Raspbian automatic forward porter [Thu, 19 Nov 2020 01:41:41 +0000 (01:41 +0000)]
Merge version 2.4.47+dfsg-3+rpi1+deb10u2 and 2.4.47+dfsg-3+deb10u4 to produce 2.4.47+dfsg-3+rpi1+deb10u4
Ryan Tandy [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
Merge openldap (2.4.47+dfsg-3+deb10u4) import into refs/heads/workingbranch
Howard Chu [Mon, 2 Nov 2020 16:01:14 +0000 (16:01 +0000)]
[PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
Gbp-Pq: Name ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
Howard Chu [Mon, 2 Nov 2020 13:12:10 +0000 (13:12 +0000)]
[PATCH] ITS#9383 remove assert in certificateListValidate
Gbp-Pq: Name ITS-9383-remove-assert-in-certificateListValidate.patch
Howard Chu [Mon, 19 Oct 2020 13:03:41 +0000 (14:03 +0100)]
[PATCH] ITS#9370 check for equality rule on old_rdn
Just skip normalization if there's no equality rule. We accept
DNs without equality rules already.
Gbp-Pq: Name ITS-9370-check-for-equality-rule-on-old_rdn.patch
Howard Chu [Thu, 16 Apr 2020 00:08:19 +0000 (01:08 +0100)]
[PATCH] ITS#9202 limit depth of nested filters
Using a hardcoded limit for now; no reasonable apps
should ever run into it.
Gbp-Pq: Name ITS-9202-limit-depth-of-nested-filters.patch
Ondřej Kuzník [Mon, 17 Jun 2019 10:49:25 +0000 (12:49 +0200)]
[PATCH] ITS#8964 Do not free original filter
Gbp-Pq: Name ITS-8964-Do-not-free-original-filter.patch
Howard Chu [Wed, 10 Jul 2019 20:29:39 +0000 (21:29 +0100)]
[PATCH] ITS#9052 zero out sasl_ssf in connection_init
Gbp-Pq: Name ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
Ondřej Kuzník [Wed, 26 Jun 2019 22:45:29 +0000 (00:45 +0200)]
[PATCH] ITS#9038 Another test028 typo
Gbp-Pq: Name ITS-9038-Another-test028-typo.patch
Ondřej Kuzník [Mon, 24 Jun 2019 14:37:23 +0000 (16:37 +0200)]
[PATCH] ITS#9038 Fix typo in test script
Gbp-Pq: Name ITS-9038-Fix-typo-in-test-script.patch
Ondřej Kuzník [Wed, 19 Jun 2019 16:47:32 +0000 (18:47 +0200)]
[PATCH] ITS#9038 Update test028 to test this is enforced
Gbp-Pq: Name ITS-9038-Update-test028-to-test-this-is-enforced.patch
Howard Chu [Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)]
[PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
Gbp-Pq: Name ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
Ryan Tandy [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
Do not call gnutls_global_set_mutex()
Bug-Debian: https://bugs.debian.org/803197
Forwarded: no
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.
When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.
Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code
may be unmapped and the application could crash when GnuTLS calls the
mutex functions.
The default behaviour of GnuTLS, using pthreads, should be suitable on
all Debian systems, and is probably the same as what libldap uses
anyway.
Gbp-Pq: Name no-gnutls_global_set_mutex
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
set-maintainer-name
Gbp-Pq: Name set-maintainer-name
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
ITS6035-olcauthzregex-needs-restart
Gbp-Pq: Name ITS6035-olcauthzregex-needs-restart.patch
Steve Langasek [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
don't second-guess BDB ABI
Bug-Debian: http://bugs.debian.org/651333
Forwarded: not-needed
OpenLDAP upstream conservatively assumes that any change to the version
number of libdb can result in an API-breaking change that could impact
the database. In Debian, we know that such changes require bumping the
library soname and changing the package name, and demand such rigor from
our package maintainers even when upstreams don't deliver; so any such
check in the source code works against the packaging system by forcing
database upgrades when we know none are required. Disable this check
so we rely on the packaging system to do its job.
Gbp-Pq: Name no-bdb-ABI-second-guessing
Jan-Marek Glogowski [Tue, 18 May 2010 15:47:05 +0000 (17:47 +0200)]
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Steve Langasek [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
don't use AM_INIT_AUTOMAKE macro when we aren't using automake
Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
using automake, and it confuses autoreconf. Use AC_INIT() instead.
Gbp-Pq: Name no-AM_INIT_AUTOMAKE
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
fix-build-top-mk
Gbp-Pq: Name fix-build-top-mk
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
add-tlscacert-option-to-ldap-conf
Gbp-Pq: Name add-tlscacert-option-to-ldap-conf
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
ldap-conf-tls-cacertdir
Gbp-Pq: Name ldap-conf-tls-cacertdir
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
lastbind-makefile-manpage
Gbp-Pq: Name lastbind-makefile-manpage
Peter Marschall [Sun, 26 Jul 2015 13:04:26 +0000 (15:04 +0200)]
[PATCH] contrib/smbk5pwd: add man page, install it too
Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
install the new manual page.
This patch is derived from the corresponding patch upstreamed in ITS#8205
Gbp-Pq: Name smbk5pwd-makefile-manpage
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
contrib-makefiles
Gbp-Pq: Name contrib-makefiles
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
do-not-second-guess-sonames
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Debian bug #546885
Upstream ITS #6302 filed.
Gbp-Pq: Name do-not-second-guess-sonames
Steve Langasek [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Gbp-Pq: Name getaddrinfo-is-threadsafe
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
libldap-symbol-versions
Add symbol versioning to the public LDAP libraries. This is required for
library transitions, such as the current transition from 2.1 to 2.4,
since programs will sometimes have both libraries loaded by different
dependency chains during the transition.
Not yet contributed upstream.
Upstream ITS #5365 filed requesting symbol versioning for libldap and
libber.
Gbp-Pq: Name libldap-symbol-versions
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
sasl-default-path
Add /etc/ldap/sasl2 to the SASL configuration search path.
Not submitted upstream. Somewhat Debian-specific and probably not of
interest upstream.
Gbp-Pq: Name sasl-default-path
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
index-files-created-as-root
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Gbp-Pq: Name index-files-created-as-root
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
wrong-database-location
Move the default slapd database location to /var/lib/ldap instead of
/var/openldap-data.
Debian-specific.
Gbp-Pq: Name wrong-database-location
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
ldapi-socket-place
Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
is only writable by root and slapd runs as openldap.
Debian-specific.
Gbp-Pq: Name ldapi-socket-place
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
slapi-errorlog-file
The slapi error log file defaults to /var/errors given our setting
of --localstatedir. Move it to /var/log/slapi-errors instead.
Debian-specific.
Gbp-Pq: Name slapi-errorlog-file
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
evolution-ntlm
Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is
actually called by evolution-data-server, checked at version 1.12.2.
Without this patch, the Exchange addressbook integration uses simple binds
with cleartext passwords.
Russ checked with openldap-software for upstream's opinion on this patch
on 2007-12-21. Upstream had never received it as a patch submission and
given that it's apparently only for older Exchange servers that can't do
SASL and DIGEST-MD5, it's not very appealing.
Bug#457374 filed against evolution-data-server asking if this support is
still required on 2007-12-21.
Gbp-Pq: Name evolution-ntlm
Debian OpenLDAP Maintainers [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
man-slapd
Patch the slapd man page to not refer to a header file that isn't
installed with the slapd package and to reference the correct path
for slapd.
Debian-specific.
Gbp-Pq: Name man-slapd
Ryan Tandy [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
openldap (2.4.47+dfsg-3+deb10u4) buster-security; urgency=high
* Fix slapd abort due to assertion failure in Certificate List syntax
validation (ITS#9383) (CVE-2020-25709)
* Fix slapd abort due to assertion failure in CSN normalization with invalid
input (ITS#9384) (CVE-2020-25710)
[dgit import unpatched openldap 2.4.47+dfsg-3+deb10u4]
Ryan Tandy [Tue, 17 Nov 2020 01:23:45 +0000 (01:23 +0000)]
Import openldap_2.4.47+dfsg-3+deb10u4.debian.tar.xz
[dgit import tarball openldap 2.4.47+dfsg-3+deb10u4 openldap_2.4.47+dfsg-3+deb10u4.debian.tar.xz]
Ryan Tandy [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
Merge openldap (2.4.47+dfsg-3+deb10u3) import into refs/heads/workingbranch
Howard Chu [Mon, 19 Oct 2020 13:03:41 +0000 (14:03 +0100)]
[PATCH] ITS#9370 check for equality rule on old_rdn
Just skip normalization if there's no equality rule. We accept
DNs without equality rules already.
Gbp-Pq: Name ITS-9370-check-for-equality-rule-on-old_rdn.patch
Howard Chu [Thu, 16 Apr 2020 00:08:19 +0000 (01:08 +0100)]
[PATCH] ITS#9202 limit depth of nested filters
Using a hardcoded limit for now; no reasonable apps
should ever run into it.
Gbp-Pq: Name ITS-9202-limit-depth-of-nested-filters.patch
Ondřej Kuzník [Mon, 17 Jun 2019 10:49:25 +0000 (12:49 +0200)]
[PATCH] ITS#8964 Do not free original filter
Gbp-Pq: Name ITS-8964-Do-not-free-original-filter.patch
Howard Chu [Wed, 10 Jul 2019 20:29:39 +0000 (21:29 +0100)]
[PATCH] ITS#9052 zero out sasl_ssf in connection_init
Gbp-Pq: Name ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
Ondřej Kuzník [Wed, 26 Jun 2019 22:45:29 +0000 (00:45 +0200)]
[PATCH] ITS#9038 Another test028 typo
Gbp-Pq: Name ITS-9038-Another-test028-typo.patch
Ondřej Kuzník [Mon, 24 Jun 2019 14:37:23 +0000 (16:37 +0200)]
[PATCH] ITS#9038 Fix typo in test script
Gbp-Pq: Name ITS-9038-Fix-typo-in-test-script.patch
Ondřej Kuzník [Wed, 19 Jun 2019 16:47:32 +0000 (18:47 +0200)]
[PATCH] ITS#9038 Update test028 to test this is enforced
Gbp-Pq: Name ITS-9038-Update-test028-to-test-this-is-enforced.patch
Howard Chu [Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)]
[PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
Gbp-Pq: Name ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
Ryan Tandy [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
Do not call gnutls_global_set_mutex()
Bug-Debian: https://bugs.debian.org/803197
Forwarded: no
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.
When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.
Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code
may be unmapped and the application could crash when GnuTLS calls the
mutex functions.
The default behaviour of GnuTLS, using pthreads, should be suitable on
all Debian systems, and is probably the same as what libldap uses
anyway.
Gbp-Pq: Name no-gnutls_global_set_mutex
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
set-maintainer-name
Gbp-Pq: Name set-maintainer-name
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
ITS6035-olcauthzregex-needs-restart
Gbp-Pq: Name ITS6035-olcauthzregex-needs-restart.patch
Steve Langasek [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
don't second-guess BDB ABI
Bug-Debian: http://bugs.debian.org/651333
Forwarded: not-needed
OpenLDAP upstream conservatively assumes that any change to the version
number of libdb can result in an API-breaking change that could impact
the database. In Debian, we know that such changes require bumping the
library soname and changing the package name, and demand such rigor from
our package maintainers even when upstreams don't deliver; so any such
check in the source code works against the packaging system by forcing
database upgrades when we know none are required. Disable this check
so we rely on the packaging system to do its job.
Gbp-Pq: Name no-bdb-ABI-second-guessing
Jan-Marek Glogowski [Tue, 18 May 2010 15:47:05 +0000 (17:47 +0200)]
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Steve Langasek [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
don't use AM_INIT_AUTOMAKE macro when we aren't using automake
Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
using automake, and it confuses autoreconf. Use AC_INIT() instead.
Gbp-Pq: Name no-AM_INIT_AUTOMAKE
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
fix-build-top-mk
Gbp-Pq: Name fix-build-top-mk
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
add-tlscacert-option-to-ldap-conf
Gbp-Pq: Name add-tlscacert-option-to-ldap-conf
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
ldap-conf-tls-cacertdir
Gbp-Pq: Name ldap-conf-tls-cacertdir
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
lastbind-makefile-manpage
Gbp-Pq: Name lastbind-makefile-manpage
Peter Marschall [Sun, 26 Jul 2015 13:04:26 +0000 (15:04 +0200)]
[PATCH] contrib/smbk5pwd: add man page, install it too
Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
install the new manual page.
This patch is derived from the corresponding patch upstreamed in ITS#8205
Gbp-Pq: Name smbk5pwd-makefile-manpage
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
contrib-makefiles
Gbp-Pq: Name contrib-makefiles
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
do-not-second-guess-sonames
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Debian bug #546885
Upstream ITS #6302 filed.
Gbp-Pq: Name do-not-second-guess-sonames
Steve Langasek [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Gbp-Pq: Name getaddrinfo-is-threadsafe
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
libldap-symbol-versions
Add symbol versioning to the public LDAP libraries. This is required for
library transitions, such as the current transition from 2.1 to 2.4,
since programs will sometimes have both libraries loaded by different
dependency chains during the transition.
Not yet contributed upstream.
Upstream ITS #5365 filed requesting symbol versioning for libldap and
libber.
Gbp-Pq: Name libldap-symbol-versions
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
sasl-default-path
Add /etc/ldap/sasl2 to the SASL configuration search path.
Not submitted upstream. Somewhat Debian-specific and probably not of
interest upstream.
Gbp-Pq: Name sasl-default-path
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
index-files-created-as-root
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Gbp-Pq: Name index-files-created-as-root
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
wrong-database-location
Move the default slapd database location to /var/lib/ldap instead of
/var/openldap-data.
Debian-specific.
Gbp-Pq: Name wrong-database-location
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
ldapi-socket-place
Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
is only writable by root and slapd runs as openldap.
Debian-specific.
Gbp-Pq: Name ldapi-socket-place
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
slapi-errorlog-file
The slapi error log file defaults to /var/errors given our setting
of --localstatedir. Move it to /var/log/slapi-errors instead.
Debian-specific.
Gbp-Pq: Name slapi-errorlog-file
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
evolution-ntlm
Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is
actually called by evolution-data-server, checked at version 1.12.2.
Without this patch, the Exchange addressbook integration uses simple binds
with cleartext passwords.
Russ checked with openldap-software for upstream's opinion on this patch
on 2007-12-21. Upstream had never received it as a patch submission and
given that it's apparently only for older Exchange servers that can't do
SASL and DIGEST-MD5, it's not very appealing.
Bug#457374 filed against evolution-data-server asking if this support is
still required on 2007-12-21.
Gbp-Pq: Name evolution-ntlm
Debian OpenLDAP Maintainers [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
man-slapd
Patch the slapd man page to not refer to a header file that isn't
installed with the slapd package and to reference the correct path
for slapd.
Debian-specific.
Gbp-Pq: Name man-slapd
Ryan Tandy [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
openldap (2.4.47+dfsg-3+deb10u3) buster-security; urgency=high
* Fix slapd normalization handling with modrdn (ITS#9370)
[dgit import unpatched openldap 2.4.47+dfsg-3+deb10u3]
Ryan Tandy [Fri, 30 Oct 2020 01:36:26 +0000 (01:36 +0000)]
Import openldap_2.4.47+dfsg-3+deb10u3.debian.tar.xz
[dgit import tarball openldap 2.4.47+dfsg-3+deb10u3 openldap_2.4.47+dfsg-3+deb10u3.debian.tar.xz]
Raspbian automatic forward porter [Thu, 30 Apr 2020 19:37:36 +0000 (20:37 +0100)]
Merge version 2.4.47+dfsg-3+rpi1+deb10u1 and 2.4.47+dfsg-3+deb10u2 to produce 2.4.47+dfsg-3+rpi1+deb10u2
Ryan Tandy [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
Merge openldap (2.4.47+dfsg-3+deb10u2) import into refs/heads/workingbranch
Howard Chu [Thu, 16 Apr 2020 00:08:19 +0000 (01:08 +0100)]
[PATCH] ITS#9202 limit depth of nested filters
Using a hardcoded limit for now; no reasonable apps
should ever run into it.
Gbp-Pq: Name ITS-9202-limit-depth-of-nested-filters.patch
Ondřej Kuzník [Mon, 17 Jun 2019 10:49:25 +0000 (12:49 +0200)]
[PATCH] ITS#8964 Do not free original filter
Gbp-Pq: Name ITS-8964-Do-not-free-original-filter.patch
Howard Chu [Wed, 10 Jul 2019 20:29:39 +0000 (21:29 +0100)]
[PATCH] ITS#9052 zero out sasl_ssf in connection_init
Gbp-Pq: Name ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
Ondřej Kuzník [Wed, 26 Jun 2019 22:45:29 +0000 (00:45 +0200)]
[PATCH] ITS#9038 Another test028 typo
Gbp-Pq: Name ITS-9038-Another-test028-typo.patch
Ondřej Kuzník [Mon, 24 Jun 2019 14:37:23 +0000 (16:37 +0200)]
[PATCH] ITS#9038 Fix typo in test script
Gbp-Pq: Name ITS-9038-Fix-typo-in-test-script.patch
Ondřej Kuzník [Wed, 19 Jun 2019 16:47:32 +0000 (18:47 +0200)]
[PATCH] ITS#9038 Update test028 to test this is enforced
Gbp-Pq: Name ITS-9038-Update-test028-to-test-this-is-enforced.patch
Howard Chu [Wed, 19 Jun 2019 11:29:02 +0000 (12:29 +0100)]
[PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
Gbp-Pq: Name ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
Ryan Tandy [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
Do not call gnutls_global_set_mutex()
Bug-Debian: https://bugs.debian.org/803197
Forwarded: no
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.
When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.
Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code
may be unmapped and the application could crash when GnuTLS calls the
mutex functions.
The default behaviour of GnuTLS, using pthreads, should be suitable on
all Debian systems, and is probably the same as what libldap uses
anyway.
Gbp-Pq: Name no-gnutls_global_set_mutex
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
set-maintainer-name
Gbp-Pq: Name set-maintainer-name
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
ITS6035-olcauthzregex-needs-restart
Gbp-Pq: Name ITS6035-olcauthzregex-needs-restart.patch
Steve Langasek [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
don't second-guess BDB ABI
Bug-Debian: http://bugs.debian.org/651333
Forwarded: not-needed
OpenLDAP upstream conservatively assumes that any change to the version
number of libdb can result in an API-breaking change that could impact
the database. In Debian, we know that such changes require bumping the
library soname and changing the package name, and demand such rigor from
our package maintainers even when upstreams don't deliver; so any such
check in the source code works against the packaging system by forcing
database upgrades when we know none are required. Disable this check
so we rely on the packaging system to do its job.
Gbp-Pq: Name no-bdb-ABI-second-guessing
Jan-Marek Glogowski [Tue, 18 May 2010 15:47:05 +0000 (17:47 +0200)]
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. Open all modules with RTLD_GLOBAL, needed so that back_perl can load non-trivial Perl extensions that require symbols from back_perl.so itself.
Bug-Debian: http://bugs.debian.org/327585
Gbp-Pq: Name switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
Steve Langasek [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
don't use AM_INIT_AUTOMAKE macro when we aren't using automake
Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
using automake, and it confuses autoreconf. Use AC_INIT() instead.
Gbp-Pq: Name no-AM_INIT_AUTOMAKE
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
fix-build-top-mk
Gbp-Pq: Name fix-build-top-mk
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
add-tlscacert-option-to-ldap-conf
Gbp-Pq: Name add-tlscacert-option-to-ldap-conf
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
ldap-conf-tls-cacertdir
Gbp-Pq: Name ldap-conf-tls-cacertdir
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
lastbind-makefile-manpage
Gbp-Pq: Name lastbind-makefile-manpage
Peter Marschall [Sun, 26 Jul 2015 13:04:26 +0000 (15:04 +0200)]
[PATCH] contrib/smbk5pwd: add man page, install it too
Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
install the new manual page.
This patch is derived from the corresponding patch upstreamed in ITS#8205
Gbp-Pq: Name smbk5pwd-makefile-manpage
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
contrib-makefiles
Gbp-Pq: Name contrib-makefiles
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
do-not-second-guess-sonames
Rip out code that second-guesses the libsasl soname / Debian shlibs. If
cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
there, not kludged around upstream here!
Debian bug #546885
Upstream ITS #6302 filed.
Gbp-Pq: Name do-not-second-guess-sonames
Steve Langasek [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
getaddrinfo-is-threadsafe
OpenLDAP upstream conservatively assumes that certain resolver functions
(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
know that the glibc implementations of these functions are thread-safe, so
we should bypass the use of this mutex. This fixes a locking problem when
an application uses libldap and libnss-ldap is also used for hosts
resolution.
Closes Debian bug #340601.
Not suitable for forwarding upstream; might be made suitable by adding a
configure-time check for glibc and disabling the mutex only on known
thread-safe implementations.
Gbp-Pq: Name getaddrinfo-is-threadsafe
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
libldap-symbol-versions
Add symbol versioning to the public LDAP libraries. This is required for
library transitions, such as the current transition from 2.1 to 2.4,
since programs will sometimes have both libraries loaded by different
dependency chains during the transition.
Not yet contributed upstream.
Upstream ITS #5365 filed requesting symbol versioning for libldap and
libber.
Gbp-Pq: Name libldap-symbol-versions
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
sasl-default-path
Add /etc/ldap/sasl2 to the SASL configuration search path.
Not submitted upstream. Somewhat Debian-specific and probably not of
interest upstream.
Gbp-Pq: Name sasl-default-path
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
index-files-created-as-root
Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).
Not suitable for upstream in this form. This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.
Upstream ITS #5356 filed requesting better handling of this. Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.
Gbp-Pq: Name index-files-created-as-root
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
wrong-database-location
Move the default slapd database location to /var/lib/ldap instead of
/var/openldap-data.
Debian-specific.
Gbp-Pq: Name wrong-database-location
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
ldapi-socket-place
Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
is only writable by root and slapd runs as openldap.
Debian-specific.
Gbp-Pq: Name ldapi-socket-place
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
slapi-errorlog-file
The slapi error log file defaults to /var/errors given our setting
of --localstatedir. Move it to /var/log/slapi-errors instead.
Debian-specific.
Gbp-Pq: Name slapi-errorlog-file
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
evolution-ntlm
Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is
actually called by evolution-data-server, checked at version 1.12.2.
Without this patch, the Exchange addressbook integration uses simple binds
with cleartext passwords.
Russ checked with openldap-software for upstream's opinion on this patch
on 2007-12-21. Upstream had never received it as a patch submission and
given that it's apparently only for older Exchange servers that can't do
SASL and DIGEST-MD5, it's not very appealing.
Bug#457374 filed against evolution-data-server asking if this support is
still required on 2007-12-21.
Gbp-Pq: Name evolution-ntlm
Debian OpenLDAP Maintainers [Mon, 20 Apr 2020 18:19:54 +0000 (19:19 +0100)]
man-slapd
Patch the slapd man page to not refer to a header file that isn't
installed with the slapd package and to reference the correct path
for slapd.
Debian-specific.
Gbp-Pq: Name man-slapd
projects / openldap.git / log