Mailinglist Archive: opensuse-commit (849 mails)

commit openldap2 for openSUSE:11.4

Hello community,

here is the log from the commit of package openldap2 for openSUSE:11.4
checked in at Fri Mar 4 16:15:36 CET 2011.



--------
--- old-versions/11.4/all/openldap2/openldap2-client.changes 2011-01-19
17:54:59.000000000 +0100
+++ 11.4/openldap2/openldap2-client.changes 2011-03-02 10:44:41.000000000
+0100
@@ -1,0 +2,14 @@
+Tue Mar 1 13:15:45 UTC 2011 - rhafer@xxxxxxx
+
+- ModRDN Operations with an empty old DN value and "remove old RDN"
+ enabled could crash the LDAP Server (bnc#674985, ITS#6768)
+- Using the password policy overlay in a chainging setup (with
+ "ppolicy_forward_updates" enabled) could cause BIND operations
+ to return SUCCESS even if the wrong password was sent.
+ (bnc#674985, ITS#6607)
+- Only expose SSS/VLV controls in rootDSE if the sssvlv overlay is
+ at least instanciated once. Solaris clients (and Outlook) have
+ problems connecting to OpenLDAP otherwise (bnc#648479, includes
+ fixes for ITS#6647, ITS#6649 and ITS#6685)
+
+-------------------------------------------------------------------
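Review bot: The second changelog entry (the ppolicy_forward_updates BIND issue, ITS#6607) does not carry the CVE identifier, although the header of patch 0012 in this same commit lists CVE-2011-1024. Adding it to the entry lets anyone scanning the package changelog see that the authentication fix is present. The same entry has "chainging" for "chaining", and the third entry has "instanciated".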
openldap2.changes: same change

Package does not exist at destination yet. Using Fallback
old-versions/11.4/all/openldap2
Destination is old-versions/11.4/UPDATES/all/openldap2
calling whatdependson for 11.4-i586


New:
----
0010-unregister_supported_control-backport-dif
0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif
0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif
0013-fix-modrdn-with-empty-olddn-ITS-6768-dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openldap2-client.spec ++++++
--- /var/tmp/diff_new_pack.feYpTh/_old 2011-03-04 16:15:17.000000000 +0100
+++ /var/tmp/diff_new_pack.feYpTh/_new 2011-03-04 16:15:17.000000000 +0100
@@ -25,7 +25,7 @@
BuildRequires: -libopenssl-devel -pwdutils openssl-devel
%endif
Version: 2.4.23
-Release: 6
+Release: 6.<RELEASE2>
Url: http://www.openldap.org
License: BSD3c(or similar) ; openldap 2.8
%if "%{name}" == "openldap2"
@@ -63,6 +63,10 @@
Patch7: 0007-No-Build-date-and-time-in-binaries.dif
Patch8: 0008-Recover-on-DB-version-change.dif
Patch9: 0009-List-static-overlays-backends-when-with-VVV.dif
+Patch10: 0010-unregister_supported_control-backport-dif
+Patch11: 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif
+Patch12: 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif
+Patch13: 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif
Patch100: openldap-2.3.37.dif
Patch200: slapd_getaddrinfo_dupl.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
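Review bot: Patch10 to Patch13 name files ending in "-dif", while Patch7 to Patch9 directly above end in ".dif". The names match the "New:" list and the file headers later in this commit, so the build resolves them, but the suffix should follow the existing ".dif" convention so that file-type matching on the sources keeps working.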
@@ -88,6 +92,25 @@
The OpenLDAP Project <project@xxxxxxxxxxxx>


+The Lightweight Directory Access Protocol (LDAP) is used to access
+online directory services. It runs directly over TCP and can be used to
+access a stand-alone LDAP directory service or to access a directory
+service that has an X.500 back-end.
+
+
+
+Authors:
+--------
+ The OpenLDAP Project <project@xxxxxxxxxxxx>
+
+This package contains the OpenLDAP client utilities.
+
+
+Authors:
+--------
+ The OpenLDAP Project <project@xxxxxxxxxxxx>
+
+
%package -n openldap2-back-perl
License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Perl Back-End
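Review bot: The 19 added lines in this hunk repeat the generic LDAP description, the sentence "This package contains the OpenLDAP client utilities." and two more "Authors:" blocks directly after an existing Authors block and just before %package -n openldap2-back-perl. Nothing in the changelog asks for a description change, and the same block is added again in the next hunk before %package -n openldap2-devel, so this looks like spec-generation residue and should be dropped from the client spec.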
@@ -182,6 +205,25 @@
The OpenLDAP Project <project@xxxxxxxxxxxx>


+The Lightweight Directory Access Protocol (LDAP) is used to access
+online directory services. It runs directly over TCP and can be used to
+access a stand-alone LDAP directory service or to access a directory
+service that has an X.500 back-end.
+
+
+
+Authors:
+--------
+ The OpenLDAP Project <project@xxxxxxxxxxxx>
+
+This package contains the OpenLDAP client utilities.
+
+
+Authors:
+--------
+ The OpenLDAP Project <project@xxxxxxxxxxxx>
+
+
%package -n openldap2-devel
License: BSD3c(or similar) ; openldap 2.8
Summary: Libraries, Header Files and Documentation for OpenLDAP
@@ -239,6 +281,10 @@
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
%if %suse_version == 1100
%patch200 -p1
%endif

++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.feYpTh/_old 2011-03-04 16:15:17.000000000 +0100
+++ /var/tmp/diff_new_pack.feYpTh/_new 2011-03-04 16:15:17.000000000 +0100
@@ -25,7 +25,7 @@
BuildRequires: -libopenssl-devel -pwdutils openssl-devel
%endif
Version: 2.4.23
-Release: 6
+Release: 11.<RELEASE2>
Url: http://www.openldap.org
License: BSD3c(or similar) ; openldap 2.8
%if "%{name}" == "openldap2"
@@ -63,6 +63,10 @@
Patch7: 0007-No-Build-date-and-time-in-binaries.dif
Patch8: 0008-Recover-on-DB-version-change.dif
Patch9: 0009-List-static-overlays-backends-when-with-VVV.dif
+Patch10: 0010-unregister_supported_control-backport-dif
+Patch11: 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif
+Patch12: 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif
+Patch13: 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif
Patch100: openldap-2.3.37.dif
Patch200: slapd_getaddrinfo_dupl.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -220,6 +224,10 @@
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
%if %suse_version == 1100
%patch200 -p1
%endif

++++++ 0010-unregister_supported_control-backport-dif ++++++
From 7fd700941fb1d735a78073124fb8f473eaf9b1b4 Mon Sep 17 00:00:00 2001
From: ralf <ralf>
Date: Wed, 30 Jun 2010 10:38:01 +0000
Subject: unregister_supported_control() backport

The fix for bnc#648479/ITS#6647 makes use of this call

Original log-message:
new call unregister_supported_control(), will be
needed for cn=config delete support

Also included: use be_ctrls[cid] for counting the number of overlay
instances that have registered the control for a specific BackendDB to make
sure that the control is unregistered only after the last instance calls
overlay_unregister_control().

diff --git a/servers/slapd/backover.c b/servers/slapd/backover.c
index cef3286..d2065dc 100644
--- a/servers/slapd/backover.c
+++ b/servers/slapd/backover.c
@@ -1074,14 +1074,22 @@ overlay_register_control( BackendDB *be, const char
*oid )
gotit = 1;
}

- bd->be_ctrls[ cid ] = 1;
+ /* overlays can be instanciated multiple times, use
+ * be_ctrls[ cid ] as an instance counter, so that the
+ * overlay's controls are only really disabled after the
+ * last instance called overlay_register_control() */
+ bd->be_ctrls[ cid ]++;
bd->be_ctrls[ SLAP_MAX_CIDS ] = 1;
}

}

if ( !gotit ) {
- be->bd_self->be_ctrls[ cid ] = 1;
+ /* overlays can be instanciated multiple times, use
+ * be_ctrls[ cid ] as an instance counter, so that the
+ * overlay's controls are only really unregistered after the
+ * last instance called overlay_register_control() */
+ be->bd_self->be_ctrls[ cid ]++;
be->bd_self->be_ctrls[ SLAP_MAX_CIDS ] = 1;
}

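Review bot: Both new comments in overlay_register_control() say the controls are only disabled or unregistered "after the last instance called overlay_register_control()"; that should read overlay_unregister_control(). Changing be_ctrls[ cid ] from a flag set with "= 1" to a counter bumped with "++" also changes its meaning for every reader of the array, so please confirm that the element type is wide enough for the number of overlay instances and that no consumer compares the entry against 1.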
@@ -1089,6 +1097,34 @@ overlay_register_control( BackendDB *be, const char *oid
)
}

void
+overlay_unregister_control( BackendDB *be, const char *oid )
+{
+ int gotit = 0;
+ int cid;
+
+ if ( slap_find_control_id( oid, &cid ) == LDAP_CONTROL_NOT_FOUND ) {
+ return;
+ }
+
+ if ( SLAP_ISGLOBALOVERLAY( be ) ) {
+ BackendDB *bd;
+
+ /* remove from all backends... */
+ LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
+ if ( bd == be->bd_self ) {
+ gotit = 1;
+ }
+
+ bd->be_ctrls[ cid ]--;
+ }
+ }
+
+ if ( !gotit ) {
+ be->bd_self->be_ctrls[ cid ]--;
+ }
+}
+
+void
overlay_destroy_one( BackendDB *be, slap_overinst *on )
{
slap_overinfo *oi = on->on_info;
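Review bot: The decrements bd->be_ctrls[ cid ]-- and be->bd_self->be_ctrls[ cid ]-- in overlay_unregister_control() have no lower bound. An unregister that is not paired with an earlier overlay_register_control() for the same database pushes the counter below zero, after which the entry is non-zero again. Suggest decrementing only when the value is greater than 0. The register path also sets be_ctrls[ SLAP_MAX_CIDS ] = 1 and nothing here resets it; if that is intentional, a comment should say so. Unlike unregister_supported_control(), this function is not wrapped in #ifdef SLAP_CONFIG_DELETE, which is worth making consistent.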
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 5cdfaf0..0aaac3a 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -344,6 +344,38 @@ register_supported_control2(const char *controloid,
return LDAP_SUCCESS;
}

+#ifdef SLAP_CONFIG_DELETE
+int
+unregister_supported_control( const char *controloid )
+{
+ struct slap_control *sc;
+ int i;
+
+ if ( controloid == NULL || (sc = find_ctrl( controloid )) == NULL ){
+ return -1;
+ }
+
+ for ( i = 0; slap_known_controls[ i ]; i++ ) {
+ if ( strcmp( controloid, slap_known_controls[ i ] ) == 0 ) {
+ do {
+ slap_known_controls[ i ] = slap_known_controls[
i+1 ];
+ } while ( slap_known_controls[ i++ ] );
+ num_known_controls--;
+ break;
+ }
+ }
+
+ LDAP_SLIST_REMOVE(&controls_list, sc, slap_control, sc_next);
+ ch_free( sc->sc_oid );
+ if ( sc->sc_extendedopsbv != NULL ) {
+ ber_bvarray_free( sc->sc_extendedopsbv );
+ }
+ ch_free( sc );
+
+ return 0;
+}
+#endif /* SLAP_CONFIG_DELETE */
+
/*
* One-time initialization of internal controls.
*/
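Review bot: unregister_supported_control() returns -1 and 0, while register_supported_control2() directly above ends with "return LDAP_SUCCESS;". Returning LDAP result codes here as well would let callers treat both functions the same way; the callers added in sssvlv.c currently ignore the return value. In the shift loop, slap_known_controls[ i ] is overwritten by slap_known_controls[ i+1 ] without being released first. If that array owns its strings (the registration side is not part of this hunk) the matched entry leaks; if it shares the pointer with sc->sc_oid, a short comment noting that ch_free( sc->sc_oid ) covers it would prevent a later double free by someone "fixing" the loop.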
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index fa225d9..65015cb 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -647,6 +647,10 @@ LDAP_SLAPD_F (int) register_supported_control2 LDAP_P((
int *controlcid ));
#define register_supported_control(oid, mask, exops, fn, cid) \
register_supported_control2((oid), (mask), (exops), (fn), 0, (cid))
+#ifdef SLAP_CONFIG_DELETE
+LDAP_SLAPD_F (int) unregister_supported_control LDAP_P((
+ const char* controloid ));
+#endif /* SLAP_CONFIG_DELETE */
LDAP_SLAPD_F (int) slap_controls_init LDAP_P ((void));
LDAP_SLAPD_F (void) controls_destroy LDAP_P ((void));
LDAP_SLAPD_F (int) controls_root_dse_info LDAP_P ((Entry *e));
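Review bot: This hunk declares only unregister_supported_control(). overlay_unregister_control(), which the same patch defines in backover.c and which patch 0011 calls from sssvlv.c, gets no prototype in any hunk shown here. Unless a declaration already exists elsewhere, sssvlv.c will compile against an implicit declaration; please add the prototype next to this one, under the same SLAP_CONFIG_DELETE guard if the definition is going to be guarded too.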
--
1.7.3.4

++++++ 0011-Fix-exposure-of-SSS-VLV-controls-ITS-6647-dif ++++++
From 829dc9ac421c3a69e20b016f405d93ff263f124f Mon Sep 17 00:00:00 2001
From: ralf <ralf>
Date: Fri, 22 Jan 2010 17:01:25 +0000
Subject: Fix exposure of SSS/VLV controls (ITS#6647)

Fixes bnc#648479

Contains the following upstream commits:

- plugged one time memory leak (found with valgrind)
- Quit send loops if slapd is shutting down
- make sure so is correctly initialized (spotted by
valgrind, possibly related to ITS#6649)
- do not expose control until sssvlv overlay is
actually instantiated at least once (ITS#6647)
- ITS#6685 fix result code tag
- Unregister VLV control as well when last overlay instance
is removed (additional fix for ITS#6647)

diff --git a/servers/slapd/overlays/sssvlv.c b/servers/slapd/overlays/sssvlv.c
index 10dde1f..38e9e2d 100644
--- a/servers/slapd/overlays/sssvlv.c
+++ b/servers/slapd/overlays/sssvlv.c
@@ -198,7 +198,7 @@ static int pack_vlv_response_control(
ber_init2( ber, NULL, LBER_USE_DER );
ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );

- rc = ber_printf( ber, "{iii", so->so_vlv_target, so->so_nentries,
+ rc = ber_printf( ber, "{iie", so->so_vlv_target, so->so_nentries,
so->so_vlv_rc );

if ( rc != -1 && so->so_vcontext ) {
@@ -801,9 +801,9 @@ static int sssvlv_op_search(
op->o_tmpmemctx );
/* Install serversort response callback to handle a new
search */
if ( ps || vc ) {
- so = ch_malloc( sizeof(sort_op));
+ so = ch_calloc( 1, sizeof(sort_op));
} else {
- so = op->o_tmpalloc( sizeof(sort_op),
op->o_tmpmemctx );
+ so = op->o_tmpcalloc( 1, sizeof(sort_op),
op->o_tmpmemctx );
}
sort_conns[op->o_conn->c_conn_idx] = so;

@@ -1158,6 +1158,38 @@ static int sssvlv_db_init(
{
slap_overinst *on = (slap_overinst *)be->bd_info;
sssvlv_info *si;
+
+ if ( ov_count == 0 ) {
+ int rc;
+
+ rc = register_supported_control2( LDAP_CONTROL_SORTREQUEST,
+ SLAP_CTRL_SEARCH,
+ NULL,
+ sss_parseCtrl,
+ 1 /* replace */,
+ &sss_cid );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "Failed to register Sort Request
control '%s' (%d)\n",
+ LDAP_CONTROL_SORTREQUEST, rc, 0 );
+ return rc;
+ }
+
+ rc = register_supported_control2( LDAP_CONTROL_VLVREQUEST,
+ SLAP_CTRL_SEARCH,
+ NULL,
+ vlv_parseCtrl,
+ 1 /* replace */,
+ &vlv_cid );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "Failed to register VLV Request
control '%s' (%d)\n",
+ LDAP_CONTROL_VLVREQUEST, rc, 0 );
+#ifdef SLAP_CONFIG_DELETE
+ overlay_unregister_control( be,
LDAP_CONTROL_SORTREQUEST );
+ unregister_supported_control( LDAP_CONTROL_SORTREQUEST
);
+#endif /* SLAP_CONFIG_DELETE */
+ return rc;
+ }
+ }

si = (sssvlv_info *)ch_malloc(sizeof(sssvlv_info));
on->on_bi.bi_private = si;
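Review bot: On the VLV failure path, overlay_unregister_control( be, LDAP_CONTROL_SORTREQUEST ) is called although no overlay_register_control() call for this database is visible before it in sssvlv_db_init(). With the counter semantics introduced by patch 0010, that decrements be_ctrls[ cid ] for a control that was never counted. The cleanup is also compiled only under SLAP_CONFIG_DELETE, so in a build without it a failed VLV registration returns an error but leaves the Sort control registered and advertised. Suggest dropping the overlay_unregister_control() call here and making the unregister_supported_control() rollback unconditional, or documenting why the partial state is acceptable.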
@@ -1183,14 +1215,23 @@ static int sssvlv_db_destroy(
{
slap_overinst *on = (slap_overinst *)be->bd_info;
sssvlv_info *si = (sssvlv_info *)on->on_bi.bi_private;
-
+
ov_count--;
if ( !ov_count && sort_conns) {
sort_conns--;
ch_free(sort_conns);
ldap_pvt_thread_mutex_destroy( &sort_conns_mutex );
}
-
+
+#ifdef SLAP_CONFIG_DELETE
+ overlay_unregister_control( be, LDAP_CONTROL_SORTREQUEST );
+ overlay_unregister_control( be, LDAP_CONTROL_VLVREQUEST );
+ if ( ov_count == 0 ) {
+ unregister_supported_control( LDAP_CONTROL_SORTREQUEST );
+ unregister_supported_control( LDAP_CONTROL_VLVREQUEST );
+ }
+#endif /* SLAP_CONFIG_DELETE */
+
if ( si ) {
ch_free( si );
on->on_bi.bi_private = NULL;
@@ -1217,30 +1258,9 @@ int sssvlv_initialize()
if ( rc )
return rc;

- rc = register_supported_control2( LDAP_CONTROL_SORTREQUEST,
- SLAP_CTRL_SEARCH,
- NULL,
- sss_parseCtrl,
- 1 /* replace */,
- &sss_cid );
-
- if ( rc == LDAP_SUCCESS ) {
- rc = register_supported_control2( LDAP_CONTROL_VLVREQUEST,
- SLAP_CTRL_SEARCH,
- NULL,
- vlv_parseCtrl,
- 1 /* replace */,
- &vlv_cid );
- }
-
- if ( rc == LDAP_SUCCESS ) {
- rc = overlay_register( &sssvlv );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "Failed to register server side
sort overlay\n", 0, 0, 0 );
- }
- }
- else {
- Debug( LDAP_DEBUG_ANY, "Failed to register control %d\n", rc,
0, 0 );
+ rc = overlay_register( &sssvlv );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "Failed to register server side sort
overlay\n", 0, 0, 0 );
}

return rc;
--
1.7.3.4

++++++ 0012-forwarded-bind-failure-messages-cause-success-ITS-6607-dif ++++++
From 2fd270af43c3a952f999fa1de3e9e6c9275e9d08 Mon Sep 17 00:00:00 2001
From: quanah <quanah>
Date: Mon, 10 Jan 2011 20:36:19 +0000
Subject: forwarded bind failure messages cause success (ITS#6607)

Original log from CVS:
Add rev 1.77 of chain.c for control callbacks

ITS#6475, ITS#6607
bnc#674985
CVE-2011-1024

diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index c517f15..6b7036a 100644
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -854,6 +854,7 @@ ldap_chain_response( Operation *op, SlapReply *rs )

/* we need this to know if back-ldap returned any result */
lb.lb_lc = lc;
+ sc2.sc_next = sc->sc_next;
sc2.sc_private = &lb;
sc2.sc_response = ldap_chain_cb_response;
op->o_callback = &sc2;
@@ -947,6 +948,7 @@ ldap_chain_response( Operation *op, SlapReply *rs )

case LDAP_SUCCESS:
case LDAP_REFERRAL:
+ sr_err = rs->sr_err;
/* slapd-ldap sent response */
if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) {
/* FIXME: should we send response? */
@@ -974,7 +976,7 @@ cannot_chain:;
default:
#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
if ( LDAP_CHAIN_RETURN_ERR( lc ) ) {
- rs->sr_err = rc;
+ sr_err = rs->sr_err = rc;
rs->sr_type = sr_type;

} else {
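Review bot: sr_err is assigned here ("sr_err = rs->sr_err = rc;") and in the previous hunk ("sr_err = rs->sr_err;"), but neither its declaration nor the place where it is read back appears in any hunk of this patch. Since this is the variable that is supposed to preserve the real result of a forwarded operation, the review cannot confirm from the diff that a failed BIND keeps its error code. Please mention in the patch header where sr_err is consumed, or include enough context to show it.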
@@ -992,7 +994,8 @@ cannot_chain:;
}

if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) {
- op->o_callback = NULL;
+ /* give the remaining callbacks a chance */
+ op->o_callback = sc->sc_next;
rc = rs->sr_err = slap_map_api2result( rs );
send_ldap_result( op, rs );
}
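Review bot: Replacing "op->o_callback = NULL;" with "op->o_callback = sc->sc_next;" depends on sc still pointing at the chain overlay's own callback at this point and on op->o_callback being restored afterwards; neither is visible in the hunk, so a one-line comment stating the invariant would help. Because this patch is tagged CVE-2011-1024 and fixes BIND returning SUCCESS for a wrong password, it should come with a regression test: a chaining setup with ppolicy_forward_updates enabled where a BIND with a wrong password must return invalidCredentials. The patch header gives only the CVS log line and does not describe the failure or the fix.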
--
1.7.3.4

++++++ 0013-fix-modrdn-with-empty-olddn-ITS-6768-dif ++++++
From 65dd46e08db6fb93c7e5515c2ced2f0f444f241d Mon Sep 17 00:00:00 2001
From: quanah <quanah>
Date: Tue, 4 Jan 2011 19:44:43 +0000
Subject: fix modrdn with empty olddn (ITS#6768)

slapd crashes when processing a modrdn operation with an empty olddn
parameter and "remove old DN" enabled. (bnc#674985)

diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index e2e4bf0..562da72 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -392,7 +392,9 @@ slap_modrdn2mods(
LDAPRDN new_rdn = NULL;

assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) );
- assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) );
+
+ /* if requestDN is empty, silently reset deleteOldRDN */
+ if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0;

if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn,
(char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) )
{
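Review bot: The assert on rs_newrdn in the line above the change is kept ("assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) );"). The bug fixed here was an assert reachable from a client request, so please confirm that an empty newrdn is rejected before slap_modrdn2mods() is entered; otherwise the same crash class remains in assert-enabled builds. The new check also changes the client's request silently by clearing orr_deleteoldrdn. A debug log line would make that visible to operators, and the single-line if would read better with braces.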
--
1.7.3.4


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx
