Timo Aaltonen [Thu, 21 Jan 2021 20:16:28 +0000 (20:16 +0000)]
Merge 389-ds-base (1.4.4.10-1) import into refs/heads/workingbranch
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Thu, 21 Jan 2021 20:16:28 +0000 (20:16 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Thu, 21 Jan 2021 20:16:28 +0000 (20:16 +0000)]
389-ds-base (1.4.4.10-1) unstable; urgency=medium
* New upstream release.
* CVE-2017-15135.patch: Refreshed.
* source: Update diff-ignore.
* install: Drop libsds which got removed.
* control: Add libnss3-tools to cockpit-389-ds Depends. (Closes:
#965004)
* control: Drop python3-six from depends.
[dgit import unpatched 389-ds-base 1.4.4.10-1]
Timo Aaltonen [Thu, 21 Jan 2021 20:16:28 +0000 (20:16 +0000)]
Import 389-ds-base_1.4.4.10.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.4.10.orig.tar.bz2]
Timo Aaltonen [Thu, 21 Jan 2021 20:16:28 +0000 (20:16 +0000)]
Import 389-ds-base_1.4.4.10-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.4.10-1 389-ds-base_1.4.4.10-1.debian.tar.xz]
Timo Aaltonen [Fri, 18 Dec 2020 13:29:20 +0000 (13:29 +0000)]
Merge 389-ds-base (1.4.4.9-1) import into refs/heads/workingbranch
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Fri, 18 Dec 2020 13:29:20 +0000 (13:29 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Fri, 18 Dec 2020 13:29:20 +0000 (13:29 +0000)]
389-ds-base (1.4.4.9-1) unstable; urgency=medium
* New upstream release.
* fix-prlog-include.diff: Dropped, upstream.
[dgit import unpatched 389-ds-base 1.4.4.9-1]
Timo Aaltonen [Fri, 18 Dec 2020 13:29:20 +0000 (13:29 +0000)]
Import 389-ds-base_1.4.4.9.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.4.9.orig.tar.bz2]
Timo Aaltonen [Fri, 18 Dec 2020 13:29:20 +0000 (13:29 +0000)]
Import 389-ds-base_1.4.4.9-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.4.9-1 389-ds-base_1.4.4.9-1.debian.tar.xz]
Timo Aaltonen [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
Merge 389-ds-base (1.4.4.8-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
fix-prlog-include
Gbp-Pq: Name fix-prlog-include.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
389-ds-base (1.4.4.8-1) unstable; urgency=medium
* New upstream release.
* fix-systemctl-path.diff, drop-old-man.diff: Dropped, obsolete.
* fix-prlog-include.diff: Fix build by dropping nspr4/ prefix.
* install, rules: Clean up perl cruft that got removed upstream.
* install: Add openldap_to_ds.
* watch: Follow 1.4.4.x.
[dgit import unpatched 389-ds-base 1.4.4.8-1]
Timo Aaltonen [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
Import 389-ds-base_1.4.4.8.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.4.8.orig.tar.bz2]
Timo Aaltonen [Thu, 12 Nov 2020 13:57:11 +0000 (13:57 +0000)]
Import 389-ds-base_1.4.4.8-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.4.8-1 389-ds-base_1.4.4.8-1.debian.tar.xz]
Timo Aaltonen [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
Merge 389-ds-base (1.4.4.4-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Timo Aaltonen [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
Fix the path to systemctl binary
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
389-ds-base (1.4.4.4-1) unstable; urgency=medium
* New upstream release.
* watch: Update upstream git repo url.
* control: Add python3-dateutil to build-depends.
* copyright: Drop duplicate globbing patterns.
* lintian: Drop obsolete overrides.
* postinst: Drop obsolete rule to upgrade the instances.
* prerm: Use dsctl instead of remove-ds.
[dgit import unpatched 389-ds-base 1.4.4.4-1]
Timo Aaltonen [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
Import 389-ds-base_1.4.4.4.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.4.4.orig.tar.bz2]
Timo Aaltonen [Tue, 22 Sep 2020 06:23:30 +0000 (07:23 +0100)]
Import 389-ds-base_1.4.4.4-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.4.4-1 389-ds-base_1.4.4.4-1.debian.tar.xz]
Timo Aaltonen [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
Merge 389-ds-base (1.4.4.3-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Timo Aaltonen [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
Fix the path to systemctl binary
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
389-ds-base (1.4.4.3-1) unstable; urgency=medium
* New upstream release.
* fix-db-home-dir.diff: Dropped, upstream.
[dgit import unpatched 389-ds-base 1.4.4.3-1]
Timo Aaltonen [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
Import 389-ds-base_1.4.4.3.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.4.3.orig.tar.bz2]
Timo Aaltonen [Tue, 2 Jun 2020 08:33:44 +0000 (09:33 +0100)]
Import 389-ds-base_1.4.4.3-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.4.3-1 389-ds-base_1.4.4.3-1.debian.tar.xz]
Timo Aaltonen [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
Merge 389-ds-base (1.4.3.6-2) import into refs/heads/workingbranch
Debian FreeIPA Team [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
fix-db-home-dir
Gbp-Pq: Name fix-db-home-dir.diff
Debian FreeIPA Team [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Timo Aaltonen [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
Fix the path to systemctl binary
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
389-ds-base (1.4.3.6-2) unstable; urgency=medium
* fix-db-home-dir.diff: Set db_home_dir same as db_dir to fix an issue
starting a newly created instance.
[dgit import unpatched 389-ds-base 1.4.3.6-2]
Timo Aaltonen [Tue, 21 Apr 2020 17:19:06 +0000 (18:19 +0100)]
Import 389-ds-base_1.4.3.6-2.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.3.6-2 389-ds-base_1.4.3.6-2.debian.tar.xz]
Timo Aaltonen [Mon, 20 Apr 2020 12:01:35 +0000 (13:01 +0100)]
Import 389-ds-base_1.4.3.6.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.3.6.orig.tar.bz2]
Timo Aaltonen [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
Merge 389-ds-base (1.4.3.4-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Timo Aaltonen [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
Fix the path to systemctl binary
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
389-ds-base (1.4.3.4-1) unstable; urgency=medium
* New upstream release.
* Add debian/gitlab-ci.yml.
- allow blhc to fail
* control: Bump policy to 4.5.0.
* control: Use https url for upstream.
* control: Use canonical URL in Vcs-Browser.
* copyright: Use spaces rather than tabs to start continuation lines.
* Add lintian-overrides for the source, cockpit index.js has long lines.
[dgit import unpatched 389-ds-base 1.4.3.4-1]
Timo Aaltonen [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
Import 389-ds-base_1.4.3.4.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.3.4.orig.tar.bz2]
Timo Aaltonen [Wed, 18 Mar 2020 06:47:32 +0000 (06:47 +0000)]
Import 389-ds-base_1.4.3.4-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.3.4-1 389-ds-base_1.4.3.4-1.debian.tar.xz]
Timo Aaltonen [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
Merge 389-ds-base (1.4.3.2-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Timo Aaltonen [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
Fix the path to systemctl binary
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
389-ds-base (1.4.3.2-1) unstable; urgency=medium
* New upstream release.
* prerm: Fix slapd install path. (Closes: #945583)
* install: Updated.
* control: Use debhelper-compat.
[dgit import unpatched 389-ds-base 1.4.3.2-1]
Timo Aaltonen [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
Import 389-ds-base_1.4.3.2.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.3.2.orig.tar.bz2]
Timo Aaltonen [Wed, 12 Feb 2020 17:39:22 +0000 (17:39 +0000)]
Import 389-ds-base_1.4.3.2-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.3.2-1 389-ds-base_1.4.3.2-1.debian.tar.xz]
Timo Aaltonen [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
Merge 389-ds-base (1.4.2.4-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
fix-systemctl-path
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Timo Aaltonen [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
389-ds-base (1.4.2.4-1) unstable; urgency=medium
* New upstream release.
- CVE-2019-14824 deref plugin displays restricted attributes
(Closes: #944150)
* fix-obsolete-target.diff: Dropped, obsolete
drop-old-man.diff: Refreshed
* control: Add python3-packaging to build-depends and python3-lib389 depends.
* dev,libs.install: Nunc-stans got dropped.
* source/local-options: Add some files to diff-ignore.
* rules: Refresh list of files to purge.
* rules: Update dh_auto_clean override.
[dgit import unpatched 389-ds-base 1.4.2.4-1]
Timo Aaltonen [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
Import 389-ds-base_1.4.2.4.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.2.4.orig.tar.bz2]
Timo Aaltonen [Tue, 26 Nov 2019 22:00:59 +0000 (22:00 +0000)]
Import 389-ds-base_1.4.2.4-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.2.4-1 389-ds-base_1.4.2.4-1.debian.tar.xz]
Timo Aaltonen [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
Merge 389-ds-base (1.4.1.6-4) import into refs/heads/workingbranch
Debian FreeIPA Team [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
drop-old-man
Gbp-Pq: Name drop-old-man.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
fix-systemctl-path
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Debian FreeIPA Team [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
fix-obsolete-target
Gbp-Pq: Name fix-obsolete-target.diff
Timo Aaltonen [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
389-ds-base (1.4.1.6-4) unstable; urgency=medium
* tests: Redirect stderr to stdout.
[dgit import unpatched 389-ds-base 1.4.1.6-4]
Timo Aaltonen [Mon, 16 Sep 2019 22:37:39 +0000 (23:37 +0100)]
Import 389-ds-base_1.4.1.6-4.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.1.6-4 389-ds-base_1.4.1.6-4.debian.tar.xz]
Timo Aaltonen [Wed, 11 Sep 2019 14:01:03 +0000 (15:01 +0100)]
Import 389-ds-base_1.4.1.6.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.1.6.orig.tar.bz2]
Timo Aaltonen [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
Merge 389-ds-base (1.4.1.5-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
perl-use-move-instead-of-rename
Gbp-Pq: Name perl-use-move-instead-of-rename.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
fix-systemctl-path
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
fix-obsolete-target
Gbp-Pq: Name fix-obsolete-target.diff
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
rename-online-scripts
Gbp-Pq: Name rename-online-scripts.diff
Debian FreeIPA Team [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
use-bash-instead-of-sh
Gbp-Pq: Name use-bash-instead-of-sh.diff
Timo Aaltonen [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
389-ds-base (1.4.1.5-1) unstable; urgency=medium
* New upstream release.
* watch: Use https.
* control: Bump policy to 4.4.0.
* Bump debhelper to 12.
* patches: fix-dsctl-remove.diff, fix-nss-path.diff, icu_pkg-config.patch
removed, upstream. Others refreshed.
* rules: Pass --enable-perl, we still need the perl tools.
* *.install: Updated.
[dgit import unpatched 389-ds-base 1.4.1.5-1]
Timo Aaltonen [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
Import 389-ds-base_1.4.1.5.orig.tar.bz2
[dgit import orig 389-ds-base_1.4.1.5.orig.tar.bz2]
Timo Aaltonen [Wed, 10 Jul 2019 07:05:31 +0000 (08:05 +0100)]
Import 389-ds-base_1.4.1.5-1.debian.tar.xz
[dgit import tarball 389-ds-base 1.4.1.5-1 389-ds-base_1.4.1.5-1.debian.tar.xz]
Timo Aaltonen [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
Merge 389-ds-base (1.4.0.22-1) import into refs/heads/workingbranch
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
fix-dsctl-remove
Gbp-Pq: Name fix-dsctl-remove.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
fix-nss-path
Gbp-Pq: Name fix-nss-path.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
icu_pkg-config
Gbp-Pq: Name icu_pkg-config.patch
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
perl-use-move-instead-of-rename
Gbp-Pq: Name perl-use-move-instead-of-rename.diff
William Brown [Thu, 18 Jan 2018 01:27:58 +0000 (11:27 +1000)]
Ticket bz1525628 - invalid password migration causes unauth bind
Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.
Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.
This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.
Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)
https://bugzilla.redhat.com/show_bug.cgi?id=
1525628
Author: wibrown
Review by: ???
Gbp-Pq: Name CVE-2017-15135.patch
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
fix-systemctl-path
Gbp-Pq: Name fix-systemctl-path.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
fix-saslpath
Gbp-Pq: Name fix-saslpath.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
fix-obsolete-target
Gbp-Pq: Name fix-obsolete-target.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
rename-online-scripts
Gbp-Pq: Name rename-online-scripts.diff
Debian FreeIPA Team [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
use-bash-instead-of-sh
Gbp-Pq: Name use-bash-instead-of-sh.diff
Timo Aaltonen [Fri, 5 Apr 2019 21:32:06 +0000 (22:32 +0100)]
389-ds-base (1.4.0.22-1) unstable; urgency=medium
* New upstream bugfix release.
* control: Drop 389-ds-base from -legacy-tools Depends. (Closes:
#924265)
* fix-dsctl-remove.diff: Don't hardcode sysconfig. (Closes: #925221)
[dgit import unpatched 389-ds-base 1.4.0.22-1]
projects / 389-ds-base.git / log