Hello community, here is the log from the commit of package openldap2 for openSUSE:11.2 checked in at Thu Mar 3 10:34:56 CET 2011. --------
--- old-versions/11.2/UPDATES/all/openldap2/openldap2-client.changes 2010-07-01 15:40:54.000000000 +0200
+++ 11.2/openldap2/openldap2-client.changes 2011-03-03 10:34:31.917318000 +0100
@@ -1,0 +2,10 @@
+Tue Mar 1 13:15:45 UTC 2011 - rhafer@suse.de
+
+- ModRDN Operations with an empty old DN value and "remove old RDN"
+ enabled could crash the LDAP Server (bnc#674985, ITS#6768)
+- Using the password policy overlay in a chainging setup (with
+ "ppolicy_forward_updates" enabled) could cause BIND operations
+ to return SUCCESS even if the wrong password was sent.
+ (bnc#674985, ITS#6607)
+
+-------------------------------------------------------------------
openldap2.changes: same change calling whatdependson for 11.2-i586 New: ---- fix-modrdn-with-empty-olddn-ITS-6768-dif forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++
--- /var/tmp/diff_new_pack.HM97Sk/_old 2011-03-03 10:34:42.000000000 +0100
+++ /var/tmp/diff_new_pack.HM97Sk/_new 2011-03-03 10:34:42.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package openldap2-client (Version 2.4.17)
+# spec file for package openldap2-client
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
 %endif
 Version: 2.4.17
-Release: 5.<RELEASE4>
+Release: 5.<RELEASE6>
 Url: http://www.openldap.org
 License: BSD3c(or similar) ; openldap 2.8
 %if "%{name}" == "openldap2"
@@ -64,6 +64,8 @@
 Patch15: libldap-tls_chkhost-its6239.dif
 Patch16: Syncprov-might-lose-deletes-ITS-6555.dif
 Patch17: slapd-modrdn-crash-ITS-6570.dif
+Patch18: forwarded-bind-failure-messages-cause-success-ITS-6607-dif
+Patch19: fix-modrdn-with-empty-olddn-ITS-6768-dif
 Patch100: openldap-2.3.37.dif
 Patch200: slapd_getaddrinfo_dupl.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -189,6 +191,8 @@
 %patch15
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 %if %suse_version == 1100
 %patch200 -p1
 %endif
openldap2.spec: same change ++++++ fix-modrdn-with-empty-olddn-ITS-6768-dif ++++++
From 80a3b25154a6d99ad154acd423ebd917abb375d7 Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Tue, 4 Jan 2011 19:44:43 +0000 Subject: fix modrdn with empty olddn (ITS#6768)
slapd crashes when processing a modrdn operation with an empty olddn parameter and "remove old DN" enabled. (bnc#674985) diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index e143a7b..06ea25c 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -392,7 +392,9 @@ slap_modrdn2mods( LDAPRDN new_rdn = NULL; assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ); - assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) ); + + /* if requestDN is empty, silently reset deleteOldRDN */ + if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0; if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn, (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) { -- 1.7.3.4 ++++++ forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++
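Review bot: The `assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) )` kept as context at the top of this hunk is the same pattern the patch removes for `o_req_dn`: an assertion on a value taken from the request aborts slapd in builds where asserts are active. Whether an empty newrdn can reach slap_modrdn2mods is not visible here (the function starts and ends outside the hunk), so either confirm that the caller rejects it or return an error instead of asserting. The new guard also rewrites `op->orr_deleteoldrdn` in place, so anything that reads the operation afterwards sees 0 rather than what the client sent; the comment could say so, e.g. `/* empty requestDN has no old RDN to delete: clear deleteOldRDN on the op itself (ITS#6768) */`.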
From 89beae773738d6e688e2d40e1c5536ef4075de00 Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Mon, 10 Jan 2011 20:36:19 +0000 Subject: forwarded bind failure messages cause success (ITS#6607)
Original log from CVS: Add rev 1.77 of chain.c for control callbacks ITS#6475, ITS#6607 bnc#674985 CVE-2011-1024 diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index 4b6a24a..11e96a3 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -854,6 +854,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) /* we need this to know if back-ldap returned any result */ lb.lb_lc = lc; + sc2.sc_next = sc->sc_next; sc2.sc_private = &lb; sc2.sc_response = ldap_chain_cb_response; op->o_callback = &sc2; @@ -947,6 +948,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) case LDAP_SUCCESS: case LDAP_REFERRAL: + sr_err = rs->sr_err; /* slapd-ldap sent response */ if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) { /* FIXME: should we send response? */ @@ -974,7 +976,7 @@ cannot_chain:; default: #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ if ( LDAP_CHAIN_RETURN_ERR( lc ) ) { - rs->sr_err = rc; + sr_err = rs->sr_err = rc; rs->sr_type = sr_type; } else { @@ -992,7 +994,8 @@ cannot_chain:; } if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) { - op->o_callback = NULL; + /* give the remaining callbacks a chance */ + op->o_callback = sc->sc_next; rc = rs->sr_err = slap_map_api2result( rs ); send_ldap_result( op, rs ); } -- 1.7.3.4 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
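Review bot: `sc2.sc_next = sc->sc_next;` in the first hunk (-854) has no comment, although it is the counterpart of the commented `op->o_callback = sc->sc_next;` in the last hunk (-992); together they keep the callbacks that follow this one reachable while the chained operation runs. I would add `/* link to the callbacks after ours so they still see the chained response */` above it. `sc2` looks like a local whose address is stored in `op->o_callback`, and the last hunk leaves `op->o_callback` pointing at `sc->sc_next`. The restore to `sc` before return is not visible in these hunks, since ldap_chain_response continues outside them, so it is worth confirming on every exit path.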
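Review bot: The two `sr_err` assignments (under `case LDAP_SUCCESS:` / `case LDAP_REFERRAL:` in the -947 hunk and in the `LDAP_CHAIN_RETURN_ERR` branch in the -974 hunk) carry the whole security fix, but nothing in the code says so. `sr_err` looks like a saved copy of the result code that is written back to `rs->sr_err` outside these hunks (inferred; the restore is not visible here), so any other branch of the switch that does not refresh it could still report a stale code, which for a forwarded bind means the client sees SUCCESS after a wrong password. I would add a comment such as `/* keep the chained result; a stale sr_err here turned failed forwarded binds into success (ITS#6607) */` above `sr_err = rs->sr_err;` and check the remaining branches for the same omission. A regression test that binds with a wrong password through the chain overlay with `ppolicy_forward_updates` enabled would pin the behaviour.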