diff --git a/CVE-2020-12243.patch b/CVE-2020-12243.patch
deleted file mode 100644
index eb224f8a68d274bc2b24475386b97d5d77811908..0000000000000000000000000000000000000000
--- a/CVE-2020-12243.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
----
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2..ed57bbd 100644
---- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
-
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH 5000
-+#endif
-+
- static int get_filter_list(
- Operation *op,
- BerElement *ber,
- Filter **f,
-- const char **text );
-+ const char **text,
-+ int depth );
-
- static int get_ssa(
- Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- return;
- }
-
--int
--get_filter(
-+static int
-+get_filter0(
- Operation *op,
- BerElement *ber,
- Filter **filt,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- ber_tag_t tag;
- ber_len_t len;
-@@ -126,6 +132,11 @@ get_filter(
- *
- */
-
-+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+ *text = "filter nested too deeply";
-+ return SLAPD_DISCONNECT;
-+ }
-+
- tag = ber_peek_tag( ber, &len );
-
- if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
-
- case LDAP_FILTER_AND:
- Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_and, text );
-+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -234,7 +245,7 @@ get_filter(
-
- case LDAP_FILTER_OR:
- Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_or, text );
-+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -248,7 +259,7 @@ get_filter(
- case LDAP_FILTER_NOT:
- Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- (void) ber_skip_tag( ber, &len );
-- err = get_filter( op, ber, &f.f_not, text );
-+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -311,10 +322,22 @@ get_filter(
- return( err );
- }
-
-+int
-+get_filter(
-+ Operation *op,
-+ BerElement *ber,
-+ Filter **filt,
-+ const char **text )
-+{
-+ return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- Filter **f,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- Filter **new;
- int err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- tag != LBER_DEFAULT;
- tag = ber_next_element( ber, &len, last ) )
- {
-- err = get_filter( op, ber, new, text );
-+ err = get_filter0( op, ber, new, text, depth );
- if ( err != LDAP_SUCCESS )
- return( err );
- new = &(*new)->f_next;
---
-1.8.3.1
-
diff --git a/README.en.md b/README.en.md
new file mode 100644
index 0000000000000000000000000000000000000000..0efb4ac2a150de7b41a5df7f552b167e2a0e25b3
--- /dev/null
+++ b/README.en.md
@@ -0,0 +1,36 @@
+# openldap
+
+#### Description
+{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
+
+#### Software Architecture
+Software architecture description
+
+#### Installation
+
+1. xxxx
+2. xxxx
+3. xxxx
+
+#### Instructions
+
+1. xxxx
+2. xxxx
+3. xxxx
+
+#### Contribution
+
+1. Fork the repository
+2. Create Feat_xxx branch
+3. Commit your code
+4. Create Pull Request
+
+
+#### Gitee Feature
+
+1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
+2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
+3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
+4. The most valuable open source project [GVP](https://gitee.com/gvp)
+5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
+6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..5ea4ed790fd53b714970d267a27b345b7a1a385d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,39 @@
+# openldap
+
+#### 介绍
+{**以下是码云平台说明,您可以替换此简介**
+码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
+无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
+
+#### 软件架构
+软件架构说明
+
+
+#### 安装教程
+
+1. xxxx
+2. xxxx
+3. xxxx
+
+#### 使用说明
+
+1. xxxx
+2. xxxx
+3. xxxx
+
+#### 参与贡献
+
+1. Fork 本仓库
+2. 新建 Feat_xxx 分支
+3. 提交代码
+4. 新建 Pull Request
+
+
+#### 码云特技
+
+1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
+2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
+3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
+4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
+5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
+6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch b/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
new file mode 100644
index 0000000000000000000000000000000000000000..54b3d8e86f399d8c776acef7114831189ae3efdd
--- /dev/null
+++ b/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
@@ -0,0 +1,36 @@
+From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Tue, 28 Apr 2020 20:49:53 +0000
+Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
+
+---
+ libraries/libldap/tls2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index c1f15cb..ebe5bf1 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ } else if ( sb->sb_trans_needs_write ) {
+ wr=1;
+ }
+- Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+- wr ? "write": "read" );
++ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
++ wr ? "write": "read", 0, 0 );
+
+ /* This is mostly copied from result.c:wait4msg(), should
+ * probably be moved into a separate function */
+@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ start_time_tv.tv_sec = curr_time_tv.tv_sec;
+ start_time_tv.tv_usec = curr_time_tv.tv_usec;
+ tv = tv0;
+- Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
++ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
+ ret = ldap_int_poll( ld, sd, &tv, wr);
+ if ( ret < 0 ) {
+--
+1.8.3.1
+
diff --git a/ITS9160-OOM-Handing.patch b/bugfix-openldap-ITS9160-OOM-Handing.patch
similarity index 100%
rename from ITS9160-OOM-Handing.patch
rename to bugfix-openldap-ITS9160-OOM-Handing.patch
diff --git a/fix-implicit-function-declaration.patch b/bugfix-openldap-fix-implicit-function-declaration.patch
similarity index 100%
rename from fix-implicit-function-declaration.patch
rename to bugfix-openldap-fix-implicit-function-declaration.patch
diff --git a/openldap-2.4.49.tgz b/openldap-2.4.50.tgz similarity index 43% rename from openldap-2.4.49.tgz rename to openldap-2.4.50.tgz index 634b85165969f972ecd1e48137d675dac7ed4a05..786a4ab7a6fa914ac945e38bedd2449c10d2a113 100644 Binary files a/openldap-2.4.49.tgz and b/openldap-2.4.50.tgz differ diff --git a/openldap.spec b/openldap.spec index 5342bcf43bda9806834347bf55ee6662219ed9c2..ab6ae7b9c925f534f29c4d3b1b59705dbcb84d12 100644 --- a/openldap.spec +++ b/openldap.spec @@ -1,8 +1,8 @@ %global systemctl_bin /usr/bin/systemctl Name: openldap -Version: 2.4.49 -Release: 4 +Version: 2.4.50 +Release: 1 Summary: LDAP support libraries License: OpenLDAP URL: https://www.openldap.org/ 
@@ -23,25 +23,26 @@ Patch3: openldap-ai-addrconfig.patch Patch4: openldap-allop-overlay.patch # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 Patch5: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch -Patch6: check-password-makefile.patch -Patch7: check-password.patch -Patch8: bugfix-openldap-autoconf-pkgconfig-nss.patch -Patch9: bugfix-openldap-nss-ciphers-use-nss-defaults.patch -Patch10: bugfix-openldap-nss-ignore-certdb-type-prefix.patch -Patch11: bugfix-openldap-nss-pk11-freeslot.patch -Patch12: bugfix-openldap-nss-protocol-version-new-api.patch -Patch13: bugfix-openldap-nss-unregister-on-unload.patch -Patch14: bugfix-openldap-nss-update-list-of-ciphers.patch -Patch15: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch -Patch16: bugfix-openldap-ssl-deadlock-revert.patch -Patch17: bugfix-openldap-support-tlsv1-and-later.patch -Patch18: bugfix-openldap-temporary-ssl-thr-init-race.patch -Patch19: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch -Patch20: Fixup-for-binary-config-attrs.patch -Patch21: ITS9160-OOM-Handing.patch -Patch22: fix-implicit-function-declaration.patch -Patch23: CVE-2020-12243.patch -Patch24: CVE-2020-15719.patch +Patch6: openldap-openssl-allow-ssl3.patch +Patch7: check-password-makefile.patch +Patch8: check-password.patch +Patch9: bugfix-openldap-autoconf-pkgconfig-nss.patch +Patch10: bugfix-openldap-nss-ciphers-use-nss-defaults.patch +Patch11: bugfix-openldap-nss-ignore-certdb-type-prefix.patch +Patch12: bugfix-openldap-nss-pk11-freeslot.patch +Patch13: bugfix-openldap-nss-protocol-version-new-api.patch +Patch14: bugfix-openldap-nss-unregister-on-unload.patch +Patch15: bugfix-openldap-nss-update-list-of-ciphers.patch +Patch16: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch +Patch17: bugfix-openldap-ssl-deadlock-revert.patch +Patch18: bugfix-openldap-support-tlsv1-and-later.patch +Patch19: bugfix-openldap-temporary-ssl-thr-init-race.patch +Patch20: 
Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch +Patch21: Fixup-for-binary-config-attrs.patch +Patch22: bugfix-openldap-ITS9160-OOM-Handing.patch +Patch23: bugfix-openldap-fix-implicit-function-declaration.patch +Patch24: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch +Patch25: CVE-2020-15719.patch BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel chrpath BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed @@ -113,8 +114,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 -%patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 @@ -131,6 +132,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd @@ -148,8 +150,8 @@ done popd pushd ltb-project-openldap-ppolicy-check-password-1.1 -%patch6 -p1 %patch7 -p1 +%patch8 -p1 popd %build @@ -271,11 +273,6 @@ rmdir %{buildroot}%{_localstatedir}/openldap-data mkdir -p %{buildroot}/etc/ld.so.conf.d echo "/usr/lib64/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf -%check -pushd openldap-%{version} -make check -popd - %pre servers getent group ldap &>/dev/null || groupadd -r -g 55 ldap @@ -365,6 +362,11 @@ fi exit 0 +%check +pushd openldap-%{version} +make check +popd + %files %defattr(-,root,root) %license openldap-%{version}/COPYRIGHT @@ -416,6 +418,12 @@ exit 0 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %changelog +* Tue Aug 25 2020 lunankun - 2.4.50-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update to 2.4.50 + * Wed Aug 05 2020 lunankun - 2.4.49-4 - Type:cves - ID:CVE-2020-15719
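Review bot: The `Patch6: openldap-openssl-allow-ssl3.patch` line added in the `@@ -23,25 +23,26 @@` hunk, and applied by `%patch6 -p1` in the `%prep` hunk, carries no comment or changelog entry, and the patch file itself is not among the files this diff shows. Judging only by its name it presumably lets the OpenSSL backend accept SSLv3, a deprecated protocol, so the spec should say why it is carried; I would put a comment above the line, for example `# <reason SSLv3 must remain negotiable, and the origin of this patch>`, and mention it in the new changelog entry. The same hunk drops `Patch23: CVE-2020-12243.patch` while the changelog says only "update to 2.4.50". Presumably the ITS#9202 nested-filter depth limit is already in the 2.4.50 tarball, but that should be confirmed against `servers/slapd/filter.c` in the new source and recorded, e.g. `- DESC:update to 2.4.50, drop CVE-2020-12243.patch (fixed upstream)`.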