Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
I would like to apply a few fixes to openldap in stable. These changes
are all in testing already.

The first two changes are related to making sure the package can be
built reliably in stretch.

* Relax the dependency of libldap-2.4-2 on libldap-common to also permit
  later versions. (Closes: #860774)

  openldap manages to have a transitive build-dependency on itself, via
  heimdal-multidev. What's happened a few times now is that libldap-common
  gets built on the fast arch:all buildd and uploaded, then a slower arch
  would go BD-Uninstallable because the libldap-common candidate is newer
  than what the existing libldap-2.4-2 on that arch requires (apt and w-b
  will both only consider the newest available). This relaxes the
  dependency to allow pulling in the newer libldap-common.

  The problem could happen as well when building this version, because
  it's not "fixed" until libldap-2.4-2 is built and installed. If that
  happens I will have to ask my sponsor to perform binary-only uploads on
  any affected arches, as we did in unstable when fixing it there.

* Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
  the underlying kernel bug #866122 is fixed.

  A helper program used by this test gets its registers corrupted on
  ppc64el when run with stretch's kernel and libc, apparently due to some
  interaction between transactional memory (this arch has lock elision
  enabled in glibc) and floating point. The kernel bug is still in
  progress, so we have no recourse but to disable the test on this one
  arch for now. The affected code is in the test suite and is not part of
  the binary packages.

* Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

  This changes the maintainer scripts to use raw read and fixed grep when
  processing LDIF values, to ensure they don't interpret these backslashes
  as escapes.
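The backslash problem behind the olcSuffix fix, shown as an added shell example; this is not code from the openldap package's maintainer scripts, and the LDIF sample, the function names and the suffix value are constructed for illustration:

```shell
#!/bin/sh
# Added example: why extracting LDIF values with plain "read" and a
# regex "grep" breaks on backslashes, and how "read -r" / "grep -F" fix it.

# Constructed sample of a cn=config database entry as slapcat emits it.
# The escaped comma in the suffix is literal data, not a shell escape.
LDIF='dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: ou=Sales\, West,dc=example,dc=com
olcRootDN: cn=admin,ou=Sales\, West,dc=example,dc=com'

# Print the olcSuffix value from $LDIF.
#   naive: plain "read" removes the backslash before ',' (the old bug)
#   fixed: "read -r" keeps the line verbatim
get_suffix() {
    printf '%s\n' "$LDIF" | grep '^olcSuffix: ' | {
        if [ "$1" = fixed ]; then
            read -r _key value
        else
            read _key value
        fi
        printf '%s\n' "$value"
    }
}

# Return 0 if a database with suffix $2 exists in $LDIF.
#   naive: the value is used as a regular expression, so "\," no longer
#          matches the literal backslash in the file (lookup fails)
#   fixed: grep -F treats the value as a fixed string
suffix_present() {
    mode=$1
    suffix=$2
    if [ "$mode" = fixed ]; then
        printf '%s\n' "$LDIF" | grep -qF -- "olcSuffix: $suffix"
    else
        printf '%s\n' "$LDIF" | grep -q -- "olcSuffix: $suffix"
    fi
}

# Demonstration: only the fixed path round-trips the suffix correctly.
suffix=$(get_suffix fixed)
if suffix_present fixed "$suffix"; then
    echo "fixed: found $suffix"
fi
if ! suffix_present naive "$suffix"; then
    echo "naive: lookup failed, an upgrade script would abort here"
fi
```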
The remaining changes are fixes for upstream bugs or regressions.

* Import upstream patch to avoid reading the value of the
  LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
  (ITS#8385) (Closes: #820244)

  The bug report is about replication setups, but theoretically it could
  occur in any program that initiates multiple LDAP client connections
  using the same TLS context. Occasionally it causes the program to crash,
  but more often the symptom is the cert validation option takes on a
  "random" value. This is most often noticed when validation is done
  despite being configured to a permissive setting ("never" or "allow"),
  resulting in negotiation failures in self-signed setups; but in theory
  it could also flip the other way, resulting in validation being *less*
  permissive than configured, so I also consider it a (minor) security
  concern.

* Import upstream patch to fix potential endless replication loop in a
  multi-master delta-syncrepl scenario with 3 or more nodes.
  (ITS#8432) (Closes: #868753)

  This is a regression since jessie. It renders stretch's slapd somewhat
  unreliable for production use, if you run an affected configuration.

* Import upstream patches to fix memory corruption caused by calling
  sasl_client_init() multiple times and possibly concurrently.
  (ITS#8648) (Closes: #860947)

  This is a regression in jessie compared to wheezy. There used to be a
  mutex around the sasl_client_init() call, but upstream removed it in
  2.4.36. Since then, clients that perform SASL binds concurrently on
  multiple threads would experience various symptoms including hangs or
  crashes. This seems to mostly affect slapd setups with multiple
  replication connections (e.g. N-way multi-master) using GSSAPI binds.
diff -Nru openldap-2.4.44+dfsg/debian/changelog
openldap-2.4.44+dfsg/debian/changelog
--- openldap-2.4.44+dfsg/debian/changelog 2017-05-28 09:59:46.0
-0700
+++ openldap-2.4.44+dfsg/debian/changelog 2017-08-10 12:12:46.0
-0700
@@ -1,3 +1,22 @@
+openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium
+
+ * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
+later versions. (Closes: #860774)
+ * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
+the underlying kernel bug #866122 is fixed.
+ * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+ * Import upstream patch to avoid reading the value of the
+LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
+(ITS#8385) (Closes: #820244)
+ * Import upstream patch to fix potential endless replication loop in a
+multi-master delta-syncrepl scenario with 3 or more nodes.
+(ITS#8432) (Closes: #868753)
+ * Import upstream patches to fix memory corruption caused by calling
+sasl_client_init() multiple times and possibly concurrently.
+(ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy Thu, 10
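Review bot: the trailer line at the end of this hunk, `+ -- Ryan Tandy Thu, 10`, is incomplete as shown: a debian/changelog trailer needs the maintainer's email address in angle brackets and a full RFC 2822 date after two spaces, otherwise dpkg-parsechangelog rejects the entry, so please confirm the complete line is present in the actual upload. The hunk header `@@ -1,3 +1,22 @@` also announces 22 lines in the new file while only 18 `+` lines are visible here, so the unchanged context from the previous changelog entry appears to have been cut off in this quoted copy.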