dgit.raspbian.org Git - 389-ds-base.git/log

Merge 389-ds-base (1.4.4.11-1) import into refs/heads/workingbranch

fix-s390x-failure

commit 900e6fdcf152dd696b5ae189cb1d7c67ab143bae
Author: tbordaz <tbordaz@redhat.com>
Date:   Thu Jan 28 10:39:31 2021 +0100

    Issue 4563 - Failure on s390x: 'Fails to split RDN "o=pki-tomcat-CA" into components' (#4573)

    Bug description:
            SLAPI_OPERATION_TYPE is a stored/read as an int (slapi_pblock_get/set).
            This although the storage field is an unsigned long.
            Calling slapi_pblock_get with an long (8 btyes) destination creates
            a problem on big-endian (s390x).

    Fix description:
            Define destination op_type as an int (4 bytes)

    relates: https://github.com/389ds/389-ds-base/issues/4563

    Reviewed by: Mark Reynolds, William Brown

    Platforms tested: F31 (little endian), Debian (big endian)

Gbp-Pq: Name fix-s390x-failure.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.11-1) unstable; urgency=medium

  * New upstream release.
  * fix-s390x-failure.diff: Fix a crash on big-endian architectures like
    s390x.

[dgit import unpatched 389-ds-base 1.4.4.11-1]

Import 389-ds-base_1.4.4.11.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.11.orig.tar.bz2]

Import 389-ds-base_1.4.4.11-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.11-1 389-ds-base_1.4.4.11-1.debian.tar.xz]

Merge 389-ds-base (1.4.4.10-1) import into refs/heads/workingbranch

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.10-1) unstable; urgency=medium

  * New upstream release.
  * CVE-2017-15135.patch: Refreshed.
  * source: Update diff-ignore.
  * install: Drop libsds which got removed.
  * control: Add libnss3-tools to cockpit-389-ds Depends. (Closes:
    #965004)
  * control: Drop python3-six from depends.

[dgit import unpatched 389-ds-base 1.4.4.10-1]

Import 389-ds-base_1.4.4.10.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.10.orig.tar.bz2]

Import 389-ds-base_1.4.4.10-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.10-1 389-ds-base_1.4.4.10-1.debian.tar.xz]

Merge 389-ds-base (1.4.4.9-1) import into refs/heads/workingbranch

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.9-1) unstable; urgency=medium

* New upstream release.
* fix-prlog-include.diff: Dropped, upstream.

[dgit import unpatched 389-ds-base 1.4.4.9-1]

Import 389-ds-base_1.4.4.9.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.9.orig.tar.bz2]

Import 389-ds-base_1.4.4.9-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.9-1 389-ds-base_1.4.4.9-1.debian.tar.xz]

Merge 389-ds-base (1.4.4.8-1) import into refs/heads/workingbranch

fix-prlog-include

Gbp-Pq: Name fix-prlog-include.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.8-1) unstable; urgency=medium

  * New upstream release.
  * fix-systemctl-path.diff, drop-old-man.diff: Dropped, obsolete.
  * fix-prlog-include.diff: Fix build by dropping nspr4/ prefix.
  * install, rules: Clean up perl cruft that got removed upstream.
  * install: Add openldap_to_ds.
  * watch: Follow 1.4.4.x.

[dgit import unpatched 389-ds-base 1.4.4.8-1]

Import 389-ds-base_1.4.4.8.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.8.orig.tar.bz2]

Import 389-ds-base_1.4.4.8-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.8-1 389-ds-base_1.4.4.8-1.debian.tar.xz]

Merge 389-ds-base (1.4.4.4-1) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

Fix the path to systemctl binary

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.4-1) unstable; urgency=medium

  * New upstream release.
  * watch: Update upstream git repo url.
  * control: Add python3-dateutil to build-depends.
  * copyright: Drop duplicate globbing patterns.
  * lintian: Drop obsolete overrides.
  * postinst: Drop obsolete rule to upgrade the instances.
  * prerm: Use dsctl instead of remove-ds.

[dgit import unpatched 389-ds-base 1.4.4.4-1]

Import 389-ds-base_1.4.4.4.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.4.orig.tar.bz2]

Import 389-ds-base_1.4.4.4-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.4-1 389-ds-base_1.4.4.4-1.debian.tar.xz]

Merge 389-ds-base (1.4.4.3-1) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

Fix the path to systemctl binary

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.4.3-1) unstable; urgency=medium

* New upstream release.
* fix-db-home-dir.diff: Dropped, upstream.

[dgit import unpatched 389-ds-base 1.4.4.3-1]

Import 389-ds-base_1.4.4.3.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.4.3.orig.tar.bz2]

Import 389-ds-base_1.4.4.3-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.4.3-1 389-ds-base_1.4.4.3-1.debian.tar.xz]

Merge 389-ds-base (1.4.3.6-2) import into refs/heads/workingbranch

fix-db-home-dir

Gbp-Pq: Name fix-db-home-dir.diff

drop-old-man

Gbp-Pq: Name drop-old-man.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

Fix the path to systemctl binary

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.3.6-2) unstable; urgency=medium

* fix-db-home-dir.diff: Set db_home_dir same as db_dir to fix an issue
starting a newly created instance.

[dgit import unpatched 389-ds-base 1.4.3.6-2]

Import 389-ds-base_1.4.3.6-2.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.3.6-2 389-ds-base_1.4.3.6-2.debian.tar.xz]

Import 389-ds-base_1.4.3.6.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.3.6.orig.tar.bz2]

Merge 389-ds-base (1.4.3.4-1) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

Fix the path to systemctl binary

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.3.4-1) unstable; urgency=medium

  * New upstream release.
  * Add debian/gitlab-ci.yml.
    - allow blhc to fail
  * control: Bump policy to 4.5.0.
  * control: Use https url for upstream.
  * control: Use canonical URL in Vcs-Browser.
  * copyright: Use spaces rather than tabs to start continuation lines.
  * Add lintian-overrides for the source, cockpit index.js has long lines.

[dgit import unpatched 389-ds-base 1.4.3.4-1]

Import 389-ds-base_1.4.3.4.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.3.4.orig.tar.bz2]

Import 389-ds-base_1.4.3.4-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.3.4-1 389-ds-base_1.4.3.4-1.debian.tar.xz]

Merge 389-ds-base (1.4.3.2-1) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

[PATCH] Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

Fix the path to systemctl binary

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.3.2-1) unstable; urgency=medium

  * New upstream release.
  * prerm: Fix slapd install path. (Closes: #945583)
  * install: Updated.
  * control: Use debhelper-compat.

[dgit import unpatched 389-ds-base 1.4.3.2-1]

Import 389-ds-base_1.4.3.2.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.3.2.orig.tar.bz2]

Import 389-ds-base_1.4.3.2-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.3.2-1 389-ds-base_1.4.3.2-1.debian.tar.xz]

Merge 389-ds-base (1.4.2.4-1) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-systemctl-path

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

389-ds-base (1.4.2.4-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2019-14824 deref plugin displays restricted attributes
      (Closes: #944150)
  * fix-obsolete-target.diff: Dropped, obsolete
    drop-old-man.diff: Refreshed
  * control: Add python3-packaging to build-depends and python3-lib389 depends.
  * dev,libs.install: Nunc-stans got dropped.
  * source/local-options: Add some files to diff-ignore.
  * rules: Refresh list of files to purge.
  * rules: Update dh_auto_clean override.

[dgit import unpatched 389-ds-base 1.4.2.4-1]

Import 389-ds-base_1.4.2.4.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.2.4.orig.tar.bz2]

Import 389-ds-base_1.4.2.4-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.2.4-1 389-ds-base_1.4.2.4-1.debian.tar.xz]

Merge 389-ds-base (1.4.1.6-4) import into refs/heads/workingbranch

drop-old-man

Gbp-Pq: Name drop-old-man.diff

Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-systemctl-path

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

fix-obsolete-target

Gbp-Pq: Name fix-obsolete-target.diff

389-ds-base (1.4.1.6-4) unstable; urgency=medium

* tests: Redirect stderr to stdout.

[dgit import unpatched 389-ds-base 1.4.1.6-4]

Import 389-ds-base_1.4.1.6-4.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.1.6-4 389-ds-base_1.4.1.6-4.debian.tar.xz]

Import 389-ds-base_1.4.1.6.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.1.6.orig.tar.bz2]

Merge 389-ds-base (1.4.1.5-1) import into refs/heads/workingbranch

perl-use-move-instead-of-rename

Gbp-Pq: Name perl-use-move-instead-of-rename.diff

Ticket bz1525628 - invalid password migration causes unauth bind

Bug Description: Slapi_ct_memcmp expects both inputs to be
at LEAST size n. If they are not, we only compared UP to n.

Invalid migrations of passwords (IE {CRYPT}XX) would create
a pw which is just salt and no hash. ct_memcmp would then
only verify the salt bits and would allow the authentication.

This relies on an administrative mistake both of allowing
password migration (nsslapd-allow-hashed-passwords) and then
subsequently migrating an INVALID password to the server.

Fix Description: slapi_ct_memcmp now access n1, n2 size
and will FAIL if they are not the same, but will still compare
n bytes, where n is the "longest" memory, to the first byte
of the other to prevent length disclosure of the shorter
value (generally the mis-migrated password)

https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Author: wibrown

Review by: ???

Gbp-Pq: Name CVE-2017-15135.patch

fix-systemctl-path

Gbp-Pq: Name fix-systemctl-path.diff

fix-saslpath

Gbp-Pq: Name fix-saslpath.diff

fix-obsolete-target

Gbp-Pq: Name fix-obsolete-target.diff

rename-online-scripts

Gbp-Pq: Name rename-online-scripts.diff

use-bash-instead-of-sh

Gbp-Pq: Name use-bash-instead-of-sh.diff

389-ds-base (1.4.1.5-1) unstable; urgency=medium

  * New upstream release.
  * watch: Use https.
  * control: Bump policy to 4.4.0.
  * Bump debhelper to 12.
  * patches: fix-dsctl-remove.diff, fix-nss-path.diff, icu_pkg-config.patch
    removed, upstream. Others refreshed.
  * rules: Pass --enable-perl, we still need the perl tools.
  * *.install: Updated.

[dgit import unpatched 389-ds-base 1.4.1.5-1]

Import 389-ds-base_1.4.1.5.orig.tar.bz2

[dgit import orig 389-ds-base_1.4.1.5.orig.tar.bz2]

Import 389-ds-base_1.4.1.5-1.debian.tar.xz

[dgit import tarball 389-ds-base 1.4.1.5-1 389-ds-base_1.4.1.5-1.debian.tar.xz]

Merge 389-ds-base (1.4.0.22-1) import into refs/heads/workingbranch

fix-dsctl-remove

Gbp-Pq: Name fix-dsctl-remove.diff

fix-nss-path

Gbp-Pq: Name fix-nss-path.diff

icu_pkg-config

Gbp-Pq: Name icu_pkg-config.patch

perl-use-move-instead-of-rename

Gbp-Pq: Name perl-use-move-instead-of-rename.diff