-
openldap (2.4.49+dfsg-2ubuntu1.10) focal-security; urgency=medium
* SECURITY UPDATE: DoS via lack of strdup return code checking
- debian/patches/CVE-2023-2953-1.patch: check for ber_strdup failure in
libraries/libldap/fetch.c.
- debian/patches/CVE-2023-2953-2.patch: check for strdup failure in
libraries/libldap/url.c.
- CVE-2023-2953
-- Marc Deslauriers <email address hidden> Thu, 25 Jan 2024 13:43:43 -0500
-
openldap (2.4.49+dfsg-2ubuntu1.9) focal-security; urgency=medium
* SECURITY UPDATE: SQL injection in experimental back-sql backend
- debian/patches/CVE-2022-29155.patch: escape filter values in
servers/slapd/back-sql/search.c.
- CVE-2022-29155
-- Marc Deslauriers <email address hidden> Thu, 12 May 2022 09:11:05 -0400
-
openldap (2.4.49+dfsg-2ubuntu1.8) focal; urgency=medium
* d/p/ITS-8650-loop-on-incomplete-TLS-handshake.patch:
Import upstream patch to properly retry gnutls_handshake() after it
returns GNUTLS_E_AGAIN. (ITS#8650) (LP: #1921562)
-- Utkarsh Gupta <email address hidden> Thu, 08 Apr 2021 09:52:01 +0530
-
openldap (2.4.49+dfsg-2ubuntu1.7) focal-security; urgency=medium
* SECURITY UPDATE: DoS via malicious packet
- debian/patches/CVE-2021-27212.patch: fix issuerAndThisUpdateCheck in
servers/slapd/schema_init.c.
- CVE-2021-27212
-- Marc Deslauriers <email address hidden> Thu, 18 Feb 2021 09:22:15 -0500
-
openldap (2.4.49+dfsg-2ubuntu1.6) focal-security; urgency=medium
* SECURITY UPDATE: integer underflow in Certificate Exact Assertion
processing
- debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck
in servers/slapd/schema_init.c.
- debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck
in servers/slapd/schema_init.c.
- CVE-2020-36221
* SECURITY UPDATE: assert failure in saslAuthzTo validation
- debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in
servers/slapd/saslauthz.c.
- debian/patches/CVE-2020-36222-2.patch: fix debug msg in
servers/slapd/saslauthz.c.
- CVE-2020-36222
* SECURITY UPDATE: crash in Values Return Filter control handling
- debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in
servers/slapd/controls.c.
- CVE-2020-36223
* SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN
in servers/slapd/saslauthz.c.
- debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev
commit in servers/slapd/saslauthz.c.
- CVE-2020-36224
* SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in
servers/slapd/dn.c.
- CVE-2020-36225
* SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36226.patch: fix slap_parse_user in
servers/slapd/saslauthz.c.
- CVE-2020-36226
* SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
- debian/patches/CVE-2020-36227.patch: fix cancel exop in
servers/slapd/cancel.c.
- CVE-2020-36227
* SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
- debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in
servers/slapd/schema_init.c.
- CVE-2020-36228
* SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
- debian/patches/CVE-2020-36229.patch: add more checks to
ldap_X509dn2bv in libraries/libldap/tls2.c.
- CVE-2020-36229
* SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
- debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN
count in libraries/libldap/tls2.c.
- CVE-2020-36230
-- Marc Deslauriers <email address hidden> Tue, 02 Feb 2021 11:06:34 -0500
-
openldap (2.4.49+dfsg-2ubuntu1.5) focal-security; urgency=medium
* SECURITY UPDATE: assertion failure in Certificate List syntax
validation
- debian/patches/CVE-2020-25709.patch: properly handle error in
servers/slapd/schema_init.c.
- CVE-2020-25709
* SECURITY UPDATE: assertion failure in CSN normalization with invalid
input
- debian/patches/CVE-2020-25710.patch: properly handle error in
servers/slapd/schema_init.c.
- CVE-2020-25710
-- Marc Deslauriers <email address hidden> Mon, 16 Nov 2020 08:39:57 -0500
-
openldap (2.4.49+dfsg-2ubuntu1.4) focal-security; urgency=medium
* SECURITY UPDATE: DoS via NULL pointer dereference
- debian/patches/CVE-2020-25692.patch: skip normalization if there's no
equality rule in servers/slapd/modrdn.c.
- CVE-2020-25692
-- Marc Deslauriers <email address hidden> Wed, 04 Nov 2020 09:43:57 -0500
-
openldap (2.4.49+dfsg-2ubuntu1.3) focal; urgency=medium
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Sergio Durigan Junior <email address hidden> Fri, 12 Jun 2020 18:18:58 -0400
-
openldap (2.4.49+dfsg-2ubuntu1.2) focal-security; urgency=medium
* SECURITY UPDATE: denial of service via nested search filters
- debian/patches/CVE-2020-12243.patch: limit depth of nested filters in
servers/slapd/filter.c.
- debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because of
test timing issue.
- CVE-2020-12243
-- Marc Deslauriers <email address hidden> Fri, 01 May 2020 13:09:12 -0400
-
openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium
* Merge with Debian unstable (LP: #1866303). Remaining changes:
- Enable AppArmor support:
- d/apparmor-profile: add AppArmor profile
- d/rules: use dh_apparmor
- d/control: Build-Depends on dh-apparmor
- d/slapd.README.Debian: add note about AppArmor
- Enable GSSAPI support:
- d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
[Dropped the ldap_gssapi_bind_s() hunk as that is already
- d/configure.options: Configure with --with-gssapi
- d/control: Added heimdal-dev as a build depend
- d/rules:
- Explicitly add -I/usr/include/heimdal to CFLAGS.
- Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
- Enable ufw support:
- d/control: suggest ufw.
- d/rules: install ufw profile.
- d/slapd.ufw.profile: add ufw profile.
- Enable nss overlay:
- d/rules:
- add nssov to CONTRIB_MODULES
- add sysconfdir to CONTRIB_MAKEVARS
- d/slapd.install:
- install nssov overlay
- d/slapd.manpages:
- install slapo-nssov(5) man page
- d/{rules,slapd.py}: Add apport hook.
- d/slapd.init.ldif: don't set olcRootDN since it's not defined in
either the default DIT nor via an Authn mapping.
- d/slapd.scripts-common:
- add slapcat_opts to local variables.
- Fix backup directory naming for multiple reconfiguration.
- d/{slapd.default,slapd.README.Debian}: use the new configuration style.
- d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open
- Show distribution in version:
- d/control: added lsb-release
- d/patches/fix-ldap-distribution.patch: show distribution in version
- d/libldap-2.4-2.symbols: Add symbols not present in Debian.
- CLDAP (UDP) was added in 2.4.17-1ubuntu2
- GSSAPI support was enabled in 2.4.18-0ubuntu2
- d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
Debian bug #919136, we also have to patch the nssov makefile
accordingly and thus update this patch.
openldap (2.4.49+dfsg-2) unstable; urgency=medium
* slapd.README.Debian: Document the initial setup performed by slapd's
maintainer scripts in more detail. Thanks to Karl O. Pinc.
(Closes: #952501)
* Import upstream patch to fix slapd crashing in certain configurations when
a client attempts a login to a locked account.
(ITS#9171) (Closes: #953150)
-- Andreas Hasenack <email address hidden> Fri, 06 Mar 2020 11:39:12 -0300
-
openldap (2.4.49+dfsg-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Enable AppArmor support:
- d/apparmor-profile: add AppArmor profile
- d/rules: use dh_apparmor
- d/control: Build-Depends on dh-apparmor
- d/slapd.README.Debian: add note about AppArmor
- Enable GSSAPI support:
- d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
[Dropped the ldap_gssapi_bind_s() hunk as that is already
- d/configure.options: Configure with --with-gssapi
- d/control: Added heimdal-dev as a build depend
- d/rules:
- Explicitly add -I/usr/include/heimdal to CFLAGS.
- Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
- Enable ufw support:
- d/control: suggest ufw.
- d/rules: install ufw profile.
- d/slapd.ufw.profile: add ufw profile.
- Enable nss overlay:
- d/rules:
- add nssov to CONTRIB_MODULES
- add sysconfdir to CONTRIB_MAKEVARS
- d/slapd.install:
- install nssov overlay
- d/slapd.manpages:
- install slapo-nssov(5) man page
- d/{rules,slapd.py}: Add apport hook.
- d/slapd.init.ldif: don't set olcRootDN since it's not defined in
either the default DIT nor via an Authn mapping.
- d/slapd.scripts-common:
- add slapcat_opts to local variables.
- Fix backup directory naming for multiple reconfiguration.
- d/{slapd.default,slapd.README.Debian}: use the new configuration style.
- d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open
- Show distribution in version:
- d/control: added lsb-release
- d/patches/fix-ldap-distribution.patch: show distribution in version
- d/libldap-2.4-2.symbols: Add symbols not present in Debian.
- CLDAP (UDP) was added in 2.4.17-1ubuntu2
- GSSAPI support was enabled in 2.4.18-0ubuntu2
- d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
Debian bug #919136, we also have to patch the nssov makefile
accordingly and thus update this patch.
* Dropped:
- d/control: slapd can depend on perl:any since it only uses perl for
some maintainer and helper scripts.
[In 2.4.49+dfsg-1]
openldap (2.4.49+dfsg-1) unstable; urgency=medium
* New upstream release.
- Drop patch no-gnutls_global_set_mutex, applied upstream.
* When validating the DNS domain chosen for slapd's default suffix, set
LC_COLLATE explicitly for grep to ensure character ranges behave as
expected. Thanks to Fredrik Roubert. (Closes: #940908)
* Backport proposed upstream patch to emit detailed messages about errors in
the TLS configuration. (ITS#9086) (Closes: #837341)
* slapd.scripts-common: Delete unused copy_example_DB_CONFIG function.
* Remove debconf support for choosing a database backend. Always use the
LMDB backend for new installs, as recommended by upstream.
* Remove the empty olcBackend section from the default configuration.
* Remove the unused slapd.conf template from /usr/share/slapd. Continue
shipping it as an example in /usr/share/doc/slapd.
* Fix a typo in index-files-created-as-root patch.
Thanks to Quanah Gibson-Mount.
* Annotate slapd's Depends on perl with :any. Fixes installation of
foreign-arch slapd. Thanks to Andreas Hasenack.
* Rename 'stage1' build profile to 'pkg.openldap.noslapd'.
Thanks to Helmut Grohne. (Closes: #949722)
* Drop Build-Conflicts: libicu-dev as upstream's configure no longer tests
for or links with libicu.
* Note ITS#9126 recommendation in slapd.NEWS.
* Update Standards-Version to 4.5.0; no changes required.
-- Andreas Hasenack <email address hidden> Mon, 10 Feb 2020 12:13:47 -0300
-
openldap (2.4.48+dfsg-1ubuntu4) focal; urgency=medium
* d/control: slapd can depend on perl:any since it only uses perl for
some maintainer and helper scripts. The perl backend links against
the correct architecture perl libraries already. Can be dropped
after https://salsa.debian.org/openldap-team/openldap/commit/794c736
is in a Debian upload.
-- Andreas Hasenack <email address hidden> Mon, 06 Jan 2020 16:46:11 -0300
-
openldap (2.4.48+dfsg-1ubuntu3) focal; urgency=medium
* No-change rebuild against libnettle7
-- Steve Langasek <email address hidden> Thu, 31 Oct 2019 22:13:44 +0000
-
openldap (2.4.48+dfsg-1ubuntu2) focal; urgency=medium
* No-change rebuild for the perl update.
-- Matthias Klose <email address hidden> Fri, 18 Oct 2019 19:37:23 +0000
-
openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Enable AppArmor support:
- d/apparmor-profile: add AppArmor profile
- d/rules: use dh_apparmor
- d/control: Build-Depends on dh-apparmor
- d/slapd.README.Debian: add note about AppArmor
- Enable GSSAPI support:
- d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- d/configure.options: Configure with --with-gssapi
- d/control: Added heimdal-dev as a build depend
- d/rules:
- Explicitly add -I/usr/include/heimdal to CFLAGS.
- Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
- Enable ufw support:
- d/control: suggest ufw.
- d/rules: install ufw profile.
- d/slapd.ufw.profile: add ufw profile.
- Enable nss overlay:
- d/rules:
- add nssov to CONTRIB_MODULES
- add sysconfdir to CONTRIB_MAKEVARS
- d/slapd.install:
- install nssov overlay
- d/slapd.manpages:
- install slapo-nssov(5) man page
- d/{rules,slapd.py}: Add apport hook.
- d/slapd.init.ldif: don't set olcRootDN since it's not defined in
either the default DIT nor via an Authn mapping.
- d/slapd.scripts-common:
- add slapcat_opts to local variables.
- Fix backup directory naming for multiple reconfiguration.
- d/{slapd.default,slapd.README.Debian}: use the new configuration style.
- d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open
- Show distribution in version:
- d/control: added lsb-release
- d/patches/fix-ldap-distribution.patch: show distribution in version
- d/libldap-2.4-2.symbols: Add symbols not present in Debian.
- CLDAP (UDP) was added in 2.4.17-1ubuntu2
- GSSAPI support was enabled in 2.4.18-0ubuntu2
- d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
Debian bug #919136, we also have to patch the nssov makefile
accordingly and thus update this patch.
* Dropped:
- Fix sysv-generator unit file by customizing parameters (LP #1821343)
+ d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
correct systemctl status for slapd daemon.
+ d/slapd.install: place override file in correct location.
[Included in 2.4.48+dfsg-1]
- SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
+ debian/patches/CVE-2019-13057-1.patch: add restriction to
servers/slapd/saslauthz.c.
+ debian/patches/CVE-2019-13057-2.patch: add tests to
tests/data/idassert.out, tests/data/slapd-idassert.conf,
tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
+ debian/patches/CVE-2019-13057-3.patch: fix typo in
tests/scripts/test028-idassert.
+ debian/patches/CVE-2019-13057-4.patch: fix typo in
tests/scripts/test028-idassert.
+ CVE-2019-13057
[Fixed upstream]
- SECURITY UPDATE: SASL SSF not initialized per connection
+ debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
connection_init in servers/slapd/connection.c.
+ CVE-2019-13565
[Fixed upstream]
openldap (2.4.48+dfsg-1) unstable; urgency=medium
* New upstream release.
- fixed slapd to restrict rootDN proxyauthz to its own databases
(CVE-2019-13057) (ITS#9038) (Closes: #932997)
- fixed slapd to enforce sasl_ssf ACL statement on every connection
(CVE-2019-13565) (ITS#9052) (Closes: #932998)
- added new openldap.h header with OpenLDAP specific libldap interfaces
(ITS#8671)
- updated lastbind overlay to support forwarding authTimestamp updates
(ITS#7721) (Closes: #880656)
* Update Standards-Version to 4.4.0.
* Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so
that systemd marks the service as dead after it crashes or is killed.
Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343)
* Use more entropy for generating a random admin password, if none was set
during initial configuration. Thanks to Judicael Courant.
(Closes: #932270)
* Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog
with variables provided by dpkg-dev includes.
* Declare R³: no.
* Create a simple autopkgtest that tests installing slapd and connecting to
it with an ldap tool.
* Install the new openldap.h header in libldap2-dev.
-- Andreas Hasenack <email address hidden> Wed, 31 Jul 2019 18:01:14 -0300
