I can confirm that the following packages from xenial-proposed fix the bug:
slapd 2.4.42+dfsg-2ubuntu3.1
libldap-2.4-2 2.4.42+dfsg-2ubuntu3.1
ldap-utils 2.4.42+dfsg-2ubuntu3.1

I did not test the packages in wily-proposed. Setting up the test
environment is not trivial, and I don't think it is worthwhile to make
this effort for a release that goes out of support in two months and
has already been superseded by an LTS release.

I apologize for the delay in replying to the verification request. This
was caused by an unpleasant surprise encountered while testing the new
packages. I attempted to recreate the test environment to mimic the
setup in which I originally encountered this bug, but I did so slightly
differently - and discovered another OpenLDAP bug that had basically the
same symptoms. It was not immediately clear whether this situation was
some unfixed edge case of the bug reported here, or if it was an
entirely separate bug. Further analysis showed that it was the latter:
the root cause is entirely different and the similarities are coincidental.
For reference, the report for the new bug can be found at
http://www.openldap.org/its/index.cgi?findid=8427

Testing methodology and environment:

Tests were done with both fixed and unfixed versions of affected
packages, i.e. 2.4.42+dfsg-2ubuntu3 and 2.4.42+dfsg-2ubuntu3.1. Note
that symptoms of this bug are intermittent, and several iterations may
be needed for them to surface.

1. Configure two LDAP servers in dual master replication setup using slapd.conf 
config file as shown below.
2. Provide the servers with TLS certificates that are correct but use 1024-bit 
public key. (Note: SECURE256 requires 4096-bit RSA key)
3. Set tls_reqcert to allow in slapd.conf.
4. Start slapd on both servers.
5. Stop and restart slapd on server A.
6. Server B will write errors to syslog:
   slapd: do_syncrep2: rid=001 (-1) Can't contact LDAP server
   slapd: do_syncrepl: rid=001 rc -1 retrying (9 retries left)

Result when using fixed packages:
After predefined time server B will retry replication, and we won't see any 
further error messages.

Result when using unfixed packages:
Server B produces the following messages in a loop:
   slapd: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
   slapd: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)

The relevant parts of slapd.conf: (for server A at 10.0.0.1)

loglevel        1
serverID        001
moduleload      syncprov
TLSCipherSuite          SECURE256:-VERS-SSL3.0
TLSCACertificateFile    /etc/ldap/ssl/ca.pem
TLSCertificateFile      /etc/ldap/ssl/srvA.pem
TLSCertificateKeyFile   /etc/ldap/ssl/srvA.key
syncrepl rid=001
        provider=ldaps://10.0.0.2
        type=refreshAndPersist
        retry="30 10 300 +" 
        searchbase="dc=test"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=root,dc=test"
        credentials="plaintext-password"
        tls_reqcert=allow
        keepalive="240:5:10"
mirrormode  TRUE
overlay     syncprov
syncprov-checkpoint 10 1440


** Tags removed: verification-needed
** Tags added: verification-done
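The verification above relies on reading the syslog output of the consumer (server B) and telling a single retry that recovers apart from the endless retry loop of the unfixed packages. The following is an added example, not part of the bug comment or of the OpenLDAP project, that parses the two message formats quoted above and also expands a syncrepl retry="..." string so that the "(9 retries left)" counter can be checked against the configured schedule. The syslog lines embedded in it are constructed for the example (hostnames, PIDs and timestamps are made up); the message bodies follow the ones quoted in the comment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Message formats quoted in the bug comment (syslog prefix is skipped by search()).
RETRY_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+) retrying \((\d+) retries left\)")
CONTACT_RE = re.compile(r"do_syncrep2: rid=(\d+) \((-?\d+)\) Can't contact LDAP server")
BIND_FAIL_RE = re.compile(
    r'slap_client_connect: URI=(\S+) DN="([^"]*)" ldap_sasl_bind_s failed \((-?\d+)\)'
)

# Constructed sample logs (not real captures): "fixed" shows one retry and then
# silence, "unfixed" shows the retry counter counting down with bind failures.
FIXED_LOG = """\
Jun 10 12:00:01 srvB slapd[1234]: do_syncrep2: rid=001 (-1) Can't contact LDAP server
Jun 10 12:00:01 srvB slapd[1234]: do_syncrepl: rid=001 rc -1 retrying (9 retries left)
"""

UNFIXED_LOG = """\
Jun 10 12:00:01 srvB slapd[1234]: do_syncrep2: rid=001 (-1) Can't contact LDAP server
Jun 10 12:00:01 srvB slapd[1234]: do_syncrepl: rid=001 rc -1 retrying (9 retries left)
Jun 10 12:00:31 srvB slapd[1234]: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)
Jun 10 12:00:31 srvB slapd[1234]: do_syncrepl: rid=001 rc -1 retrying (8 retries left)
Jun 10 12:01:01 srvB slapd[1234]: slap_client_connect: URI=ldaps://10.0.0.1 DN="cn=root,dc=test" ldap_sasl_bind_s failed (-1)
Jun 10 12:01:01 srvB slapd[1234]: do_syncrepl: rid=001 rc -1 retrying (7 retries left)
"""


def parse_retry_spec(spec: str) -> List[Tuple[int, Optional[int]]]:
    """Parse a syncrepl retry="<interval> <count> [<interval> <count> ...]" string.

    Returns (interval_seconds, count) phases; count None stands for '+' (retry forever).
    """
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry spec must be interval/count pairs")
    phases = []
    for interval, count in zip(tokens[::2], tokens[1::2]):
        phases.append((int(interval), None if count == "+" else int(count)))
    return phases


def retries_left_after(spec: str, attempts: int) -> Optional[int]:
    """Value slapd would report as '(N retries left)' after `attempts` failed attempts.

    Returns None once the unlimited ('+') phase is reached, and 0 when every
    finite phase is exhausted (the consumer then stops retrying this rid).
    """
    remaining = attempts
    for _interval, count in parse_retry_spec(spec):
        if count is None:
            return None
        if remaining <= count:
            return count - remaining
        remaining -= count
    return 0


def classify_replication(log_text: str, rid: str = "001") -> Dict[str, object]:
    """Summarise the syncrepl consumer state for one rid from syslog text."""
    retries: List[int] = []
    bind_failures = 0
    contact_failures = 0
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            if m.group(1) == rid:
                retries.append(int(m.group(3)))
            continue
        if BIND_FAIL_RE.search(line):
            bind_failures += 1
        elif CONTACT_RE.search(line) and CONTACT_RE.search(line).group(1) == rid:
            contact_failures += 1

    # Unfixed behaviour: the retry counter keeps decreasing while every attempt
    # ends in ldap_sasl_bind_s failing. Fixed behaviour: one retry, then quiet.
    counting_down = len(retries) >= 2 and all(b < a for a, b in zip(retries, retries[1:]))
    if counting_down and bind_failures > 0:
        state = "stuck-retry-loop"
    elif len(retries) == 1 and bind_failures == 0:
        state = "retried-once-no-further-errors"
    elif retries:
        state = "retrying"
    else:
        state = "no-retries-seen"
    return {
        "rid": rid,
        "retry_attempts": len(retries),
        "last_retries_left": retries[-1] if retries else None,
        "bind_failures": bind_failures,
        "contact_failures": contact_failures,
        "state": state,
    }


if __name__ == "__main__":
    print("retry schedule for '30 10 300 +':", parse_retry_spec("30 10 300 +"))
    for name, log in (("fixed", FIXED_LOG), ("unfixed", UNFIXED_LOG)):
        print(name, classify_replication(log))
```

With retry="30 10 300 +" from the slapd.conf above, the first failed attempt leaves 9 retries in the 30-second phase, which is exactly the "(9 retries left)" line in step 6; after ten such attempts the consumer moves to the unlimited 300-second phase, so an unfixed consumer never gives up but never recovers either, which is why watching several iterations matters.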

https://bugs.launchpad.net/bugs/1557248

Title:
  OpenLDAP: Backport a fix for use-after-free in GnuTLS-related code

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Wily:
  Fix Committed
Status in openldap source package in Xenial:
  Fix Committed
Status in openldap source package in Yakkety:
  Fix Released
Status in openldap package in Debian:
  New

Bug description:
  May I ask that you backport an upstream patch that resolves the issue
  of use-after-free in libldap that interferes with syncrepl, causing
  failures and segfaults.

  OpenLDAP commit: 283f3ae1713df449cc170965b311b19157f7b7ea
  Link: 
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=283f3ae1713df449cc170965b311b19157f7b7ea
  Modifications to file: libraries/libldap/tls_g.c

  This problem affects openldap 2.4.41 (in Ubuntu wily), 2.4.42 (in Ubuntu
  xenial), as well as 2.4.44 (current upstream stable version). More details
  are available on the OpenLDAP project bug tracker at:
  http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8385

  Thank you
