diff --git a/389-ds-base-2.3.2.tar.bz2 b/389-ds-base-3.1.1.tar.bz2 similarity index 61% rename from 389-ds-base-2.3.2.tar.bz2 rename to 389-ds-base-3.1.1.tar.bz2 index d53fe47a3d6307eee87ddc2ce5c495778e8a7979..8cf38b53d265664d97ce63476109bca9fc35805b 100644 Binary files a/389-ds-base-2.3.2.tar.bz2 and b/389-ds-base-3.1.1.tar.bz2 differ diff --git a/389-ds-base.spec b/389-ds-base.spec index c329352429e1e935ad6ca05c5270470e515eb6d8..18f669acacde54925456f3e8a4f346eee1e68395 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -5,22 +5,16 @@ ExcludeArch: i686 Name: 389-ds-base Summary: Base 389 Directory Server -Version: 2.3.2 -Release: 7 +Version: 3.1.1 +Release: 1 License: GPLv3+ URL: https://www.port389.org Source0: https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2 Source1: 389-ds-base-git.sh Source2: 389-ds-base-devel.README -Patch0: Replace-LegacyVersion-with-DSVersion-to-fix-build-error.patch -Patch1: fix-using-borrow-on-a-double-reference.patch # Refer: https://github.com/389ds/389-ds-base/pull/5374 -Patch2: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch -Patch3: CVE-2024-1062-1.patch -Patch4: CVE-2024-1062-2.patch -Patch5: CVE-2024-2199.patch -Patch6: CVE-2024-3657.patch +Patch0: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel 
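Review bot: Removing `Patch3` and `Patch4` (CVE-2024-1062-1/-2) is not recorded anywhere in the package. The new `%changelog` entry lists CVE-2024-6237, CVE-2024-5953, CVE-2024-3657 and CVE-2024-2199 as fixed by 3.1.1, but does not mention CVE-2024-1062. The deleted patch headers date the upstream change to February 2023 (issue 5647), so it is presumably already in the 3.1.1 tarball, but this should be confirmed against the new source (`log_entry_attr` in `ldap/servers/slapd/auditlog.c`). Once confirmed, add `CVE-2024-1062` to the changelog's security-fix line so that scanners and later maintainers do not read the removal as a regression. The same check applies to `Patch5` and `Patch6`, whose fixes the changelog does claim.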
@@ -32,7 +26,7 @@ BuildRequires: python%{python3_pkgversion}-pyasn1-modules python%{python3_pkgver BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversion}-argparse-manpage BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel -BuildRequires: lmdb-devel json-c-devel cargo +BuildRequires: lmdb-devel json-c-devel cargo python3-cryptography Requires: 389-ds-base-libs = %{version}-%{release} Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release} Requires: policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion} @@ -121,6 +115,7 @@ autoreconf -fiv --with-systemdgroupname=dirsrv.target --libexecdir=%{_libexecdir}/dirsrv \ $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl --with-libldap-r=no +make src/lib389/setup.py cd ./src/lib389 %py3_build cd - 
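Review bot: The added `python3-cryptography` on the `BuildRequires: lmdb-devel json-c-devel cargo` line hard-codes the `python3-` prefix, while the other Python build dependencies in this hunk use `python%{python3_pkgversion}-`. Write it as `python%{python3_pkgversion}-cryptography` so it follows the same macro. If lib389 imports the module at run time and not only during the build, the lib389 subpackage would presumably also need a matching `Requires:`; that section is outside this hunk, so confirm it there.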
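Review bot: The new `make src/lib389/setup.py` step before `cd ./src/lib389` has no comment explaining why `%py3_build` now needs it. Presumably `setup.py` is generated by the configured build tree in 3.x and is no longer shipped in the tarball; if so, say that above the line, e.g. `# setup.py is generated by the build system in 3.x; create it before %py3_build`. The `%build` section starts and ends outside this hunk, so check whether a matching step is needed elsewhere, for example in `%install`.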
@@ -326,6 +321,28 @@ exit 0 %{_mandir}/*/* %changelog +* Thu Aug 01 2024 yaoxin - 3.1.1-1 +- Update to 3.1.1 + * Security fix for CVE-2024-6237,CVE-2024-5953,CVE-2024-3657,CVE-2024-2199 + * Issue 6172 - RFE: improve the performance of evaluation of filter component + when tested against a large valueset (like group members) #6173 + * Issue 6181 - RFE - Allow system to manage uid/gid at startup + * Issue 6238 - RFE - add option to write audit log in JSON format + * Issue 6241 - Add support for CRYPT-YESCRYPT #6242 + * Issue 5772 - ONE LEVEL search fails to return sub-suffixes #6219 + * Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol #6124 + * Issue 6155 - ldap-agent fails to start because of permission error #6179 + * Issue 6170 - audit log buffering doesn’t handle large updates + * Issue 6175 - Referential integrity plugin - in referint_thread_func does not handle null from ldap_utf8strtok #6168 + * Issue 6183 - Slow ldif2db import on a newly created BDB backend #6208 + * Issue 6199 - unprotected search query during certificate based authentication #6205 + * Issue 6224 - d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes #6225 + * Issue 6229 - After an initial failure, subsequent online backups fail #6230 + * Issue 6254 - Enabling replication for a sub suffix crashes browser #6255 + * Issue 6256 - nsslapd-numlisteners limit is not enforced + * Issue 6265 - lmdb - missing entries in range searches #6266 + * Please see log - https://www.port389.org/docs/389ds/releases/release-3-1-1 + * Wed Jun 05 2024 wangkai <13474090681@163.com> - 2.3.2-7 - Fix CVE-2024-2199 and CVE-2024-3657 diff --git a/CVE-2024-1062-1.patch b/CVE-2024-1062-1.patch deleted file mode 100644 index ce86c6eb344ce8eab8fe169d9940b4248e06f538..0000000000000000000000000000000000000000 --- a/CVE-2024-1062-1.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From db7be9fbea1603202fe5829f7ae46bfb83d951c0 Mon Sep 17 00:00:00 2001 -From: progier389 -Date: Tue, 14 Feb 2023 13:34:10 +0100 -Subject: [PATCH] issue 5647 - covscan: memory leak in audit log when adding - entries (#5650) - -covscan reported an issue about "vals" variable in auditlog.c:231 and indeed a charray_free is missing. -Issue: 5647 -Reviewed by: @mreynolds389, @droideck ---- - ldap/servers/slapd/auditlog.c | 71 +++++++++++++++++++---------------- - 1 file changed, 38 insertions(+), 33 deletions(-) - -diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c -index 68cbc674dc..3128e04974 100644 ---- a/ldap/servers/slapd/auditlog.c -+++ b/ldap/servers/slapd/auditlog.c -@@ -177,6 +177,40 @@ write_auditfail_log_entry(Slapi_PBlock *pb) - slapi_ch_free_string(&audit_config); - } - -+/* -+ * Write the attribute values to the audit log as "comments" -+ * -+ * Slapi_Attr *entry - the attribute begin logged. -+ * char *attrname - the attribute name. -+ * lenstr *l - the audit log buffer -+ * -+ * Resulting output in the log: -+ * -+ * #ATTR: VALUE -+ * #ATTR: VALUE -+ */ -+static void -+log_entry_attr(Slapi_Attr *entry_attr, char *attrname, lenstr *l) -+{ -+ Slapi_Value **vals = attr_get_present_values(entry_attr); -+ for(size_t i = 0; vals && vals[i]; i++) { -+ char log_val[256] = ""; -+ const struct berval *bv = slapi_value_get_berval(vals[i]); -+ if (bv->bv_len >= 256) { -+ strncpy(log_val, bv->bv_val, 252); -+ strcpy(log_val+252, "..."); -+ } else { -+ strncpy(log_val, bv->bv_val, bv->bv_len); -+ log_val[bv->bv_len] = 0; -+ } -+ addlenstr(l, "#"); -+ addlenstr(l, attrname); -+ addlenstr(l, ": "); -+ addlenstr(l, log_val); -+ addlenstr(l, "\n"); -+ } -+} -+ - /* - * Write "requested" attributes from the entry to the audit log as "comments" - * -@@ -212,21 +246,9 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l) - for (req_attr = ldap_utf8strtok_r(display_attrs, ", ", &last); req_attr; - req_attr = ldap_utf8strtok_r(NULL, ", ", 
&last)) - { -- char **vals = slapi_entry_attr_get_charray(entry, req_attr); -- for(size_t i = 0; vals && vals[i]; i++) { -- char log_val[256] = {0}; -- -- if (strlen(vals[i]) > 256) { -- strncpy(log_val, vals[i], 252); -- strcat(log_val, "..."); -- } else { -- strcpy(log_val, vals[i]); -- } -- addlenstr(l, "#"); -- addlenstr(l, req_attr); -- addlenstr(l, ": "); -- addlenstr(l, log_val); -- addlenstr(l, "\n"); -+ slapi_entry_attr_find(entry, req_attr, &entry_attr); -+ if (entry_attr) { -+ log_entry_attr(entry_attr, req_attr, l); - } - } - } else { -@@ -234,7 +256,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l) - for (; entry_attr; entry_attr = entry_attr->a_next) { - Slapi_Value **vals = attr_get_present_values(entry_attr); - char *attr = NULL; -- const char *val = NULL; - - slapi_attr_get_type(entry_attr, &attr); - if (strcmp(attr, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) { -@@ -251,23 +272,7 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l) - addlenstr(l, ": ****************************\n"); - continue; - } -- -- for(size_t i = 0; vals && vals[i]; i++) { -- char log_val[256] = {0}; -- -- val = slapi_value_get_string(vals[i]); -- if (strlen(val) > 256) { -- strncpy(log_val, val, 252); -- strcat(log_val, "..."); -- } else { -- strcpy(log_val, val); -- } -- addlenstr(l, "#"); -- addlenstr(l, attr); -- addlenstr(l, ": "); -- addlenstr(l, log_val); -- addlenstr(l, "\n"); -- } -+ log_entry_attr(entry_attr, attr, l); - } - } - slapi_ch_free_string(&display_attrs); diff --git a/CVE-2024-1062-2.patch b/CVE-2024-1062-2.patch deleted file mode 100644 index 0ec92a55fe9dbdf0055801ceeecff1308d2354b5..0000000000000000000000000000000000000000 --- a/CVE-2024-1062-2.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From fd6b417fc53d1c97675638c5489b122e1cf4f1d6 Mon Sep 17 00:00:00 2001 -From: progier389 -Date: Mon, 20 Feb 2023 16:14:05 +0100 -Subject: [PATCH] Issue 5647 - Fix unused variable warning from previous commit - (#5670) - -* issue 5647 - memory leak in audit log when adding entries -* Issue 5647 - Fix unused variable warning from previous commit ---- - ldap/servers/slapd/auditlog.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c -index 3128e04974..0597ecc6f1 100644 ---- a/ldap/servers/slapd/auditlog.c -+++ b/ldap/servers/slapd/auditlog.c -@@ -254,7 +254,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l) - } else { - /* Return all attributes */ - for (; entry_attr; entry_attr = entry_attr->a_next) { -- Slapi_Value **vals = attr_get_present_values(entry_attr); - char *attr = NULL; - - slapi_attr_get_type(entry_attr, &attr); diff --git a/CVE-2024-2199.patch b/CVE-2024-2199.patch deleted file mode 100644 index 0be2a194c0f6d21455c0534d46919bf9860cd47c..0000000000000000000000000000000000000000 --- a/CVE-2024-2199.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -Origin: https://git.centos.org/rpms/389-ds-base/raw/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0048-CVE-2024-2199.patch - -From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001 -From: James Chapman -Date: Wed, 1 May 2024 15:01:33 +0100 -Subject: [PATCH] CVE-2024-2199 - ---- - .../tests/suites/password/password_test.py | 56 +++++++++++++++++++ - ldap/servers/slapd/modify.c | 8 ++- - 2 files changed, 62 insertions(+), 2 deletions(-) - -diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py -index 1245feb31..e4abd9907 100644 ---- a/dirsrvtests/tests/suites/password/password_test.py -+++ b/dirsrvtests/tests/suites/password/password_test.py -@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st): - log.info('test_password_delete_specific_password: PASSED') - - -+def test_password_modify_non_utf8(topology_st): -+ """Attempt a modify of the userPassword attribute with -+ an invalid non utf8 value -+ -+ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36 -+ :setup: Standalone instance -+ :steps: -+ 1. Add a user if it doesnt exist and set its password -+ 2. Verify password with a bind -+ 3. Modify userPassword attr with invalid value -+ 4. Attempt a bind with invalid password value -+ 5. Verify original password with a bind -+ :expectedresults: -+ 1. The user with userPassword should be added successfully -+ 2. Operation should be successful -+ 3. Server returns ldap.UNWILLING_TO_PERFORM -+ 4. Server returns ldap.INVALID_CREDENTIALS -+ 5. 
Operation should be successful -+ """ -+ -+ log.info('Running test_password_modify_non_utf8...') -+ -+ # Create user and set password -+ standalone = topology_st.standalone -+ users = UserAccounts(standalone, DEFAULT_SUFFIX) -+ if not users.exists(TEST_USER_PROPERTIES['uid'][0]): -+ user = users.create(properties=TEST_USER_PROPERTIES) -+ else: -+ user = users.get(TEST_USER_PROPERTIES['uid'][0]) -+ user.set('userpassword', PASSWORD) -+ -+ # Verify password -+ try: -+ user.bind(PASSWORD) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc']) -+ assert False -+ -+ # Modify userPassword with an invalid value -+ password = b'tes\x82t-password' # A non UTF-8 encoded password -+ with pytest.raises(ldap.UNWILLING_TO_PERFORM): -+ user.replace('userpassword', password) -+ -+ # Verify a bind fails with invalid pasword -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind(password) -+ -+ # Verify we can still bind with original password -+ try: -+ user.bind(PASSWORD) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc']) -+ assert False -+ -+ log.info('test_password_modify_non_utf8: PASSED') -+ - if __name__ == '__main__': - # Run isolated - # -s for DEBUG mode -diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c -index a20984e0b..fb65d58b3 100644 ---- a/ldap/servers/slapd/modify.c -+++ b/ldap/servers/slapd/modify.c -@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) - * flagged - leave mod attributes alone */ - if (!repl_op && !skip_modified_attrs && lastmod) { - modify_update_last_modified_attr(pb, &smods); -+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods)); - } - -+ - if (0 == slapi_mods_get_num_mods(&smods)) { - /* nothing to do - no mods - this is not an error - just - send back LDAP_SUCCESS */ -@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, 
char *old_pw) - - /* encode password */ - if (pw_encodevals_ext(pb, sdn, va)) { -- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e)); -- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL); -+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, " -+ "check value is utf8 string.\n", slapi_entry_get_dn_const(e)); -+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, " -+ "check value is utf8 string.\n", 0, NULL); - valuearray_free(&va); - goto free_and_return; - } --- -2.41.0 - diff --git a/CVE-2024-3657.patch b/CVE-2024-3657.patch deleted file mode 100644 index 5ac8bcf65e696a215293ca97c57f6c494b369e50..0000000000000000000000000000000000000000 --- a/CVE-2024-3657.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -Origin: https://git.centos.org/rpms/389-ds-base/blob/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0049-CVE-2024-3657-7.9.patch - -From 7f5ac2097be424a55248e391c6b40635d01b1fa6 Mon Sep 17 00:00:00 2001 -From: Pierre Rogier -Date: Wed, 17 Apr 2024 18:18:04 +0200 -Subject: [PATCH] CVE-2024-3657-7.9 - ---- - ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++++++------------- - 1 file changed, 59 insertions(+), 52 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c -index f0b969ff4..53a041ad1 100644 ---- a/ldap/servers/slapd/back-ldbm/index.c -+++ b/ldap/servers/slapd/back-ldbm/index.c -@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle; - #define INDEX_BUFFER_FLAG_SERIALIZE 1 - #define INDEX_BUFFER_FLAG_STATS 2 - -+/* -+ * space needed to encode a byte: -+ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx -+ * 0x22 and 0x5C requires 2 bytes: \" and \\ -+ * other requires 1 byte: c -+ */ -+static char encode_size[] = { -+ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -+ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -+ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -+ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, -+ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -+ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, -+ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, -+ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 
3, 3, 3, 3, 3, 3, 3, 3, -+}; -+ -+ - /* Index buffering functions */ - - static int -@@ -800,65 +826,46 @@ index_add_mods( - - /* - * Convert a 'struct berval' into a displayable ASCII string -+ * returns the printable string - */ -- --#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"') -- - const char * - encode(const struct berval *data, char buf[BUFSIZ]) - { -- char *s; -- char *last; -- if (data == NULL || data->bv_len == 0) -- return ""; -- last = data->bv_val + data->bv_len - 1; -- for (s = data->bv_val; s < last; ++s) { -- if (SPECIAL(*s)) { -- char *first = data->bv_val; -- char *bufNext = buf; -- size_t bufSpace = BUFSIZ - 4; -- while (1) { -- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */ -- if (bufSpace < (size_t)(s - first)) -- s = first + bufSpace - 1; -- if (s != first) { -- memcpy(bufNext, first, s - first); -- bufNext += (s - first); -- bufSpace -= (s - first); -- } -- do { -- if (bufSpace) { -- *bufNext++ = '\\'; -- --bufSpace; -- } -- if (bufSpace < 2) { -- memcpy(bufNext, "..", 2); -- bufNext += 2; -- goto bail; -- } -- if (*s == '\\' || *s == '"') { -- *bufNext++ = *s; -- --bufSpace; -- } else { -- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s); -- bufNext += 2; -- bufSpace -= 2; -- } -- } while (++s <= last && SPECIAL(*s)); -- if (s > last) -- break; -- first = s; -- while (!SPECIAL(*s) && s <= last) -- ++s; -- } -- bail: -- *bufNext = '\0'; -- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */ -+ if (!data || !data->bv_val) { -+ strcpy(buf, ""); -+ return buf; -+ } -+ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */ -+ char *ptout = buf; -+ unsigned char *ptin = (unsigned char*) data->bv_val; -+ unsigned char *endptin = ptin+data->bv_len; -+ -+ while (ptin < endptin) { -+ if (ptout >= endbuff) { -+ /* -+ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be -+ * truncated anyway. 
So there is no real interrest to test if the original -+ * data contains no special characters and return it as is. -+ */ -+ strcpy(endbuff, "..."); - return buf; - } -+ switch (encode_size[*ptin]) { -+ case 1: -+ *ptout++ = *ptin++; -+ break; -+ case 2: -+ *ptout++ = '\\'; -+ *ptout++ = *ptin++; -+ break; -+ case 3: -+ sprintf(ptout, "\\%02x", *ptin++); -+ ptout += 3; -+ break; -+ } - } -- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */ -- return data->bv_val; -+ *ptout = 0; -+ return buf; - } - - static const char * --- -2.41.0 - diff --git a/Replace-LegacyVersion-with-DSVersion-to-fix-build-error.patch b/Replace-LegacyVersion-with-DSVersion-to-fix-build-error.patch deleted file mode 100644 index 27fb8ba6d16453f685d55b173668b027f982df69..0000000000000000000000000000000000000000 --- a/Replace-LegacyVersion-with-DSVersion-to-fix-build-error.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From a0ed3c81b0ccb8340e7554a6a53e6a6395fce5dd Mon Sep 17 00:00:00 2001 -From: Viktor Ashirov -Date: Mon, 13 Feb 2023 18:39:20 +0100 -Subject: [PATCH] Issue 5642 - Build fails against setuptools 67.0.0 - -Bug Description: -`setuptools` 67.0.0 vendors `packaging` 23.0 which dropped `LegacyVersion`. - -Fix Description: -Replace `LegacyVersion` with `DSVersion` to compare version strings that are -not compatible with PEP 440 and PEP 508. - -Reviewed by: @mreynolds389, @progier389 - -Fixes: https://github.com/389ds/389-ds-base/issues/5642 ---- - src/lib389/lib389/nss_ssl.py | 11 +--- - src/lib389/lib389/tests/dsversion_test.py | 12 ++++ - src/lib389/lib389/utils.py | 80 ++++++++++++++++++++--- - 3 files changed, 86 insertions(+), 17 deletions(-) - create mode 100644 src/lib389/lib389/tests/dsversion_test.py - -diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py -index 9e4ac09f80..d5e5c4679a 100644 ---- a/src/lib389/lib389/nss_ssl.py -+++ b/src/lib389/lib389/nss_ssl.py -@@ -23,16 +23,9 @@ - from lib389.passwd import password_generate - from lib389._mapped_object_lint import DSLint - from lib389.lint import DSCERTLE0001, DSCERTLE0002 --from lib389.utils import ensure_str, format_cmd_list -+from lib389.utils import ensure_str, format_cmd_list, DSVersion - import uuid - --# Setuptools ships with 'packaging' module, let's use it from there --try: -- from pkg_resources.extern.packaging.version import LegacyVersion --# Fallback to a normal 'packaging' module in case 'setuptools' is stripped --except: -- from packaging.version import LegacyVersion -- - KEYBITS = 4096 - CA_NAME = 'Self-Signed-CA' - CERT_NAME = 'Server-Cert' -@@ -249,7 +242,7 @@ def openssl_rehash(self, certdir): - openssl_version = check_output(['/usr/bin/openssl', 'version']).decode('utf-8').strip() - except subprocess.CalledProcessError as e: - raise ValueError(e.output.decode('utf-8').rstrip()) -- rehash_available = LegacyVersion(openssl_version.split(' ')[1]) >= 
LegacyVersion('1.1.0') -+ rehash_available = DSVersion(openssl_version.split(' ')[1]) >= DSVersion('1.1.0') - - if rehash_available: - cmd = ['/usr/bin/openssl', 'rehash', certdir] -diff --git a/src/lib389/lib389/tests/dsversion_test.py b/src/lib389/lib389/tests/dsversion_test.py -new file mode 100644 -index 0000000000..2a420067fa ---- /dev/null -+++ b/src/lib389/lib389/tests/dsversion_test.py -@@ -0,0 +1,12 @@ -+from lib389.utils import DSVersion -+import pytest -+ -+versions = [('1.3.10.1', '1.3.2.1'), -+ ('2.3.2', '1.4.4.4'), -+ ('2.3.2.202302121950git1b4f5a5bf', '2.3.2'), -+ ('1.1.0a', '1.1.0')] -+ -+@pytest.mark.parametrize("x,y", versions) -+def test_dsversion(x, y): -+ assert DSVersion(x) > DSVersion(y) -+ -diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py -index 4e58341f4e..3d90560d08 100644 ---- a/src/lib389/lib389/utils.py -+++ b/src/lib389/lib389/utils.py -@@ -42,12 +42,6 @@ def wait(self): - import subprocess - import math - import errno --# Setuptools ships with 'packaging' module, let's use it from there --try: -- from pkg_resources.extern.packaging.version import LegacyVersion --# Fallback to a normal 'packaging' module in case 'setuptools' is stripped --except: -- from packaging.version import LegacyVersion - from socket import getfqdn - from ldapurl import LDAPUrl - from contextlib import closing -@@ -1215,6 +1209,76 @@ def generate_ds_params(inst_num, role=ReplicaRole.STANDALONE): - - return instance_data - -+class DSVersion(): -+ def __init__(self, version): -+ self._version = str(version) -+ self._key = _cmpkey(self._version) -+ -+ def __str__(self): -+ return self._version -+ -+ def __repr__(self): -+ return f"" -+ -+ def __hash__(self): -+ return hash(self._key) -+ -+ def __lt__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key < other._key -+ -+ def __le__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key <= other._key -+ 
-+ def __eq__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key == other._key -+ -+ def __ge__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key >= other._key -+ -+ def __gt__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key > other._key -+ -+ def __ne__(self, other): -+ if not isinstance(other, DSVersion): -+ return NotImplemented -+ -+ return self._key != other._key -+ -+ -+def _parse_version_parts(s): -+ for part in re.compile(r"(\d+ | [a-z]+ | \. | -)", re.VERBOSE).split(s): -+ -+ if not part or part == ".": -+ continue -+ -+ if part[:1] in "0123456789": -+ # pad for numeric comparison -+ yield part.zfill(8) -+ else: -+ yield "*" + part -+ -+def _cmpkey(version): -+ parts = [] -+ for part in _parse_version_parts(version.lower()): -+ parts.append(part) -+ -+ return tuple(parts) -+ - - def get_ds_version(paths=None): - """ -@@ -1242,9 +1306,9 @@ def ds_is_related(relation, *ver, instance=None): - if len(ver) > 1: - for cmp_ver in ver: - if cmp_ver.startswith(ds_ver[:3]): -- return ops[relation](LegacyVersion(ds_ver),LegacyVersion(cmp_ver)) -+ return ops[relation](DSVersion(ds_ver), DSVersion(cmp_ver)) - else: -- return ops[relation](LegacyVersion(ds_ver), LegacyVersion(ver[0])) -+ return ops[relation](DSVersion(ds_ver), DSVersion(ver[0])) - - - def ds_is_older(*ver, instance=None): diff --git a/fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch b/fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch index c429911f278608a3d0469a1259fa142f294e2f48..a7b3314945fbee4713bcfc9f90f40a6a7a941cea 100644 --- a/fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch +++ b/fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch 
@@ -1,11 +1,12 @@ ---- 389-ds-base-2.3.2/src/lib389/lib389/cli_idm/posixgroup.py 2022-09-28 22:32:51.000000000 +0800 -+++ 389-ds-base-2.3.2/src/lib389/lib389/cli_idm/posixgroup.py_bak 2023-10-27 09:52:31.896331122 +0800 -@@ -34,7 +34,7 @@ - _generic_get(inst, basedn, log.getChild('_generic_get'), MANY, rdn, args) +diff -Naur a/src/lib389/lib389/cli_idm/posixgroup.py b/src/lib389/lib389/cli_idm/posixgroup.py +--- a/src/lib389/lib389/cli_idm/posixgroup.py 2024-08-01 15:51:12.699551420 +0800 ++++ b/src/lib389/lib389/cli_idm/posixgroup.py 2024-08-01 15:52:34.075551420 +0800 +@@ -38,7 +38,7 @@ + def get_dn(inst, basedn, log, args): - dn = lambda args: _get_arg( args.dn, msg="Enter dn to retrieve") + dn = _get_arg( args.dn, msg="Enter dn to retrieve") _generic_get_dn(inst, basedn, log.getChild('_generic_get_dn'), MANY, dn, args) - def create(inst, basedn, log, args): + diff --git a/fix-using-borrow-on-a-double-reference.patch b/fix-using-borrow-on-a-double-reference.patch deleted file mode 100644 index 443acdd811fd6467abd61634635a3e760c2e5769..0000000000000000000000000000000000000000 --- a/fix-using-borrow-on-a-double-reference.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1d5586780b7144b3e1fa17b827f461b10f076be4 Mon Sep 17 00:00:00 2001 -From: Simon Pichugin -Date: Mon, 24 Jul 2023 15:42:11 -0700 -Subject: [PATCH] fix using borrow() on a double reference -Reference: https://github.com/389ds/389-ds-base/pull/5854 - -error: using `.borrow()` on a double reference, which returns -`&concread::cowcell::CowCellReadTxn` instead of borrowing the inner type - -We're getting the error about borrowing a double reference because -we're trying to borrow a type that is already a reference. -Fix - use the type directly. - ---- - src/librslapd/src/cache.rs | 4 +--- - src/slapi_r_plugin/src/value.rs | 2 +- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/librslapd/src/cache.rs b/src/librslapd/src/cache.rs -index 092c81d..b025c83 100644 ---- a/src/librslapd/src/cache.rs -+++ b/src/librslapd/src/cache.rs -@@ -1,6 +1,5 @@ - // This exposes C-FFI capable bindings for the concread concurrently readable cache. - use concread::arcache::{ARCache, ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn}; --use std::borrow::Borrow; - use std::convert::TryInto; - use std::ffi::{CStr, CString}; - use std::os::raw::c_char; -@@ -56,8 +55,7 @@ pub extern "C" fn cache_char_stats( - debug_assert!(!cache.is_null()); - &(*cache) as &ARCacheChar - }; -- let stat_rguard = cache_ref.inner.view_stats(); -- let stats = stat_rguard.borrow(); -+ let stats = cache_ref.inner.view_stats(); - *reader_hits = stats.reader_hits.try_into().unwrap(); - *reader_includes = stats.reader_includes.try_into().unwrap(); - *write_hits = stats.write_hits.try_into().unwrap(); -diff --git a/src/slapi_r_plugin/src/value.rs b/src/slapi_r_plugin/src/value.rs -index cd56529..2fd35c8 100644 ---- a/src/slapi_r_plugin/src/value.rs -+++ b/src/slapi_r_plugin/src/value.rs -@@ -182,7 +182,7 @@ impl From<&Uuid> for Value { - let s_ptr = cstr.as_ptr(); - Box::leak(cstr); - -- let mut v = unsafe { slapi_value_new() }; -+ let v = unsafe { slapi_value_new() }; - unsafe { - 
(*v).bv.len = len; - (*v).bv.data = s_ptr as *const u8; --- -2.27.0 -