-
openldap (2.4.28-1.1ubuntu4.12) precise-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: assertion failure in Certificate List syntax
validation
- debian/patches/CVE-2020-25709.patch: properly handle error in
servers/slapd/schema_init.c.
- CVE-2020-25709
* SECURITY UPDATE: assertion failure in CSN normalization with invalid
input
- debian/patches/CVE-2020-25710.patch: properly handle error in
servers/slapd/schema_init.c.
- CVE-2020-25710
-- <email address hidden> (Leonidas S. Barbosa) Fri, 20 Nov 2020 11:16:57 -0300
-
openldap (2.4.28-1.1ubuntu4.6) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via crafted BER data
- debian/patches/CVE-2015-6908.patch: remove obsolete assert in
libraries/liblber/io.c.
- CVE-2015-6908
* SECURITY UPDATE: user impersonation via incorrect default permissions
- debian/slapd.init.ldif: disallow modifying one's own entry by
default.
- CVE-2014-9713
-- Marc Deslauriers <email address hidden> Mon, 14 Sep 2015 10:37:35 -0400
-
openldap (2.4.28-1.1ubuntu4.5) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via an LDAP search query
with attrsOnly set to true. (LP: #1446809)
- debian/patches/CVE-2012-1164.1.patch: don't leave empty slots in
normalized attr values
- debian/patches/CVE-2012-1164.2.patch: add FIXME comment, note that
current patch is not ideal
- debian/patches/CVE-2012-1164.3.patch: fix attr_dup2 when no values are
present (attrsOnly = TRUE)
- CVE-2012-1164
* SECURITY UPDATE: fix rwm overlay reference counting
- debian/patches/CVE-2013-4449.patch: fix reference counting
- CVE-2013-4449
* SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
- debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
- CVE-2015-1545
-- Felipe Reyes <email address hidden> Tue, 19 May 2015 11:53:17 -0300
-
openldap (2.4.28-1.1ubuntu4.4) precise-proposed; urgency=low
* Backport fix for back-mdb, fixes crash when deleting an entry
that contains an indexed numeric attribute (LP: #1216650):
- d/patches/its-7174-lutil_str2bin-cant-modify-input-strings.patch:
Upstream patch to make sure that lutil_str2bin does not
attempt to modify its input.
-- Roel Standaert <email address hidden> Sat, 31 Aug 2013 08:29:45 +0200
-
openldap (2.4.28-1.1ubuntu4.3) precise-proposed; urgency=low
* Avoid deadlocks in back-bdb that truncate slapcat output (LP: #1185908):
- d/patches/bdb-deadlock.patch: Patch copied from Debian #673038
-- Ryan Tandy <email address hidden> Tue, 04 Jun 2013 09:00:09 -0700
-
openldap (2.4.28-1.1ubuntu4.2) precise-proposed; urgency=low
* Backport fix for shell backend configuration (LP: #1048787)
- d/patches/shell-config: Use the same patch as in the Debian NMU
used to fix the same issue in debian (BTS #662940) - patch is
extracted from upstream git repository.
-- Mattias Ellert <email address hidden> Mon, 10 Sep 2012 17:08:53 +0200
-
openldap (2.4.28-1.1ubuntu4.1) precise-proposed; urgency=low
* Fix issue with intermittent connection issues when using LDAPv3
protocol (LP: #1023025):
- d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
patch from upstream VCS which ensures objects are initialized before
re-use.
-- Pierre Fersing <email address hidden> Thu, 19 Jul 2012 14:28:34 +0100
-
openldap (2.4.28-1.1ubuntu4) precise; urgency=low
* debian/control: Build-Depends on dh-apparmor (LP: #948481)
-- Jamie Strandboge <email address hidden> Thu, 05 Apr 2012 09:34:37 -0500
-
openldap (2.4.28-1.1ubuntu3) precise; urgency=low
* Add its-7176-only-poll-sockets-for-write-as-needed.diff
(LP: #932823).
-- Timo Aaltonen <email address hidden> Tue, 21 Feb 2012 15:36:29 +0200
-
openldap (2.4.28-1.1ubuntu2) precise; urgency=low
* Remove debian/patches/CVE-2011-4079; it's already in this upstream
version. Fixes FTBFS.
-- Daniel T Chen <email address hidden> Wed, 25 Jan 2012 17:26:17 -0500
-
openldap (2.4.28-1.1ubuntu1) precise; urgency=low
* Merge from Debian testing. Remaining changes:
- Install a default DIT (LP: #442498).
- Document cn=config in README file (LP: #370784).
- remaining changes:
+ AppArmor support:
- debian/apparmor-profile: add AppArmor profile
- use dh_apparmor:
- debian/rules: use dh_apparmor
- debian/control: Build-Depends on debhelper 7.4.20ubuntu5
- updated debian/slapd.README.Debian for note on AppArmor
- debian/slapd.dirs: add etc/apparmor.d/force-complain
+ Enable GSSAPI support (LP: #495418):
- debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- debian/patches/series: apply gssapi.diff patch.
- debian/configure.options: Configure with --with-gssapi
- debian/control: Added libkrb5-dev as a build depend
+ debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open (LP: #390579)
+ Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
- debian/control:
- remove build-dependency on heimdal-dev.
- remove slapd-smbk5pwd binary package.
- debian/rules: don't build smbk5pwd slapd module.
+ debian/{control,rules}: enable PIE hardening
+ ufw support (LP: #423246):
- debian/control: suggest ufw.
- debian/rules: install ufw profile.
- debian/slapd.ufw.profile: add ufw profile.
+ Enable nssoverlay:
- debian/patches/nssov-build, debian/series, debian/rules:
Apply, build and package the nss overlay.
- debian/schema/extra/misc.ldif: add ldif file for the misc schema
which defines rfc822MailMember (required by the nss overlay).
+ debian/rules, debian/schema/extra/:
Fix configure rule to supports extra schemas shipped as part
of the debian/schema/ directory.
+ debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
+ debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
neither the default DIT nor via an Authn mapping.
+ debian/slapd.scripts-common: adjust minimum version that triggers a
database upgrade. Upgrade from maverick shouldn't trigger database
upgrade (which would happen with the version used in Debian).
+ debian/slapd.scripts-common: add slapcat_opts to local variables.
Remove unused variable new_conf.
+ debian/slapd.script-common: Fix package reconfiguration.
- Fix backup directory naming for multiple reconfiguration.
+ debian/slapd.default, debian/slapd.README.Debian:
use the new configuration style.
+ Install nss overlay (LP: #675391):
- debian/rules: run install target for nssov module.
- debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
+ debian/patches/gssapi.diff:
- Update patch so that likewise-open is usuable again. (LP: #661547)
+ debian/patches/service-operational-before-detach: New patch replacing old one
of the same name as previous could cause database corruption based on upstream commits.
(LP: #727973)
+ debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
(CVE-2011-4079)
openldap (2.4.28-1.1) unstable; urgency=low
* Non-maintainer upload.
* Disable the mdb backend on non-Linux, it looks like it doesn't work with
linuxthreads (closes: #654824).
openldap (2.4.28-1) unstable; urgency=low
* New upstream release.
- Fixes CVE-2011-4079. Closes: #647610.
- Fixes support for proxy authorization with SASL-GSSAPI.
Closes: #608815.
- Drop patch service-operational-before-detach, which came from upstream.
- Drop patch fix-its6898-locking-issue, included upstream.
- Refresh other patches as needed.
* debian/slapd.scripts-common: quote the argument to slappasswd, to cope
with shell characters in the string. Thanks to Nicolai Ehemann
<email address hidden> for the patch. Closes: #635931.
* Install ldif.h in libldap2-dev, now that it's been blessed upstream.
Closes: #644985.
* debian/patches/no-bdb-ABI-second-guessing: don't force an exact match on
the upstream version of libdb; this is redundant with our packaging
system, and causes spurious errors when there's a non-ABI-breaking
BDB upstream release. Closes: #651333.
* Build-conflict with the ancient autoconf2.13, which is incompatible with
dh-autoreconf. (Maybe dh-autoreconf itself should conflict with it?)
Closes: #651598.
[ Updated debconf translations ]
* Dutch, thanks to Jeroen Schot <email address hidden>. Closes: #651400.
-- Chuck Short <email address hidden> Mon, 23 Jan 2012 10:01:13 -0500
-
openldap (2.4.25-4ubuntu1) precise; urgency=low
* Merge from Debian testing. Remaining changes:
- Install a default DIT (LP: #442498).
- Document cn=config in README file (LP: #370784).
- remaining changes:
+ AppArmor support:
- debian/apparmor-profile: add AppArmor profile
- use dh_apparmor:
- debian/rules: use dh_apparmor
- debian/control: Build-Depends on debhelper 7.4.20ubuntu5
- updated debian/slapd.README.Debian for note on AppArmor
- debian/slapd.dirs: add etc/apparmor.d/force-complain
+ Enable GSSAPI support (LP: #495418):
- debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- debian/patches/series: apply gssapi.diff patch.
- debian/configure.options: Configure with --with-gssapi
- debian/control: Added libkrb5-dev as a build depend
+ debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open (LP: #390579)
+ Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
- debian/control:
- remove build-dependency on heimdal-dev.
- remove slapd-smbk5pwd binary package.
- debian/rules: don't build smbk5pwd slapd module.
+ debian/{control,rules}: enable PIE hardening
+ ufw support (LP: #423246):
- debian/control: suggest ufw.
- debian/rules: install ufw profile.
- debian/slapd.ufw.profile: add ufw profile.
+ Enable nssoverlay:
- debian/patches/nssov-build, debian/series, debian/rules:
Apply, build and package the nss overlay.
- debian/schema/extra/misc.ldif: add ldif file for the misc schema
which defines rfc822MailMember (required by the nss overlay).
+ debian/rules, debian/schema/extra/:
Fix configure rule to supports extra schemas shipped as part
of the debian/schema/ directory.
+ debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
+ debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
neither the default DIT nor via an Authn mapping.
+ debian/slapd.scripts-common: adjust minimum version that triggers a
database upgrade. Upgrade from maverick shouldn't trigger database
upgrade (which would happen with the version used in Debian).
+ debian/slapd.scripts-common: add slapcat_opts to local variables.
Remove unused variable new_conf.
+ debian/slapd.script-common: Fix package reconfiguration.
- Fix backup directory naming for multiple reconfiguration.
+ debian/slapd.default, debian/slapd.README.Debian:
use the new configuration style.
+ Install nss overlay (LP: #675391):
- debian/rules: run install target for nssov module.
- debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
+ debian/patches/gssapi.diff:
- Update patch so that likewise-open is usuable again. (LP: #661547)
+ debian/patches/service-operational-before-detach: New patch replacing old one
of the same name as previous could cause database corruption based on upstream commits.
(LP: #727973)
+ debian/patches/CVE-2011-4079: fix off by one error in postalAddressNormalize()
(CVE-2011-4079)
openldap (2.4.25-4) unstable; urgency=low
* Drop explicit depends on libdb4.8, since we're now linking against
libdb5.1. Thanks to Peter Marschall for catching. Closes: #621403
again.
* Rebuild against cyrus-sasl2 2.1.25. Closes: #628237.
* Use dh_autoreconf instead of a locally-patched autogen.sh.
* debian/patches/no-AM_INIT_AUTOMAKE: don't use AM_INIT_AUTOMAKE macro
when we aren't using automake.
* Convert debian/rules to dh(1).
* use DEB_CFLAGS_MAINT_APPEND with appropriate versioned dependency on
debhelper and dpkg-dev, so we can pick up dpkg-buildflags for our
policy-mandated flags - as well as our security-enhancing ones!
Closes: #644427.
* Also set hardening=+pie,+bindnow buildflags options for maximum
security, since this is a security-sensitive daemon dealing with
untrusted input. Ubuntu has been building with these flags for a
while via hardening-wrappers, so the change is presumed safe.
* Drop debian/check_config. The upstream configure script now enforces
--with-cyrus-sasl, so there's no need for a second check.
* debian/po/es.po: tweak an ambiguous string in the Spanish debconf
translation, noticed in response to a submitted Catalan translation
* debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff:
Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
Thanks to Jan-Marek Glogowski <email address hidden> for the
patch. Closes: #327585.
[ Updated debconf translations ]
* Catalan, thanks to Innocent De Marchi <email address hidden>.
Closes: #644274.
-- Chuck Short <email address hidden> Tue, 22 Nov 2011 06:17:49 +0000
-
openldap (2.4.25-3ubuntu3) precise; urgency=low
* Rebuild for Perl 5.14.
-- Colin Watson <email address hidden> Tue, 15 Nov 2011 20:50:09 +0000
-
openldap (2.4.25-3ubuntu2) precise; urgency=low
* SECURITY UPDATE: potential denial of service (LP: #884163)
- debian/patches/CVE-2011-4079: fix off by one error in
postalAddressNormalize()
- CVE-2011-4079
-- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:59:56 -0600
-
openldap (2.4.25-3ubuntu1) precise; urgency=low
* Merge from debian unstable. Remaining changes:
- Install a default DIT (LP: #442498).
- Document cn=config in README file (LP: #370784).
- remaining changes:
+ AppArmor support:
- debian/apparmor-profile: add AppArmor profile
- use dh_apparmor:
- debian/rules: use dh_apparmor
- debian/control: Build-Depends on debhelper 7.4.20ubuntu5
- updated debian/slapd.README.Debian for note on AppArmor
- debian/slapd.dirs: add etc/apparmor.d/force-complain
+ Enable GSSAPI support (LP: #495418):
- debian/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- debian/patches/series: apply gssapi.diff patch.
- debian/configure.options: Configure with --with-gssapi
- debian/control: Added libkrb5-dev as a build depend
+ debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open (LP: #390579)
+ Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
- debian/control:
- remove build-dependency on heimdal-dev.
- remove slapd-smbk5pwd binary package.
- debian/rules: don't build smbk5pwd slapd module.
+ debian/{control,rules}: enable PIE hardening
+ ufw support (LP: #423246):
- debian/control: suggest ufw.
- debian/rules: install ufw profile.
- debian/slapd.ufw.profile: add ufw profile.
+ Enable nssoverlay:
- debian/patches/nssov-build, debian/series, debian/rules:
Apply, build and package the nss overlay.
- debian/schema/extra/misc.ldif: add ldif file for the misc schema
which defines rfc822MailMember (required by the nss overlay).
+ debian/rules, debian/schema/extra/:
Fix configure rule to supports extra schemas shipped as part
of the debian/schema/ directory.
+ debian/rules, debian/slapd.py: Add apport hook. (LP: #610544)
+ debian/slapd.init.ldif: don't set olcRootDN since it's not defined in
neither the default DIT nor via an Authn mapping.
+ debian/slapd.scripts-common: adjust minimum version that triggers a
database upgrade. Upgrade from maverick shouldn't trigger database
upgrade (which would happen with the version used in Debian).
+ debian/slapd.scripts-common: add slapcat_opts to local variables.
Remove unused variable new_conf.
+ debian/slapd.script-common: Fix package reconfiguration.
- Fix backup directory naming for multiple reconfiguration.
+ debian/slapd.default, debian/slapd.README.Debian:
use the new configuration style.
+ Install nss overlay (LP: #675391):
- debian/rules: run install target for nssov module.
- debian/patches/nssov-build: fix patch to install schema in /etc/ldap/schema
+ debian/patches/gssapi.diff:
- Update patch so that likewise-open is usuable again. (LP: #661547)
+ debian/patches/service-operational-before-detach: New patch replacing old one
of the same name as previous could cause database corruption based on upstream commits.
(LP: #727973)
openldap (2.4.25-3) unstable; urgency=low
* Brown paper bag: really fix the .links.in handling, so we don't generate
broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.
openldap (2.4.25-2) unstable; urgency=low
[ Matthijs Möhlmann ]
* Change to bdb 5.1 (Closes: #621403)
* Add note to ldap-utils package how to unfold lines. (Closes: #530519)
(Thanks to Peter Marschall and Javier Barroso)
[ Steve Langasek ]
* Acknowledge NMU for bug #596343; thanks to Thijs Kinkhorst for the fix!
* Bump to compat level 7, so we don't have to spell out debian/tmp in
every single .install file
* Build for multiarch.
-- Chuck Short <email address hidden> Wed, 19 Oct 2011 20:53:08 +0000
-
openldap (2.4.25-1.1ubuntu4) oneiric; urgency=low
* Brown paper bag: really fix the .links.in handling, so we don't generate
broken /usr/lib/${DEB_HOST_MULTIARCH} dirs.
-- Steve Langasek <email address hidden> Mon, 15 Aug 2011 09:43:29 +0000