Steve Langasek [Thu, 13 Jun 2024 02:23:12 +0000 (19:23 -0700)]
handle sizeof(time_t) > sizeof(long) in format strings
Last-Update: 2024-03-11
Forwarded: no
64-bit time_t means that on some architectures, time_t is now larger than
a long, making some references in format strings incorrect. To avoid
truncation or other size mismatch issues, always cast to a long long and
read using %lld.
Fixes an assertion failure detected during build-time tests on armhf:
slapd: ../../../../../servers/slapd/overlays/dds.c:422: dds_op_add: Assertion `bv.bv_len < sizeof( ttlbuf )' failed.
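An added illustration of the cast-and-%lld rule described in the message above; it is not code from OpenLDAP or from the Debian patch. The function names and the sample timestamp are constructed, and the 32-bit long is modelled with int32_t so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The cast the commit message prescribes is only lossless if this holds. */
_Static_assert(sizeof(long long) >= sizeof(time_t), "long long too small for time_t");

/* Prescribed form: cast to long long, read with %lld. Returns the length
 * written, or -1 if the text did not fit in buf (caller must not use buf). */
int fmt_time_safe(char *buf, size_t buflen, int64_t t)
{
    int n = snprintf(buf, buflen, "%lld", (long long)t);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Model of the mismatch on a target with 32-bit long: only the low 32 bits
 * of the value reach the "%ld" conversion. The narrowing is written out with
 * int32_t so the output is identical on every host; on a real ILP32 build,
 * passing a 64-bit time_t to "%ld" is undefined behaviour, not just this. */
int fmt_time_narrowed(char *buf, size_t buflen, int64_t t)
{
    int32_t low = (int32_t)(uint32_t)t;
    int n = snprintf(buf, buflen, "%ld", (long)low);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: 2100-01-01T00:00:00Z, past the 32-bit signed range. */
    const int64_t t = 4102444800LL;
    char ok[32], bad[32], tiny[8];

    if (fmt_time_safe(ok, sizeof ok, t) > 0)
        printf("%%lld with cast  : %s\n", ok);
    if (fmt_time_narrowed(bad, sizeof bad, t) > 0)
        printf("32-bit long model: %s\n", bad);
    /* An undersized buffer is reported instead of silently truncated. */
    if (fmt_time_safe(tiny, sizeof tiny, t) < 0)
        printf("8-byte buffer    : value does not fit\n");
    return 0;
}
```

Building with -Wall on GCC or Clang enables -Wformat, which flags a %ld conversion given a 64-bit argument on targets where long is 32 bits.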
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Steve Langasek [Thu, 13 Jun 2024 02:23:12 +0000 (19:23 -0700)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Steve Langasek [Fri, 26 Apr 2024 23:09:29 +0000 (16:09 -0700)]
handle sizeof(time_t) > sizeof(long) in format strings
Last-Update: 2024-03-11
Forwarded: no
64-bit time_t means that on some architectures, time_t is now larger than
a long, making some references in format strings incorrect. To avoid
truncation or other size mismatch issues, always cast to a long long and
read using %lld.
Fixes an assertion failure detected during build-time tests on armhf:
slapd: ../../../../../servers/slapd/overlays/dds.c:422: dds_op_add: Assertion `bv.bv_len < sizeof( ttlbuf )' failed.
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Steve Langasek [Fri, 26 Apr 2024 23:09:29 +0000 (16:09 -0700)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Ryan Tandy [Fri, 26 Apr 2024 23:09:29 +0000 (16:09 -0700)]
openldap (2.5.17+dfsg-1) unstable; urgency=medium
* New upstream release.
- fixed slapo-dynlist so it can't be global (ITS#10091) (Closes: #1040382)
* debian/copyright: Exclude doc/guide/admin/guide.html from the upstream
source, because the tool required to build it from source is not packaged
in Debian. Fixes a Lintian error (source-is-missing).
* Update Swedish debconf translation. (Closes: #1056955)
Thanks to Martin Bagge and Anders Jonsson.
* debian/salsa-ci.yml: Enable Salsa CI pipeline.
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Steve Langasek [Wed, 8 Feb 2023 01:56:12 +0000 (01:56 +0000)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Ryan Tandy [Wed, 8 Feb 2023 01:56:12 +0000 (01:56 +0000)]
openldap (2.5.13+dfsg-5) unstable; urgency=medium
* Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path.
(Closes: #1030814)
* Disable flaky test test069-delta-multiprovider-starttls.
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Steve Langasek [Sat, 14 Jan 2023 00:29:59 +0000 (00:29 +0000)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Ryan Tandy [Sat, 14 Jan 2023 00:29:59 +0000 (00:29 +0000)]
openldap (2.5.13+dfsg-3) unstable; urgency=medium
[ Ryan Tandy ]
* Disable flaky test test063-delta-multiprovider. Mitigates #1010608.
[ Gioele Barabucci ]
* slapd.scripts-common: Avoid double-UTF8-encoding org name (Closes: #1016185)
* d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style`
* d/slapd.postinst: Remove test for ancient version
* slapd.scripts-common: Remove unused `normalize_ldif`
* d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics`
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Steve Langasek [Wed, 5 Oct 2022 12:38:13 +0000 (13:38 +0100)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.