +46,9 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch +Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch +Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff 
@@ -177,6 +180,9 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE5} . %build openldap2.spec: same change ++++++ 0009-Fix-ldap-host-lookup-ipv6.patch ++++++ The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive LDAP host lookups in IPv6 environment. --- libraries/libldap/util-int.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) Index: openldap-2.4.41/libraries/libldap/util-int.c =================================================================== --- openldap-2.4.41.orig/libraries/libldap/util-int.c +++ openldap-2.4.41/libraries/libldap/util-int.c @@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i char * ldap_pvt_get_fqdn( char *name ) { - char *fqdn, *ha_buf; + int rc; + char *fqdn; char hostbuf[MAXHOSTNAMELEN+1]; +#ifdef HAVE_GETADDRINFO + struct addrinfo hints, *res; +#else + char *ha_buf; struct hostent *hp, he_buf; - int rc, local_h_errno; + int local_h_errno; +#endif if( name == NULL ) { if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) { @@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name ) } } +#ifdef HAVE_GETADDRINFO + memset( &hints, '\0', sizeof( hints ) ); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags |= AI_CANONNAME; + + /* most getaddrinfo(3) use non-threadsafe resolver libraries */ + LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); + + rc = getaddrinfo( name, NULL, &hints, &res ); + + LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); + + if ( rc != 0 ) { + fqdn = LDAP_STRDUP( name ); + } else { + while ( res ) { + if ( res->ai_canonname ) { + fqdn = LDAP_STRDUP ( res->ai_canonname ); + break; + } + res = res->ai_next; + } + freeaddrinfo( res ); + } +#else + rc = ldap_pvt_gethostbyname_a( name, &he_buf, &ha_buf, &hp, &local_h_errno ); 
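Review bot: In the HAVE_GETADDRINFO branch the `while ( res )` loop advances `res` itself, so the `freeaddrinfo( res )` after the loop no longer receives the list head: when an entry with `ai_canonname` is found only the tail from that node onward is released, and when no entry carries a canonical name `res` is NULL when the loop ends, the whole list leaks, `freeaddrinfo( NULL )` is not guaranteed safe on every platform, and `fqdn` — declared without an initializer in the first hunk of this file — is returned uninitialized. Walk the list with a separate cursor, fall back to `LDAP_STRDUP( name )` when no canonical name comes back (mirroring the existing `rc != 0` case), and free the original `res`. The body of ldap_pvt_get_fqdn continues past this hunk; the matching `#endif` and `return fqdn` appear in the next one.
```c
	/* … unchanged: hints setup and the mutex-protected getaddrinfo() call … */
	if ( rc != 0 ) {
		fqdn = LDAP_STRDUP( name );
	} else {
		struct addrinfo *ai;

		fqdn = NULL;
		for ( ai = res; ai; ai = ai->ai_next ) {
			if ( ai->ai_canonname ) {
				fqdn = LDAP_STRDUP( ai->ai_canonname );
				break;
			}
		}
		if ( fqdn == NULL ) {
			/* no canonical name returned: behave as on lookup failure */
			fqdn = LDAP_STRDUP( name );
		}
		freeaddrinfo( res );	/* res still points at the list head */
	}
#else
	/* … unchanged: ldap_pvt_gethostbyname_a() path … */
```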
@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name ) } LDAP_FREE( ha_buf ); +#endif + return fqdn; } ++++++ 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch ++++++ >From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001 From: Howard Chu <[email protected]> Date: Sat, 12 Sep 2015 22:18:22 +0100 Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert"" We have never documented our use of assert, so can't expect builders to do the right thing. This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993. The commit fixes CVE-2015-6908. diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c index 85c3e23..c05dcf8 100644 --- a/libraries/liblber/io.c +++ b/libraries/liblber/io.c @@ -679,7 +679,7 @@ done: return (ber->ber_tag); } - assert( 0 ); /* ber structure is messed up ?*/ + /* invalid input */ return LBER_DEFAULT; } -- 2.6.3 ++++++ 0011-Enforce-minimum-DH-size-of-1024.patch ++++++ The patch was authored by Marcus Meissner <[email protected]> on 2015-07-13 to address weak DH size vulnerability. --- openldap-2.4.26.orig/libraries/libldap/tls_o.c +++ openldap-2.4.26/libraries/libldap/tls_o.c @@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t -----END DH PARAMETERS-----\n"; static const struct dhinfo tlso_dhpem[] = { - { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, @@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, DH *dh = NULL; int i; + /* for Logjam, rev up the minimum DH group size to 1024 bit */ + if (key_length < 1024) key_length = 1024; + /* Do we have params of this length already? */ LDAP_MUTEX_LOCK( &tlso_dh_mutex ); for ( p = tlso_dhparams; p; p=p->next ) {
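Review bot: The replacement comment `/* invalid input */` in liblber/io.c drops the information the removed assert carried, and since the commit message ties this line to CVE-2015-6908 the rationale belongs in the code rather than only in the history. Suggest `/* malformed BER: presumably reachable with data read from the peer, so fail soft with LBER_DEFAULT rather than aborting the process */`. The enclosing function starts before the hunk; only its `done:` tail and the final return are visible here.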
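Review bot: In tlso_tmp_dh_cb the 1024-bit floor is a magic number that must now agree with the smallest row left in `tlso_dhpem[]` after the previous hunk dropped the 512-bit entry; if either is changed on its own the clamp can ask for a size the table no longer provides. Suggest a single named constant used by both, e.g. `#define TLSO_DH_MIN_BITS 1024` and `if ( key_length < TLSO_DH_MIN_BITS ) key_length = TLSO_DH_MIN_BITS;`. The comment should also say that 1024 is a minimum rather than a recommended size, and that larger requests presumably still fall through to the larger table entries; the function body continues past the hunk.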
