Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear OSRM,

Please consider this openldap update for jessie. I apologize for the
late request and will understand if it doesn't make it.

* Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

I would like to apply this fix in jessie to ensure that if openldap gets
a security update during jessie LTS, affected systems will be able to
install it. As well there may be some users who choose to upgrade from
wheezy after its LTS ends. I have tested both upgrade scenarios
(jessie->jessie and wheezy->jessie).

For avoidance of doubt: this includes the changes also proposed for
stretch in #901192 (the affected code is always executed in
wheezy->jessie upgrades).

* Import upstream patches to fix memory corruption caused by calling
  sasl_client_init() multiple times and possibly concurrently.
  (ITS#8648) (Closes: #860947)

This issue affected several slapd users and came with a variety of
symptoms. A typical example of an affected setup would be a multi-master
setup where replication is authenticated using Kerberos (SASL/GSSAPI).
These patches have been applied in stretch (in +deb9u1) and in Ubuntu
xenial, with no regressions reported.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u openldap-2.4.40+dfsg/debian/changelog
openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
+
+ * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+ * Import upstream patches to fix memory corruption caused by calling
+sasl_client_init() multiple times and possibly concurrently.
+(ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy Tue, 05 Jun 2018 20:16:25 -0700
+
openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
* debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
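Review bot: The second bullet of the new 2.4.40+dfsg-1+deb8u4 entry says "Import upstream patches" without naming them, while the entry directly below names its file (debian/patches/ITS-8655-paged-results-double-free.patch). Naming the two ITS-8648 patch files in that bullet, and saying in the first bullet that the fix is in debian/slapd.scripts-common, would make the entry easier to audit later.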
diff -u openldap-2.4.40+dfsg/debian/patches/series
openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -29,0 +30,2 @@
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch
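Review bot: Both added series entries point at files under debian/patches that are not in the portion of the debdiff shown here, so their content cannot be reviewed from this hunk; please confirm the two new patch files are part of the upload. Because quilt applies series entries top to bottom, also confirm that ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch is meant to apply before ITS-8648-init-SASL-library-in-global-init.patch.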
diff -u openldap-2.4.40+dfsg/debian/slapd.scripts-common
openldap-2.4.40+dfsg/debian/slapd.scripts-common
--- openldap-2.4.40+dfsg/debian/slapd.scripts-common
+++ openldap-2.4.40+dfsg/debian/slapd.scripts-common
@@ -100,7 +100,7 @@
}
# }}}
update_databases_permissions() { # {{{
- get_suffix | while read suffix; do
+ get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
update_permissions "$dbdir"
done
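Review bot: In update_databases_permissions the loop is now "while read -r suffix", which keeps backslashes, but without an empty IFS the read builtin still trims leading and trailing whitespace from each line. Using "while IFS= read -r suffix" would pass the suffix through byte for byte; the same applies to the two other get_suffix loops changed in this file.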
@@ -163,11 +163,11 @@
dir=`database_dumping_destdir`
echo >&2 " Dumping to $dir: "
- (get_suffix | while read suffix; do
+ (get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
if [ -n "$dbdir" ]; then
file="$dir/$suffix.ldif"
- echo -n " - directory $suffix... " >&2
+ printf ' - directory %s... ' "$suffix" >&2
# Need to support slapd.d migration from preinst
if [ -f "${SLAPD_CONF}" ]; then
slapcat_opts="-g -f ${SLAPD_CONF}"
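Review bot: file="$dir/$suffix.ldif" still uses the suffix unmodified as a file name. With read -r the dump file name now contains the backslash literally, and a suffix containing "/" would resolve to a path inside a subdirectory of $dir that may not exist. If that case is out of scope, a short comment saying so would help; otherwise encode the suffix before building the path, in the same way on the dump and load sides.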
@@ -194,7 +194,7 @@
dir=`database_dumping_destdir`
echo >&2 " Loading from $dir: "
- get_suffix | while read suffix; do
+ get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
if [ -z "$dbdir" ]; then
continue
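Review bot: The context line echo >&2 " Loading from $dir: " still passes an expanded variable to echo, and the System Information above shows /bin/sh is dash, whose echo interprets backslash escapes. That is the same class of problem this patch fixes for $suffix with printf. If database_dumping_destdir can return a path containing a backslash, use printf with a %s format here and in the matching "Dumping to $dir" line; if it cannot, a comment stating that would settle it.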
@@ -206,11 +206,11 @@
fi
file="$dir/$suffix.ldif"
- echo -n " - directory $suffix... " >&2
+ printf ' - directory %s... ' "$suffix" >&2
# If there is an old DB_CONFIG file, restore it before
# running slapadd
- backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+ backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
if [ -e "$backupdir"/DB_CONFIG ]; then
cp -a "$backupdir"/DB_CONFIG "$dbdir"/
fi
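Review bot: The backupdir assignment is the only command substitution converted from backticks to a quoted $(...), while dbdir=`get_directory "$suffix"` in the other hunks keeps backticks. A plain assignment is not field-split in either form, so if this change is cosmetic, either drop it to keep the stable update minimal or convert the remaining backtick uses for consistency; if it fixes something specific to compute_backup_path, say so in the changelog.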
@@ -249,7 +249,7 @@
# }}}
move_incompatible_databases_away() { # {{{
echo >&2 " Moving old database directories to /var/backups:"
-