Hello community,

here is the log from the commit of package 389-ds for openSUSE:Leap:15.2 checked in at 2020-04-17 13:37:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/389-ds (Old)
 and /work/SRC/openSUSE:Leap:15.2/.389-ds.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "389-ds" Fri Apr 17 13:37:40 2020 rev:23 rq:793928 version:1.4.2.11~git0.aff1a2831 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/389-ds/389-ds.changes 2020-02-22 17:53:21.209881835 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.389-ds.new.2738/389-ds.changes 2020-04-17 13:38:03.312242983 +0200 
@@ -1,0 +2,43 @@ +Tue Apr 07 05:27:28 UTC 2020 - [email protected] + +- Patch rollup as described in bsc#1169364 +- Add rust vendor.tar.gz as a source - rust is still an optional build + and will be enabled in the future. +- Update ns-slapd ownership to remove dirsrv as an owner as dirsrv will + not exist in containers with systemd users. +- Add 0001-Ticket-51014-slapi_pal.c-possible-static-buffer-over.patch to + resolve a warning found in static analysis in OBS (upstream #51014) +- Update to version 1.4.2.11~git0.aff1a2831: + * Bump version to 1.4.2.11 + * Issue 50994 - Fix latest UI bugs found by QE + * Issue 50337 - Replace exec() with setattr() + * Issue 50984 - Memory leaks in disk monitoring + * Issue 50975 - Revise UI branding with new minimized build + * Issue 49437 - Fix memory leak with indirect COS + * Issue 50976 - Clean up Web UI source directory from unused files + * Issue 50744 - -n option of dbverify does not work + * Issue 50952- SSCA lacks basicConstraint:CA + * Bump version to 1.4.2.10 + * Issue 50966 - UI - Database indexes not using typeAhead correctly + * Issue 50974 - UI - wrong title in "Delete Suffix" popup + * Issue 50972 - Fix cockpit plugin build + * Issue 50800 - wildcards in rootdn-allow-ip attribute are not accepted + * Issue 50963 - We should bundle *.min.js files of Console + * Bump version to 1.4.2.9 + * Ticket: 50755 - setting nsslapd-db-home-directory is overriding db_directory + * Issue 50937 - Update CLI for new backend split configuration + * Issue 50499 - Fix npm audit issues + * Issue 50884 - Health check tool DSEldif check fails + * Issue 50926 - Remove dual spinner and other UI fixes + * Issue 49845 - Remove pkgconfig check for libasan + * Issue 50758 - Only Recommend bash-completion, not Require + * Issue 50928 - Unable to create a suffix with countryName + * Issue 50904 - Connect All React Components And Refactor the Main Navigation Tab Code + * Issue 50919 - Backend delete fails using dsconf + * Issue 50872 - dsconf 
can't create GSSAPI replication agreements + * Ticket 50914 - No error returned when adding an entry matching filters for a non existing automember group + * Issue 50909 - nsDS5ReplicaId cant be set to the old value it had before + * Ticket 50618 - support cgroupv2 + * Ticket 50898 - ldclt core dumped when run with -e genldif option + +------------------------------------------------------------------- Old: ---- 389-ds-base-1.4.2.8~git0.3aaa3e820.tar.bz2 New: ---- 0001-Ticket-51014-slapi_pal.c-possible-static-buffer-over.patch 389-ds-base-1.4.2.11~git0.aff1a2831.tar.bz2 dirsrv-user.conf vendor.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ 389-ds.spec ++++++ --- /var/tmp/diff_new_pack.2SxIA1/_old 2020-04-17 13:38:04.172243630 +0200 +++ /var/tmp/diff_new_pack.2SxIA1/_new 2020-04-17 13:38:04.176243633 +0200 @@ -51,7 +51,7 @@ %define svrcorelib libsvrcore0 Name: 389-ds -Version: 1.4.2.8~git0.3aaa3e820 +Version: 1.4.2.11~git0.aff1a2831 Release: 0 Summary: 389 Directory Server License: GPL-3.0-or-later AND MPL-2.0 @@ -60,7 +60,12 @@ Source: 389-ds-base-%{version}.tar.bz2 Source1: extra-schema.tgz Source2: LICENSE.openldap +%if %{with rust} +Source3: vendor.tar.gz +%endif Source9: %{name}-rpmlintrc +Source10: %{user_group}-user.conf +Patch0: 0001-Ticket-51014-slapi_pal.c-possible-static-buffer-over.patch # 389-ds does not support i686 ExcludeArch: %ix86 BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -78,6 +83,7 @@ BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libtool +BuildRequires: sysuser-tools # net-snmp-devel is needed to build the snmp ldap-agent BuildRequires: net-snmp-devel >= 5.1.2 BuildRequires: openldap2-devel 
@@ -135,6 +141,7 @@ %endif # Needed for creating the ccache and some GSSAPI steps in sasl Requires: krb5 +%sysusers_requires # 389-ds does not directly require gssapi, but it is needed for # ldap gssapi auth, so we recommend it. # This used to be a requirement, but it's actually optional. @@ -149,7 +156,7 @@ PreReq: permissions Obsoletes: 389-ds-base < %{version}-%{release} Provides: 389-ds-base = %{version}-%{release} -%{?systemd_requires} +%{?systemd_ordering} %description 389 Directory Server is a full-featured LDAPv3 compliant server. In @@ -240,9 +247,18 @@ uses the facilities provided by NSS. %prep +# Extract the 389-ds sources. %setup -q -a 1 -n %{name}-base-%{version} +%patch0 -p1 + +# Extract the vendor.tar.gz. The -D -T here prevents removal of the sources +# from the previous setup step. +%if %{with rust} +%setup -q -n %{name}-base-%{version} -D -T -a 3 +%endif %build +%sysusers_generate_pre %{SOURCE10} %{user_group} # Make sure python3 is used in shebangs # FIX ME!! This should be fixed in the source code !!! sed -r -i '1s|^#!\s*%{_bindir}.*python.*|#!%{_bindir}/%{use_python}|' ldap/admin/src/scripts/{*.py,ds-replcheck} src/lib389/cli/ds* @@ -308,6 +324,7 @@ mkdir -p %{buildroot}%{logdir} mkdir -p %{buildroot}%{homedir} mkdir -p %{buildroot}%{lockdir} +mkdir -p %{buildroot}%{_sysusersdir} #remove libtool archives and static libs find %{buildroot} -type f -name "*.la" -delete -print @@ -327,14 +344,9 @@ rm -rv %{buildroot}/usr/share/metainfo/389-console/ mv src/svrcore/README{,.svrcore} mv src/svrcore/LICENSE{,.svrcore} +install -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/ -%pre -if ! getent group %{user_group} >/dev/null; then - %{_sbindir}/groupadd -f -r %{user_group} -fi -if ! getent passwd %{user_group} >/dev/null; then - %{_sbindir}/useradd -r -g %{user_group} -s /sbin/nologin -r -d %{homedir} -c "User for 389 directory server" %{user_group} -fi +%pre -f %{user_group}.pre %post %fillup_only -n dirsrv 
@@ -375,6 +387,7 @@ %defattr(-,root,root) %doc README* %license LICENSE LICENSE.openldap +%{_sysusersdir}/%{user_group}-user.conf %dir %attr(-,%{user_group},%{user_group}) %{homedir} %dir %attr(-,%{user_group},%{user_group}) %{logdir} %config(noreplace) %{_sysconfdir}/dirsrv/config/* @@ -446,7 +459,7 @@ # TODO: audit bug running https://bugzilla.opensuse.org/show_bug.cgi?id=1111564 # This also needs a lot more work on the service file #attr(750,root,dirsrv) #caps(CAP_NET_BIND_SERVICE=pe) #{_sbindir}/ns-slapd -%verify(not caps) %attr(755,root,dirsrv) %{_sbindir}/ns-slapd +%verify(not caps) %attr(755,root,root) %{_sbindir}/ns-slapd %if ! %{with lib389} %{_sbindir}/bak2db %{_sbindir}/bak2db.pl ++++++ 0001-Ticket-51014-slapi_pal.c-possible-static-buffer-over.patch ++++++ >From b213ed417210f223c97369bdb479c6fbe4f49913 Mon Sep 17 00:00:00 2001 From: William Brown <[email protected]> Date: Tue, 7 Apr 2020 16:30:41 +1000 Subject: [PATCH] Ticket 51014 - slapi_pal.c possible static buffer overflow Bug Description: Due to an incorrect use of a buffer size, static analysis in suse detected a possible overflow in slapi pal. However, it requires root permissions to exploit anything, and thus is not a security issues. Fix Description: Change the buffer we read the cgroup into to be maxpathlen size. https://pagure.io/389-ds-base/issue/51014 Author: William Brown <[email protected]> Review by: ??? --- ldap/servers/slapd/slapi_pal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/servers/slapd/slapi_pal.c b/ldap/servers/slapd/slapi_pal.c index 3ae7d12b3..fecc24d4c 100644 --- a/ldap/servers/slapd/slapi_pal.c +++ b/ldap/servers/slapd/slapi_pal.c 
@@ -126,7 +126,7 @@ _spal_dir_exist(char *path) static char * _spal_cgroupv2_path() { FILE *f; - char s[256] = {0}; + char s[MAXPATHLEN + 1] = {0}; char *res = NULL; /* We discover our path by looking at /proc/self/cgroup */ f = fopen("/proc/self/cgroup", "r"); -- 2.24.1 (Apple Git-126) ++++++ 389-ds-base-1.4.2.8~git0.3aaa3e820.tar.bz2 -> 389-ds-base-1.4.2.11~git0.aff1a2831.tar.bz2 ++++++ ++++ 41429 lines of diff (skipped) ++++++ 389-ds-base.obsinfo ++++++ --- /var/tmp/diff_new_pack.2SxIA1/_old 2020-04-17 13:38:06.928245703 +0200 +++ /var/tmp/diff_new_pack.2SxIA1/_new 2020-04-17 13:38:06.928245703 +0200 @@ -1,5 +1,5 @@ name: 389-ds-base -version: 1.4.2.8~git0.3aaa3e820 -mtime: 1581621761 -commit: 3aaa3e820939a3cf321f8397c4ab541a5be38320 +version: 1.4.2.11~git0.aff1a2831 +mtime: 1585768307 +commit: aff1a2831ea3f76ba8864154740a9bc7e3234773 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.2SxIA1/_old 2020-04-17 13:38:06.996245754 +0200 +++ /var/tmp/diff_new_pack.2SxIA1/_new 2020-04-17 13:38:07.000245757 +0200 @@ -6,9 +6,9 @@ <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param> <param name="scm">git</param> <!-- use 1.4 branch --> - <param name="revision">389-ds-base-1.4.2.8</param> + <param name="revision">389-ds-base-1.4.2.11</param> <!-- use 1.4.0.20 tag as base --> - <param name="match-tag">389-ds-base-1.4.2.8</param> + <param name="match-tag">389-ds-base-1.4.2.11</param> <!-- remove the extra prefix from the tag again it looks so funny because the service removed "-" from the string before--> <param name="versionrewrite-pattern">389dsbase(.*)</param> <param name="versionrewrite-replacement">\1</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.2SxIA1/_old 2020-04-17 13:38:07.016245769 +0200 +++ /var/tmp/diff_new_pack.2SxIA1/_new 2020-04-17 13:38:07.016245769 +0200 
@@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://pagure.io/389-ds-base.git</param> - <param name="changesrevision">3aaa3e820939a3cf321f8397c4ab541a5be38320</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">aff1a2831ea3f76ba8864154740a9bc7e3234773</param></service></servicedata> \ No newline at end of file ++++++ dirsrv-user.conf ++++++ #Type Name ID GECOS Home directory Shell g dirsrv - - u dirsrv - "User for 389 directory server" /var/lib/dirsrv /sbin/nologin
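Review bot: in 389-ds.spec, hunk @@ -60,7 +60,12 @@, `Source3: vendor.tar.gz` sits inside `%if %{with rust}`, so a source package built with the rust conditional off will not carry the vendor tarball and the two source RPMs will differ by build option. Declare `Source3` unconditionally and keep only the `%setup ... -D -T -a 3` step in %prep conditional. The changelog entry also does not say how vendor.tar.gz is produced; recording that next to the Source line would let a reviewer regenerate and compare it.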
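Review bot: in 389-ds.spec, hunk @@ -149,7 +156,7 @@, `%{?systemd_requires}` is replaced by `%{?systemd_ordering}` with no matching line in the 389-ds.changes hunk, which documents the ownership change and the patch but not this. The switch turns a hard dependency on systemd into an ordering hint only, so it deserves its own changelog line with the reason (presumably the same container use case given for the ns-slapd ownership change).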
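Review bot: in 389-ds.spec, hunk @@ -327,14 +344,9 @@, together with the new dirsrv-user.conf, the removed scriptlet created the account from `%{user_group}` and `-d %{homedir}`, while the replacement file hardcodes `dirsrv` and `/var/lib/dirsrv`. The spec still refers to the file as `%{user_group}-user.conf` and owns `%{homedir}` as `%{user_group}` in %files, so a change to either macro would silently leave the sysusers entry behind. Add a comment beside `Source10` stating that the literals in the conf must match those macros, or generate the file from them at build time.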
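Review bot: in 389-ds.spec, hunk @@ -446,7 +459,7 @@, the commented-out plan directly above the changed line still reads `#attr(750,root,dirsrv) #caps(CAP_NET_BIND_SERVICE=pe) #{_sbindir}/ns-slapd`, which assumes the dirsrv group that this change removes as owner of ns-slapd. Update or drop that TODO so it does not get revived with a group that, per the changelog, will not exist in containers. It would also help to state in the comment that the binary stays mode 755 with `%verify(not caps)` on purpose.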
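Review bot: in 0001-Ticket-51014-slapi_pal.c-possible-static-buffer-over.patch, hunk @@ -126,7 +126,7 @@ of `_spal_cgroupv2_path()`, only the declaration of `s` changes to `MAXPATHLEN + 1`; the call that reads /proc/self/cgroup into `s` is outside the visible context, so the bound it passes cannot be checked from this patch. If that bound is a literal or a separate constant, declaration and read can drift apart again; passing `sizeof(s)` at the read site ties them together. The commit message also still carries `Review by: ???`, which should be filled in before the patch is carried in the package.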
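Review bot: in _service, hunk @@ -6,9 +6,9 @@, the comment `<!-- use 1.4.0.20 tag as base -->` above `match-tag` no longer matches the value, which is now `389-ds-base-1.4.2.11`. Update the comment, or reword it so it does not name a version, to avoid it going stale on every bump.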
