Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2019-07-31 14:13:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new.4126 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Wed Jul 31 14:13:51 2019 rev:147 rq:718552 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2019-05-17 23:36:15.946137743 +0200 +++ /work/SRC/openSUSE:Factory/.openldap2.new.4126/openldap2.changes 2019-07-31 14:13:54.954885212 +0200 @@ -1,0 +2,75 @@ +Thu Jul 25 11:08:46 UTC 2019 - [email protected] + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Wed Jul 24 21:23:28 UTC 2019 - Michael Ströder <[email protected]> + +- Update to upstream release 2.4.48 with security fixes: + * CVE-2019-13057 (ITS#9038): + rootdn of any db can assert any identity + * CVE-2019-13565 (ITS#9052): + Unauthorized access caused by incorrect handling of SASL SSF values +- Fix CVE-2017-17740 by disabling nops overlay not maintained by upstream + (see also bsc#1073313, comment #36) +- Removed obsolete patches: + * 0002-openldap-its8727-plug-ber-leaks.patch + * 0017-Fix-segfault-in-nops.patch + +OpenLDAP 2.4.48 (2019/07/24) + Added libldap OpenSSL Elliptic Curve support (ITS#7595) + Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671) + Added slapd-monitor support for slapd-mdb (ITS#7770) + Fixed liblber leaks (ITS#8727) + Fixed liblber with partial flush (ITS#8864) + Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980) + Fixed libldap ASYNC connections with Solaris 10 (ITS#8968) + Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585) + Fixed libldap to be able to unset syncrepl TLS options (ITS#7042) + Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450) + Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674) + Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754) + Fixed libldap to correctly close TLS connection (ITS#8755) + Fixed libldap with non-blocking TLS and referals (ITS#8167) + Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353) + Fixed liblunicode case correspondance (ITS#8508) + Fixed slapd with an idletimeout of less than four seconds (ITS#8952) + Fixed slapd config parser variable for Windows64 (ITS#9012) + Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015) + Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999) + Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037) + Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038) + Fixed slapd to initialize SASL SSF per connection (ITS#9052) + Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) + Fixed slapd-ldap starttls connections timeout behavior (ITS#8963) + Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997) + Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743) + Fixed slapd-meta assertion when network interface goes down (ITS#8841) + Fixed slapd-mdb fix bitshift integer overflow (ITS#8989) + Fixed slapd-mdb index cleanup with cn=config (ITS#8472) + Fixed slapd-mdb to improve performance with alias deref (ITS#7657) + Fixed slapo-accesslog possible assert with exops (ITS#8971) + Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637) + Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799) + Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663) + Fixed slapo-memberof for group name change to itself (ITS#9000) + Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349) + Fixed slapo-rwm to not free original filter (ITS#8964) + Fixed slapo-syncprov contextCSN generation (ITS#9015) + Build Environment + Fixed slapd to only link to BDB libraries with static build (ITS#8948) + Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794) + Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041) + Documentation + General - Fixed minor typos (ITS#8764, ITS#8761) + admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031) + slapd.access(5) - Note MDB is the primary backend (ITS#8881) + slapd.backends(5) - Note MDB is the recommended backend (ITS#8771) + slapd-ldap(5) - Document starttls parameter (ITS#8693) + Contrib + Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721) + +------------------------------------------------------------------- Old: ---- 0002-openldap-its8727-plug-ber-leaks.patch 0017-Fix-segfault-in-nops.patch SuSEfirewall2.openldap openldap-2.4.47.tgz New: ---- openldap-2.4.48.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.bNCtTA/_old 2019-07-31 14:13:56.898883765 +0200 +++ /var/tmp/diff_new_pack.bNCtTA/_new 2019-07-31 14:13:56.902883763 +0200 @@ -22,7 +22,7 @@ %endif %define run_test_suite 0 -%define version_main 2.4.47 +%define version_main 2.4.48 %if %{suse_version} >= 1310 && %{suse_version} != 1315 %define _rundir /run/slapd @@ -53,12 +53,10 @@ Source12: slapd.conf.example Source13: start Source14: slapd.service -Source15: SuSEfirewall2.openldap Source16: sysconfig.openldap Source17: openldap_update_modules_path.sh Source18: openldap2.conf Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch -Patch2: 0002-openldap-its8727-plug-ber-leaks.patch Patch3: 0003-LDAPI-socket-location.dif Patch5: 0005-pie-compile.dif Patch7: 0007-Recover-on-DB-version-change.dif @@ -67,7 +65,6 @@ Patch11: 0011-openldap-re24-its7796.patch Patch15: openldap-r-only.dif Patch16: 0016-Clear-shared-key-only-in-close-function.patch -Patch17: 0017-Fix-segfault-in-nops.patch Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source201: %{name_ppolicy_check_module}.Makefile Source202: %{name_ppolicy_check_module}.conf @@ -169,7 +166,6 @@ denyop lastbind writes last bind timestamp to entry noopsrch handles no-op search control -nops pw-sha2 generates/validates SHA-2 password hashes pw-pbkdf2 generates/validates PBKDF2 password hashes smbk5pwd generates Samba3 password hashes (heimdal krb disabled) @@ -256,7 +252,6 @@ # Unpack and patch OpenLDAP 2.4 %setup -q -a 9 -n openldap-%{version_main} %patch1 -p1 -%patch2 -p1 %patch3 -p1 %patch5 -p1 %patch7 -p1 @@ -265,7 +260,6 @@ %patch11 -p1 %patch15 -p1 %patch16 -p1 -%patch17 -p1 cp %{SOURCE5} . # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ @@ -312,7 +306,7 @@ make depend make %{?_smp_mflags} # Build selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" done @@ -356,7 +350,7 @@ # Additional symbolic link to slapd executable in /usr/sbin/ ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd # Install selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install done @@ -396,8 +390,6 @@ install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap -install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete rm -rf doc/guide/release @@ -473,7 +465,6 @@ %files %defattr(-,root,root) -%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openldap %config %{_sysconfdir}/openldap/schema/*.schema %config %{_sysconfdir}/openldap/schema/*.ldif %config(noreplace) /etc/sasl2/slapd.conf @@ -589,7 +580,6 @@ %{_libdir}/openldap/autogroup.* %{_libdir}/openldap/lastbind.* %{_libdir}/openldap/noopsrch.* -%{_libdir}/openldap/nops.* %{_libdir}/openldap/pw-sha2.* %{_libdir}/openldap/pw-pbkdf2.* %{_libdir}/openldap/denyop.* ++++++ openldap-2.4.47.tgz -> openldap-2.4.48.tgz ++++++ ++++ 16432 lines of diff (skipped)
