Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Ryan Tandy

On Wed, Jun 13, 2018 at 07:13:24PM +0100, Adam D. Barratt wrote:

> Please go ahead.


Thank you. Uploaded and accepted.



Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2018-06-09 at 18:32 -0700, Ryan Tandy wrote:
> Please consider this openldap update for jessie. I apologize for the 
> late request and will understand if it doesn't make it.
> 
>   * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
> 
[...]
>   * Import upstream patches to fix memory corruption caused by calling
>     sasl_client_init() multiple times and possibly concurrently.
>     (ITS#8648) (Closes: #860947)
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #901194 [release.debian.org] jessie-pu: package 
openldap/2.4.40+dfsg-1+deb8u4
Added tag(s) confirmed.

-- 
901194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

2018-06-09 Thread Ryan Tandy
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear OSRM,

Please consider this openldap update for jessie. I apologize for the 
late request and will understand if it doesn't make it.

  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

I would like to apply this fix in jessie to ensure that if openldap gets 
a security update during jessie LTS, affected systems will be able to 
install it. As well there may be some users who choose to upgrade from 
wheezy after its LTS ends. I have tested both upgrade scenarios 
(jessie->jessie and wheezy->jessie).

For avoidance of doubt: this includes the changes also proposed for 
stretch in #901192 (the affected code is always executed in 
wheezy->jessie upgrades).

  * Import upstream patches to fix memory corruption caused by calling
    sasl_client_init() multiple times and possibly concurrently.
    (ITS#8648) (Closes: #860947)

This issue affected several slapd users and came with a variety of 
symptoms. A typical example of an affected setup would be a multi-master 
setup where replication is authenticated using Kerberos (SASL/GSSAPI). 
These patches have been applied in stretch (in +deb9u1) and in Ubuntu 
xenial, with no regressions reported.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u openldap-2.4.40+dfsg/debian/changelog 
openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
+
+  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+  * Import upstream patches to fix memory corruption caused by calling 
+sasl_client_init() multiple times and possibly concurrently.
+(ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy   Tue, 05 Jun 2018 20:16:25 -0700
+
 openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
 
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free 
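Review bot: The new 2.4.40+dfsg-1+deb8u4 entry does not name the files it touches, while the deb8u3 entry just below it names its patch as debian/patches/ITS-8655-paged-results-double-free.patch. Naming the two ITS-8648 patch files and debian/slapd.scripts-common in the respective bullets would let someone auditing the package map each changelog line to the change that implements it.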
diff -u openldap-2.4.40+dfsg/debian/patches/series 
openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -29,0 +30,2 @@
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch
diff -u openldap-2.4.40+dfsg/debian/slapd.scripts-common 
openldap-2.4.40+dfsg/debian/slapd.scripts-common
--- openldap-2.4.40+dfsg/debian/slapd.scripts-common
+++ openldap-2.4.40+dfsg/debian/slapd.scripts-common
@@ -100,7 +100,7 @@
 }
 # }}}
 update_databases_permissions() {   # {{{
-   get_suffix | while read suffix; do
+   get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
update_permissions "$dbdir"
done
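Review bot: In update_databases_permissions, read -r stops the backslash from being consumed, but without IFS= the read still strips leading and trailing whitespace from each line of get_suffix output. If suffixes are meant to pass through byte for byte, "while IFS= read -r suffix" is the safer idiom, and the same applies to the two other loops changed in this file.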
@@ -163,11 +163,11 @@
 
dir=`database_dumping_destdir`
echo >&2 "  Dumping to $dir: "
-   (get_suffix | while read suffix; do
+   (get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
if [ -n "$dbdir" ]; then
file="$dir/$suffix.ldif"
-   echo -n "  - directory $suffix... " >&2
+   printf '  - directory %s... ' "$suffix" >&2
# Need to support slapd.d migration from preinst
if [ -f "${SLAPD_CONF}" ]; then
slapcat_opts="-g -f ${SLAPD_CONF}"
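Review bot: The context line file="$dir/$suffix.ldif" still builds the dump filename from the raw suffix, which matters more now that read -r hands the suffix through unmodified. The printf change fixes the progress message, but a suffix containing a backslash or a "/" ends up verbatim in the path. It is worth confirming that the load side derives exactly the same name, and deciding how a suffix containing "/" should be handled, since it is treated as a path separator here.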
@@ -194,7 +194,7 @@
 
dir=`database_dumping_destdir`
echo >&2 "  Loading from $dir: "
-   get_suffix | while read suffix; do
+   get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
if [ -z "$dbdir" ]; then
continue
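Review bot: In the load loop, the context lines skip a suffix with "continue" whenever get_directory returns an empty $dbdir, and nothing is printed. Since this change exists because suffixes were being altered on the way through, a one-line warning to stderr before the "continue" would make a suffix that fails to resolve visible during an upgrade instead of skipping it without a trace.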
@@ -206,11 +206,11 @@
fi
 
file="$dir/$suffix.ldif"
-   echo -n "  - directory $suffix... " >&2
+   printf '  - directory %s... ' "$suffix" >&2
 
# If there is an old DB_CONFIG file, restore it before
# running slapadd
-   backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+   backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
if [ -e "$backupdir"/DB_CONFIG ]; then
cp -a "$backupdir"/DB_CONFIG "$dbdir"/
fi
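Review bot: The switch to a quoted "$(...)" is applied only to the backupdir assignment; the dbdir=`get_directory "$suffix"` assignments shown in the other hunks still use backticks. Converting them in the same change would keep the file consistent and avoid the different backslash handling inside backticks if a literal backslash is ever added to those command lines.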
@@ -249,7 +249,7 @@
 # }}}
 move_incompatible_databases_away() {   # {{{
echo >&2 "  Moving old database directories to /var/backups:"
-