diff --git a/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch b/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
deleted file mode 100644
index 54b3d8e86f399d8c776acef7114831189ae3efdd..0000000000000000000000000000000000000000
--- a/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
-From: Quanah Gibson-Mount
-Date: Tue, 28 Apr 2020 20:49:53 +0000
-Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
-
----
- libraries/libldap/tls2.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index c1f15cb..ebe5bf1 100644
---- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
- } else if ( sb->sb_trans_needs_write ) {
- wr=1;
- }
-- Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
-- wr ? "write": "read" );
-+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
-+ wr ? "write": "read", 0, 0 );
-
- /* This is mostly copied from result.c:wait4msg(), should
- * probably be moved into a separate function */
-@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
- start_time_tv.tv_sec = curr_time_tv.tv_sec;
- start_time_tv.tv_usec = curr_time_tv.tv_usec;
- tv = tv0;
-- Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
-+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
- (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
- ret = ldap_int_poll( ld, sd, &tv, wr);
- if ( ret < 0 ) {
---
-1.8.3.1
-
diff --git a/openldap-2.4.50.tgz b/openldap-2.4.59.tgz
similarity index 43%
rename from openldap-2.4.50.tgz
rename to openldap-2.4.59.tgz
index 786a4ab7a6fa914ac945e38bedd2449c10d2a113..da28bb38da7ac866dadf96b73911b9d2673377b7 100644
Binary files a/openldap-2.4.50.tgz and b/openldap-2.4.59.tgz differ
diff --git a/openldap.spec b/openldap.spec
index 881cd3af1ff89a7df391082ca2c9388c57e8d93b..de039fad0e629f7379a77b6bd2b084f2dbd450b5 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -1,8 +1,9 @@
 %global systemctl_bin /usr/bin/systemctl
+%global so_ver 2
 Name: openldap
-Version: 2.4.50
-Release: 8
+Version: 2.4.59
+Release: 1
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: https://www.openldap.org/
@@ -41,29 +42,28 @@ Patch20: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
 Patch21: Fixup-for-binary-config-attrs.patch
 Patch22: bugfix-openldap-ITS9160-OOM-Handing.patch
 Patch23: bugfix-openldap-fix-implicit-function-declaration.patch
-Patch24: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
-Patch25: CVE-2020-15719.patch
-Patch26: CVE-2020-25692.patch
-Patch27: CVE-2020-36221-1.patch
-Patch28: CVE-2020-36221-2.patch
-Patch29: CVE-2020-36222-1.patch
-Patch30: CVE-2020-36222-2.patch
-Patch31: CVE-2020-36223.patch
-Patch32: CVE-2020-36224_36225_36226-1.patch
-Patch33: CVE-2020-36224_36225_36226-2.patch
-Patch34: CVE-2020-36224_36225_36226-3.patch
-Patch35: CVE-2020-36224_36225_36226-4.patch
-Patch36: CVE-2020-36227.patch
-Patch37: CVE-2020-36228.patch
-Patch38: CVE-2020-36230.patch
-Patch39: CVE-2020-36229.patch
-Patch40: backport-delete-back-bdb-back-hdb.patch
-Patch41: backport-Fix-test-suite.patch
-Patch42: backport-ITS-9010-regenerate-configure.patch
-Patch43: backport-ITS-9010-More-BDB-HDB-cleanup.patch
-Patch44: CVE-2021-27212.patch
-Patch45: CVE-2020-25709.patch
-Patch46: CVE-2020-25710.patch
+Patch24: CVE-2020-15719.patch
+Patch25: CVE-2020-25692.patch
+Patch26: CVE-2020-36221-1.patch
+Patch27: CVE-2020-36221-2.patch
+Patch28: CVE-2020-36222-1.patch
+Patch29: CVE-2020-36222-2.patch
+Patch30: CVE-2020-36223.patch
+Patch31: CVE-2020-36224_36225_36226-1.patch
+Patch32: CVE-2020-36224_36225_36226-2.patch
+Patch33: CVE-2020-36224_36225_36226-3.patch
+Patch34: CVE-2020-36224_36225_36226-4.patch
+Patch35: CVE-2020-36227.patch
+Patch36: CVE-2020-36228.patch
+Patch37: CVE-2020-36230.patch
+Patch38: CVE-2020-36229.patch
+Patch39: backport-delete-back-bdb-back-hdb.patch
+Patch40: backport-Fix-test-suite.patch
+Patch41: backport-ITS-9010-regenerate-configure.patch
+Patch42: backport-ITS-9010-More-BDB-HDB-cleanup.patch
+Patch43: CVE-2021-27212.patch
+Patch44: CVE-2020-25709.patch
+Patch45: CVE-2020-25710.patch
 BuildRequires:
cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
 BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@@ -89,6 +89,17 @@ protocols for enabling directory services over the Internet. Install this package only if you plan to develop or will need to compile customized LDAP clients.
+%package compat
+Summary: Package providing legacy non-threaded libldap
+Requires: openldap%{?_isa} = %{version}-%{release}
+# since libldap is manually linked from libldap_r, the provides is not generated automatically
+Provides: libldap-2.4.so.%{so_ver}()(%{__isa_bits}bit)
+
+%description compat
+The openldap-compat package contains non-threaded variant of libldap
+which should not be used. Instead, applications should link to libldap_r
+which provides thread-safe variant with the very same API.
+
 %package servers
 Summary: LDAP server
 License: OpenLDAP
@@ -127,8 +138,6 @@ programs needed for accessing and modifying OpenLDAP directories.
 pushd openldap-%{version}
-AUTOMAKE=%{_bindir}/true autoreconf -fi
-
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
@@ -174,7 +183,10 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
-%patch46 -p1
+
+# The change is needed for autoconf-2.71
+sed 's@^AM_INIT_AUTOMAKE.*@AC_PROG_MAKE_SET@' -i configure.in
+AUTOMAKE=%{_bindir}/true autoreconf -f -i
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@@ -199,7 +211,7 @@ popd
 %build
 %set_build_flags
-export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
+export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2"
 pushd openldap-%{version}
 %configure \
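Review bot: Patch24 through Patch45 in the renumbered list are the same CVE and backport patches the 2.4.50 package carried, now applied on top of the 2.4.59 tarball, and nothing in the visible diff shows they were re-checked against the new source. Each one should be compared with the 2.4.59 tree: a fix that upstream already contains should be dropped from the list rather than carried, and one that is still needed should be confirmed to apply without fuzz. None of the patch files themselves change on this page, so this cannot be settled from the diff alone. A comment above the block such as `# CVE/backport patches below re-verified against 2.4.59` would record that the check was done.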
@@ -290,8 +302,29 @@ v=%{version}
 version=$(echo ${v%.[0-9]*})
 for lib in liblber libldap libldap_r libslapi; do
 rm -f ${lib}.so
- ln -s ${lib}-${version}.so.2 ${lib}.so
+ ln -s ${lib}-${version}.so.%{so_ver} ${lib}.so
+done
+
+# provide only libldap_r and copy it to libldap, make a versioned lib link
+rm -f libldap.so
+ln -s libldap_r.so "%{buildroot}%{_libdir}/libldap.so"
+rm -f libldap-*.so.*
+for lib in $(ls | grep libldap_r-); do
+ IFS='.'
+ read -r -a libsplit <<< "$lib"
+ if [ -z "${libsplit[4]}" ]
+ then
+ so_ver_short="${libsplit[3]}"
+ unset IFS
+ gcc -shared -o "%{buildroot}%{_libdir}/libldap-${version}.so.${so_ver_short}" -Wl,--no-as-needed \
+ -Wl,-soname -Wl,libldap-${version}.so.${so_ver_short} -L "%{buildroot}%{_libdir}" -lldap_r
+ else
+ so_ver_full="${libsplit[3]}.${libsplit[4]}.${libsplit[5]}"
+ unset IFS
+ fi
 done
+ln -s libldap-${version}.so.{${so_ver_short},${so_ver_full}}
+
 popd
 chmod 0755 %{buildroot}%{_libdir}/lib*.so*
@@ -411,7 +444,9 @@ popd
 %dir %{_sysconfdir}/openldap/certs
 %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %dir %{_libexecdir}/openldap/
-%{_libdir}/lib*.so.*
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
 %files servers
 %defattr(-,root,root)
@@ -439,6 +474,9 @@ popd
 %{_libdir}/lib*.so
 %{_includedir}/*
+%files compat
+%{_libdir}/libldap-2.4*.so.*
+
 %files help
 %defattr(-,root,root)
 %{_mandir}/man*/*
@@ -454,6 +492,12 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 %changelog
+* Sat Dec 04 2021 xinghe - 2.4.59-1
+- Type:requirements
+- ID:NA
+- SUG:NA
+- DESC:update to 2.4.59
+
 * Fri Jul 09 2021 gaihuiying - 2.4.50-8
 - fix CVE-2020-25709 CVE-2020-25710
diff --git a/slapd.tmpfiles b/slapd.tmpfiles
index 56aa32eed6ef2678096dc8dd09281bfbfb2062cb..634cea1642a91c005c8be7f9fd66aa936704168b 100644
--- a/slapd.tmpfiles
+++ b/slapd.tmpfiles
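Review bot: The `gcc -shared` command that builds the libldap compatibility shim in the @@ -290 hunk is given only `-Wl,--no-as-needed` and the soname, not the distribution's link flags, so `libldap-${version}.so.${so_ver_short}` is presumably linked without the hardening options (RELRO, immediate binding) that the rest of the package gets from `%set_build_flags` in `%build`. Using `%{__cc} -shared %{build_ldflags} ...` in place of the bare `gcc -shared ...` would keep the shim consistent, provided the distribution's rpm macros define `%{build_ldflags}`. In the same hunk, if `ls | grep libldap_r-` matches nothing, `so_ver_short` and `so_ver_full` stay unset and the closing `ln -s libldap-${version}.so.{${so_ver_short},${so_ver_full}}` is run with empty components; a guard such as `[ -n "$so_ver_short" ] && [ -n "$so_ver_full" ] || exit 1` before it would fail the build instead of packaging a broken link. The enclosing install script starts and ends outside the hunk.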
@@ -1,2 +1,2 @@
 # openldap runtime directory for slapd.arg and slapd.pid
-d /var/run/openldap 0755 ldap ldap -
+d /run/openldap 0755 ldap ldap -