Change logs for openldap source package in Groovy

  • openldap (2.4.53+dfsg-1ubuntu1.4) groovy-security; urgency=medium
    
      * SECURITY UPDATE: DoS via malicious packet
        - debian/patches/CVE-2021-27212.patch: fix issuerAndThisUpdateCheck in
          servers/slapd/schema_init.c.
        - CVE-2021-27212
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 09:19:03 -0500
  • openldap (2.4.53+dfsg-1ubuntu1.3) groovy-security; urgency=medium
    
      * SECURITY UPDATE: integer underflow in Certificate Exact Assertion
        processing
        - debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck
          in servers/slapd/schema_init.c.
        - debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck
          in servers/slapd/schema_init.c.
        - CVE-2020-36221
      * SECURITY UPDATE: assert failure in saslAuthzTo validation
        - debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in
          servers/slapd/saslauthz.c.
        - debian/patches/CVE-2020-36222-2.patch: fix debug msg in
          servers/slapd/saslauthz.c.
        - CVE-2020-36222
      * SECURITY UPDATE: crash in Values Return Filter control handling
        - debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in
          servers/slapd/controls.c.
        - CVE-2020-36223
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN
          in servers/slapd/saslauthz.c.
        - debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev
          commit in servers/slapd/saslauthz.c.
        - CVE-2020-36224
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in
          servers/slapd/dn.c.
        - CVE-2020-36225
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36226.patch: fix slap_parse_user in
          servers/slapd/saslauthz.c.
        - CVE-2020-36226
      * SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
        - debian/patches/CVE-2020-36227.patch: fix cancel exop in
          servers/slapd/cancel.c.
        - CVE-2020-36227
      * SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
        - debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in
          servers/slapd/schema_init.c.
        - CVE-2020-36228
      * SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
        - debian/patches/CVE-2020-36229.patch: add more checks to
          ldap_X509dn2bv in libraries/libldap/tls2.c.
        - CVE-2020-36229
      * SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
        - debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN
          count in libraries/libldap/tls2.c.
        - CVE-2020-36230
    
     -- Marc Deslauriers <email address hidden>  Tue, 02 Feb 2021 10:37:52 -0500
  • openldap (2.4.53+dfsg-1ubuntu1.2) groovy-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure in Certificate List syntax
        validation
        - debian/patches/CVE-2020-25709.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25709
      * SECURITY UPDATE: assertion failure in CSN normalization with invalid
        input
        - debian/patches/CVE-2020-25710.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25710
    
     -- Marc Deslauriers <email address hidden>  Mon, 16 Nov 2020 08:37:50 -0500
  • openldap (2.4.53+dfsg-1ubuntu1.1) groovy-security; urgency=medium
    
      * SECURITY UPDATE: DoS via NULL pointer dereference
        - debian/patches/CVE-2020-25692.patch: skip normalization if there's no
          equality rule in servers/slapd/modrdn.c.
        - CVE-2020-25692
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Nov 2020 09:42:03 -0500
  • openldap (2.4.53+dfsg-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable (LP: #1894838). Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install: install nssov overlay
          + d/slapd.manpages: install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - Add support for CLDAP (UDP) support, back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
        - d/rules: better regexp to match the Maintainer tag in d/control,
          needed in the Ubuntu case because of XSBC-Original-Maintainer
          (Closes #960448, LP #1875697)
    
    openldap (2.4.53+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
    
     -- Andreas Hasenack <email address hidden>  Tue, 08 Sep 2020 09:36:58 -0300
  • openldap (2.4.51+dfsg-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install: install nssov overlay
          + d/slapd.manpages: install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - Add support for CLDAP (UDP) support, back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
        - d/rules: better regexp to match the Maintainer tag in d/control,
          needed in the Ubuntu case because of XSBC-Original-Maintainer
          (Closes #960448, LP #1875697)
      * Dropped:
        - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
          [In 2.4.51+dfsg-1]
        - d/slapd.scripts-common:
          + add slapcat_opts to local variables.
          + Fix backup directory naming for multiple reconfiguration.
          [In 2.4.51+dfsg-1]
        - debian/patches/set-maintainer-name: our d/rules change needs to
          be kept, but this patch is in 2.4.51+dfsg-1.
    
    openldap (2.4.51+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
        - Add ldap_parse_password_expiring_control to libldap-2.4-2.symbols.
      * Merge some changes from Ubuntu:
        - slapd.default, slapd.README.Debian: update to refer to slapd.d instead
          of slapd.conf.
        - debian/slapd.scripts-common: dump_databases: make slapcat_opts a local
          variable.
      * Drop paragraph about patch gnutls-altname-nulterminated (#465197) from
        slapd.README.Debian. The patch referred to was dropped in 2.4.7-6.
      * debian/patches/set-maintainer-name: Extract maintainer address dynamically
        from debian/control. (Closes: #960448)
      * Fix Torsten's email address in a historic debian/changelog entry to
        resolve a Lintian error (bogus-mail-host-in-debian-changelog).
      * Rename debian/source.lintian-overrides to debian/source/lintian-overrides.
        Fixes a Lintian pedantic tag (old-source-override-location).
      * Override Lintian pedantic tag maintainer-manual-page for
        slapo-pw-pbkdf2.5, which will be included upstream in a future release.
      * Remove the trailing whitespaces from debian/changelog, debian/control, and
        debian/rules. Fixes a Lintian pedantic tag (trailing-whitespace).
      * Convert debian/po/de.po to UTF-8. Fixes a Lintian warning
        (national-encoding).
      * Relax libldap's dependency on libldap-common to Recommends.
        This is intended to mitigate the impact of bug #915948 in the case where
        the arch:all build is delayed for so long that the old libldap-common
        disappears. Previously, a delayed arch:all build could become
        BD-Uninstallable if new amd64 binaries were published before the arch:all
        build starts, due to the transitive build-dependency on libldap.
        Although libldap works fine without libldap-common, in normal
        installations it is still recommended to install libldap-common.
      * Append a timestamp to the backup directory created by dpkg-reconfigure.
        (Closes: #599585, #960449)
      * Remove the redundant cn=admin,<suffix> entry from the default DIT for new
        installs. For new installs going forward, the root credentials will be
        stored in olcRootDN/olcRootPW only. (Closes: #821331)
      * Change slapd's Suggests: ldap-utils to Recommends. While any LDAP client
        suffices, ldap-utils contains the standard tools recommended by upstream
        for basic administration and management.
      * Relax Recommends: libsasl2-modules to Suggests on slapd and ldap-utils.
        Many deployments do not use SASL at all, and therefore SASL mechanisms are
        not needed "in all but unusual installations".
    
     -- Andreas Hasenack <email address hidden>  Wed, 26 Aug 2020 11:03:24 -0300
  • openldap (2.4.50+dfsg-1ubuntu3) groovy; urgency=medium
    
      * No change rebuild against new libnettle8 and libhogweed6 ABI.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 29 Jun 2020 22:31:30 +0100
  • openldap (2.4.50+dfsg-1ubuntu2) groovy; urgency=medium
    
      * d/apparmor-profile: Update apparmor profile to grant access to
        the saslauthd socket, so that SASL authentication works. (LP: #1557157)
    
     -- Sergio Durigan Junior <email address hidden>  Fri, 12 Jun 2020 18:20:42 -0400
  • openldap (2.4.50+dfsg-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install:
            - install nssov overlay
          + d/slapd.manpages:
            - install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - d/slapd.scripts-common:
          + add slapcat_opts to local variables.
          + Fix backup directory naming for multiple reconfiguration.
        - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
        - Add support for CLDAP (UDP) support, back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
      * Dropped:
        - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
          either the default DIT nor via an Authn mapping.
          [Not worth keeping a delta for, as having olcRootDN doesn't hurt]
        - Show distribution in version:
          - d/control: added lsb-release
          - d/patches/fix-ldap-distribution.patch: show distribution in version
          [Debian now shows the full package version]
        - SECURITY UPDATE: denial of service via nested search filters
          + debian/patches/CVE-2020-12243.patch: limit depth of nested
            filters in servers/slapd/filter.c.
          [Fixed upstream]
      * Added:
        - d/rules, debian/patches/set-maintainer-name: Extract maintainer
          address dynamically from debian/control. Thanks to Ryan Tandy
          <email address hidden> (Closes: #960448, LP: #1875697)
    
    openldap (2.4.50+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
        - Fixed slapd to limit depth of nested filters
          (ITS#9202) (CVE-2020-12243)
        - Drop patches included upstream: argon2.patch, ITS#9171, ITS#8650.
      * Update Spanish debconf translation.
        Thanks to Camaleón. (Closes: #958869)
    
    openldap (2.4.49+dfsg-4) unstable; urgency=medium
    
      * Annotate libsodium-dev dependency with <!pkg.openldap.noslapd>.
        Thanks to Helmut Grohne. (Closes: #955993)
      * Add the man page for the Argon2 password module.
        Thanks to Peter Marschall. (Closes: #955977)
      * Build the Argon2 password module with libargon2-dev instead of
        libsodium-dev. Rationale:
        - libargon2 contains the specific functionality needed; libsodium is a
          larger library and contains many features not used here
        - libsodium does not support configuring the p= (parallelism) parameter
      * Import upstream patch to properly retry gnutls_handshake() after it
        returns GNUTLS_E_AGAIN. (ITS#8650) (Closes: #861838)
      * Update the Argon2 password module to upstream commit feb6f21d2e.
    
    openldap (2.4.49+dfsg-3) unstable; urgency=medium
    
      * Drop patch no-AM_INIT_AUTOMAKE. Instead, configure dh_autoreconf to skip
        automake by setting AUTOMAKE=/bin/true. (Closes: #864637)
      * debian/patches/debian-version: Show Debian version, instead of upstream
        version, in version strings.
      * Add ${perl:Depends} to slapd Depends to silence a dpkg-gencontrol warning.
        This is practically a no-op since slapd explicitly Depends on perl because
        of the maintainer scripts.
      * Import the Argon2 password module from upstream git and install it in
        slapd-contrib. New Build-Depends: libsodium-dev. (Closes: #920283)
    
     -- Andreas Hasenack <email address hidden>  Mon, 01 Jun 2020 09:19:58 -0300
  • openldap (2.4.49+dfsg-2ubuntu2) groovy; urgency=medium
    
      * SECURITY UPDATE: denial of service via nested search filters
        - debian/patches/CVE-2020-12243.patch: limit depth of nested filters in
          servers/slapd/filter.c.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because of
          test timing issue.
        - CVE-2020-12243
    
     -- Marc Deslauriers <email address hidden>  Fri, 01 May 2020 13:09:12 -0400
  • openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium
    
      * Merge with Debian unstable (LP: #1866303). Remaining changes:
        - Enable AppArmor support:
          - d/apparmor-profile: add AppArmor profile
          - d/rules: use dh_apparmor
          - d/control: Build-Depends on dh-apparmor
          - d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support:
          - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
            [Dropped the ldap_gssapi_bind_s() hunk as that is already
          - d/configure.options: Configure with --with-gssapi
          - d/control: Added heimdal-dev as a build depend
          - d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
        - Enable ufw support:
          - d/control: suggest ufw.
          - d/rules: install ufw profile.
          - d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          - d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          - d/slapd.install:
            - install nssov overlay
          - d/slapd.manpages:
            - install slapo-nssov(5) man page
        - d/{rules,slapd.py}: Add apport hook.
        - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
          either the default DIT nor via an Authn mapping.
        - d/slapd.scripts-common:
          - add slapcat_opts to local variables.
          - Fix backup directory naming for multiple reconfiguration.
        - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
        - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
          in the openldap library, as required by Likewise-Open
        - Show distribution in version:
          - d/control: added lsb-release
          - d/patches/fix-ldap-distribution.patch: show distribution in version
        - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
          - CLDAP (UDP) was added in 2.4.17-1ubuntu2
          - GSSAPI support was enabled in 2.4.18-0ubuntu2
        - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
          Debian bug #919136, we also have to patch the nssov makefile
          accordingly and thus update this patch.
    
    openldap (2.4.49+dfsg-2) unstable; urgency=medium
    
      * slapd.README.Debian: Document the initial setup performed by slapd's
        maintainer scripts in more detail. Thanks to Karl O. Pinc.
        (Closes: #952501)
      * Import upstream patch to fix slapd crashing in certain configurations when
        a client attempts a login to a locked account.
        (ITS#9171) (Closes: #953150)
    
     -- Andreas Hasenack <email address hidden>  Fri, 06 Mar 2020 11:39:12 -0300