Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2015-12-06 07:38:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2-client.changes 2015-10-24 10:23:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2-client.changes 2015-12-06 07:38:31.000000000 +0100
@@ -1,0 +2,15 @@
+Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+ to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ to address weak DH size vulnerability (bsc#937766)
+
+-------------------------------------------------------------------
+Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
+ to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
+ (bsc#955210)
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2015-10-24 10:23:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2015-12-06 07:38:31.000000000 +0100
@@ -1,0 +2,15 @@
+Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+ to fix CVE-2015-6908. (bsc#945582)
+- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch
+ to address weak DH size vulnerability (bsc#937766)
+
+-------------------------------------------------------------------
+Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com
+
+- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch
+ to fix an issue with unresponsive LDAP host lookups in IPv6 environment.
+ (bsc#955210)
+
+-------------------------------------------------------------------
New:
----
0009-Fix-ldap-host-lookup-ipv6.patch
0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
0011-Enforce-minimum-DH-size-of-1024.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openldap2-client.spec ++++++
--- /var/tmp/diff_new_pack.Iu734i/_old 2015-12-06 07:38:33.000000000 +0100
+++ /var/tmp/diff_new_pack.Iu734i/_new 2015-12-06 07:38:33.000000000 +0100
@@ -46,6 +46,9 @@
 Patch6: 0006-No-Build-date-and-time-in-binaries.dif
 Patch7: 0007-Recover-on-DB-version-change.dif
 Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
+Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
+Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
+Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -177,6 +180,9 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE5} . %build openldap2.spec: same change ++++++ 0009-Fix-ldap-host-lookup-ipv6.patch ++++++ The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive LDAP host lookups in IPv6 environment. --- libraries/libldap/util-int.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) Index: openldap-2.4.41/libraries/libldap/util-int.c =================================================================== --- openldap-2.4.41.orig/libraries/libldap/util-int.c +++ openldap-2.4.41/libraries/libldap/util-int.c @@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i char * ldap_pvt_get_fqdn( char *name ) { - char *fqdn, *ha_buf; + int rc; + char *fqdn; char hostbuf[MAXHOSTNAMELEN+1]; +#ifdef HAVE_GETADDRINFO + struct addrinfo hints, *res; +#else + char *ha_buf; struct hostent *hp, he_buf; - int rc, local_h_errno; + int local_h_errno; +#endif if( name == NULL ) { if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) { @@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name ) } } +#ifdef HAVE_GETADDRINFO + memset( &hints, '\0', sizeof( hints ) ); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags |= AI_CANONNAME; + + /* most getaddrinfo(3) use non-threadsafe resolver libraries */ + LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); + + rc = getaddrinfo( name, NULL, &hints, &res ); + + LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); + + if ( rc != 0 ) { + fqdn = LDAP_STRDUP( name ); + } else { + while ( res ) { + if ( res->ai_canonname ) { + fqdn = LDAP_STRDUP ( res->ai_canonname ); + break; + } + res = res->ai_next; + } + freeaddrinfo( res ); + } +#else + rc = ldap_pvt_gethostbyname_a( name, &he_buf, &ha_buf, &hp, &local_h_errno ); 
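Review bot: On the HAVE_GETADDRINFO path the new declaration `char *fqdn;` in the first util-int.c hunk is never given an initial value, and the loop the second hunk adds only assigns it when some `ai_canonname` is non-NULL, so a getaddrinfo() call that succeeds but returns entries without a canonical name makes ldap_pvt_get_fqdn() return an indeterminate pointer. The same loop advances `res` itself and then calls `freeaddrinfo( res )` on wherever the cursor stopped: NULL when the list ran out, so nothing is freed and the list leaks, or a mid-list node after `break`, so the head is leaked and freeaddrinfo() is handed something other than the list it returned. I would initialise `fqdn`, walk the list with a separate cursor, free the head unconditionally, and fall back to `LDAP_STRDUP( name )` the way the `rc != 0` branch already does. The second hunk's trailing context lines are not visible here, so the rewrite below covers only its else branch.
```c
	/* … unchanged: hints setup, locked getaddrinfo() call … */
	if ( rc != 0 ) {
		fqdn = LDAP_STRDUP( name );
	} else {
		struct addrinfo *ai;

		fqdn = NULL;
		for ( ai = res; ai != NULL; ai = ai->ai_next ) {
			if ( ai->ai_canonname ) {
				fqdn = LDAP_STRDUP( ai->ai_canonname );
				break;
			}
		}
		freeaddrinfo( res );	/* always release the head of the list */
		if ( fqdn == NULL ) {
			fqdn = LDAP_STRDUP( name );	/* no canonical name: same fallback as the error branch */
		}
	}
```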
@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name ) } LDAP_FREE( ha_buf ); +#endif + return fqdn; } ++++++ 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch ++++++
From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001 From: Howard Chu
Date: Sat, 12 Sep 2015 22:18:22 +0100 Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
We have never documented our use of assert, so can't expect
builders to do the right thing.
This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
The commit fixes CVE-2015-6908.
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 85c3e23..c05dcf8 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -679,7 +679,7 @@ done:
return (ber->ber_tag);
}
- assert( 0 ); /* ber structure is messed up ?*/
+ /* invalid input */
return LBER_DEFAULT;
}
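Review bot: The replacement comment `/* invalid input */` on the new line does not record why the assert had to go, which is the substance of this change: this path in liblber's io.c (ber_get_next(), going by the `done:` label and the `ber->ber_tag` return above it) is reached by decoding length-prefixed data received from the peer, so arriving here is a malformed-input condition rather than a violated internal invariant, and aborting the process on it turns bad input into a remote crash, which is what the description's CVE reference is about. I would make that explicit so a later cleanup does not reinstate the assert, e.g. `/* malformed BER from the peer: a data-validation failure, not an internal invariant, so report LBER_DEFAULT rather than abort */`. The enclosing function starts outside the hunk, and whether callers distinguish this LBER_DEFAULT from the other error returns is not visible here.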
--
2.6.3
++++++ 0011-Enforce-minimum-DH-size-of-1024.patch ++++++
The patch was authored by Marcus Meissner