Hello community, here is the log from the commit of package openldap2 for openSUSE:11.3 checked in at Thu Mar 3 10:35:40 CET 2011. --------
--- old-versions/11.3/all/openldap2/openldap2-client.changes 2010-07-05 15:27:17.000000000 +0200
+++ 11.3/openldap2/openldap2-client.changes 2011-03-03 10:35:09.253341000 +0100
@@ -1,0 +2,17 @@
+Tue Mar 1 13:15:45 UTC 2011 - rhafer@suse.de
+
+- ModRDN Operations with an empty old DN value and "remove old RDN"
+ enabled could crash the LDAP Server (bnc#674985, ITS#6768)
+- Using the password policy overlay in a chainging setup (with
+ "ppolicy_forward_updates" enabled) could cause BIND operations
+ to return SUCCESS even if the wrong password was sent.
+ (bnc#674985, ITS#6607)
+
+-------------------------------------------------------------------
+Thu Aug 26 13:58:02 UTC 2010 - rhafer@novell.com
+
+- Fix RPM Group and Summary Tags (bnc#624980)
+- Fix listener URIs in init script to make SLP registration work
+ again (bnc#620389)
+
+-------------------------------------------------------------------
openldap2.changes: same change Package does not exist at destination yet. Using Fallback old-versions/11.3/all/openldap2 Destination is old-versions/11.3/UPDATES/all/openldap2 calling whatdependson for 11.3-i586 New: ---- fix-modrdn-with-empty-olddn-ITS-6768-dif forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ openldap2-client.spec ++++++
--- /var/tmp/diff_new_pack.1qEk1l/_old 2011-03-03 10:35:17.000000000 +0100
+++ /var/tmp/diff_new_pack.1qEk1l/_new 2011-03-03 10:35:17.000000000 +0100
@@ -1,7 +1,7 @@ # -# spec file for package openldap2-client (Version 2.4.21) +# spec file for package openldap2-client # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,7 +28,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel %endif Version: 2.4.21 -Release: 7 +Release: 10.<RELEASE2> Url: http://www.openldap.org License: BSD3c(or similar) ; openldap 2.8 %if "%{name}" == "openldap2" @@ -62,6 +62,8 @@ Patch11: slapd-bconfig-del-db.dif Patch12: Syncprov-might-lose-deletes-ITS-6555.dif Patch13: slapd-modrdn-crash-ITS-6570.dif +Patch14: forwarded-bind-failure-messages-cause-success-ITS-6607-dif +Patch15: fix-modrdn-with-empty-olddn-ITS-6768-dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -184,6 +186,8 @@ %patch11 %patch12 -p1 %patch13 -p1 +%patch14 -p1 +%patch15 -p1 %if %suse_version == 1100 %patch200 -p1 %endif openldap2.spec: same change ++++++ fix-modrdn-with-empty-olddn-ITS-6768-dif ++++++
From ba289e47bdabdbfd5849254e34143b100fe4778d Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Tue, 4 Jan 2011 19:44:43 +0000 Subject: fix modrdn with empty olddn (ITS#6768)
slapd crashes when processing a modrdn operation with an empty olddn parameter and "remove old DN" enabled. (bnc#674985) diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index e143a7b..06ea25c 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c @@ -392,7 +392,9 @@ slap_modrdn2mods( LDAPRDN new_rdn = NULL; assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ); - assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) ); + + /* if requestDN is empty, silently reset deleteOldRDN */ + if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0; if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn, (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) { -- 1.7.3.4 ++++++ forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++
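Review bot: The `assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) )` kept directly above the new check is the same pattern this patch removes for `o_req_dn`: if an empty new RDN can ever reach slap_modrdn2mods, slapd still aborts instead of returning an error. The hunk does not show whether callers validate the new RDN first, so that should be confirmed, or the assert turned into an error return through `rs`. The new reset is also invisible to operators; because it rewrites a field of the client's request, a debug-level log line next to `op->orr_deleteoldrdn = 0;` would make such requests traceable. slap_modrdn2mods starts and ends outside the hunk.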
From b25bdefdd9f2331f9094ee082b15571ba9921483 Mon Sep 17 00:00:00 2001 From: quanah <quanah> Date: Mon, 10 Jan 2011 20:36:19 +0000 Subject: forwarded bind failure messages cause success (ITS#6607)
Original log from CVS: Add rev 1.77 of chain.c for control callbacks ITS#6475, ITS#6607 bnc#674985 CVE-2011-1024 diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index d7d4f64..c0a1ed4 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -854,6 +854,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) /* we need this to know if back-ldap returned any result */ lb.lb_lc = lc; + sc2.sc_next = sc->sc_next; sc2.sc_private = &lb; sc2.sc_response = ldap_chain_cb_response; op->o_callback = &sc2; @@ -947,6 +948,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) case LDAP_SUCCESS: case LDAP_REFERRAL: + sr_err = rs->sr_err; /* slapd-ldap sent response */ if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) { /* FIXME: should we send response? */ @@ -974,7 +976,7 @@ cannot_chain:; default: #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ if ( LDAP_CHAIN_RETURN_ERR( lc ) ) { - rs->sr_err = rc; + sr_err = rs->sr_err = rc; rs->sr_type = sr_type; } else { @@ -992,7 +994,8 @@ cannot_chain:; } if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) { - op->o_callback = NULL; + /* give the remaining callbacks a chance */ + op->o_callback = sc->sc_next; rc = rs->sr_err = slap_map_api2result( rs ); send_ldap_result( op, rs ); } -- 1.7.3.4 ++++++ openldap-rc.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rc.ldap new/rc.ldap --- old/rc.ldap 2010-05-10 14:37:08.000000000 +0200 +++ new/rc.ldap 2010-08-26 15:57:37.000000000 +0200 @@ -57,7 +57,7 @@ LDAP_URLS="$LDAP_URLS ldap://$iface" done else - LDAP_URLS="ldap://" + LDAP_URLS="ldap:///" fi ;; esac @@ -73,7 +73,7 @@ LDAPI_URLS="$LDAPI_URLS ldapi://$esc_iface" done else - LDAPI_URLS="ldapi://" + LDAPI_URLS="ldapi:///" fi ;; esac 
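Review bot: The two new `sr_err` assignments (`sr_err = rs->sr_err;` under `case LDAP_SUCCESS: case LDAP_REFERRAL:` and `sr_err = rs->sr_err = rc;` in the `LDAP_CHAIN_RETURN_ERR` branch) carry the security fix but have no comment, so their purpose cannot be read from the code. `sr_err` appears to be a saved copy of the reply code that is written back into `rs` after the visible lines; if so, a comment such as `/* keep the chained result; the saved sr_err is restored into rs below */` would keep a later cleanup from reintroducing a bind that reports success after the remote server rejected it. A regression test that forwards a bind with a wrong password through the chain overlay and expects a non-success result would pin the behaviour. ldap_chain_response starts and ends outside these hunks.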
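Review bot: The three fallback assignments (`LDAP_URLS="ldap:///"` and `LDAPI_URLS="ldapi:///"` here, `LDAPS_URLS="ldaps:///"` in the following hunk) have no comment explaining why the third slash matters, so the change reads like a typo fix and is easy to revert. A line such as `# empty host part: full URL form, needed for SLP registration (bnc#620389)` above each assignment would record the reason given in the changelog. For `ldap` and `ldaps` the empty-host form makes slapd listen on every interface, so it is worth stating in the same comment that this `else` branch is the default when no interface list is configured. The surrounding `case` block starts and ends outside the hunks.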
@@ -88,7 +88,7 @@ LDAPS_URLS="$LDAPS_URLS ldaps://$iface" done else - LDAPS_URLS="ldaps://" + LDAPS_URLS="ldaps:///" fi ;; esac ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org