Change logs for openldap source package in Hirsute

  • openldap (2.4.57+dfsg-2ubuntu1) hirsute; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install: install nssov overlay
          + d/slapd.manpages: install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - Add support for CLDAP (UDP), back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
        - d/rules: better regexp to match the Maintainer tag in d/control,
          needed in the Ubuntu case because of XSBC-Original-Maintainer
          (Closes #960448, LP #1875697)
    
    openldap (2.4.57+dfsg-2) unstable; urgency=medium
    
      * Fix slapd assertion failure in Certificate List Exact Assertion validation
        (ITS#9454) (CVE-2021-27212)
    
    openldap (2.4.57+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
        - Fixed slapd crashes in Certificate Exact Assertion processing
          (ITS#9404, ITS#9424) (CVE-2020-36221)
        - Fixed slapd assertion failures in saslAuthzTo validation
          (ITS#9406, ITS#9407) (CVE-2020-36222)
        - Fixed slapd crash in Values Return Filter control handling
          (ITS#9408) (CVE-2020-36223)
        - Fixed slapd crashes in saslAuthzTo processing
          (ITS#9409, ITS#9412, ITS#9413)
          (CVE-2020-36224, CVE-2020-36225, CVE-2020-36226)
        - Fixed slapd assertion failure in X.509 DN parsing
          (ITS#9423) (CVE-2020-36230)
        - Fixed slapd crash in X.509 DN parsing (ITS#9425) (CVE-2020-36229)
        - Fixed slapd crash in Certificate List Exact Assertion processing
          (ITS#9427) (CVE-2020-36228)
        - Fixed slapd infinite loop with Cancel operation
          (ITS#9428) (CVE-2020-36227)
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:15:38 -0500
  • openldap (2.4.56+dfsg-1ubuntu2) hirsute; urgency=medium
    
      * debian/apparmor-profile: add AppArmor rule for locking replay cache.
        In Hirsute, a change (presumably in src:krb5) has caused slapd to be
        denied by AppArmor for locking /var/tmp/krb5_*.rcache2. This is
        acceptable, so add it to the AppArmor profile. This fixes the dep8
        test in src:krb5 that uses slapd for testing.
    
     -- Robie Basak <email address hidden>  Tue, 26 Jan 2021 13:02:40 +0000
  • openldap (2.4.56+dfsg-1ubuntu1) hirsute; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install: install nssov overlay
          + d/slapd.manpages: install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - Add support for CLDAP (UDP), back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
        - d/rules: better regexp to match the Maintainer tag in d/control,
          needed in the Ubuntu case because of XSBC-Original-Maintainer
          (Closes #960448, LP #1875697)
      * d/apparmor-profile: use abstractions/ssl_keys instead of manual rules,
        allows letsencrypt to work. Thanks to Paul McEnery (LP: #1909748)
    
     -- Paride Legovini <email address hidden>  Mon, 04 Jan 2021 16:18:57 +0100
  • openldap (2.4.53+dfsg-1ubuntu5) hirsute; urgency=medium
    
      * SECURITY UPDATE: assertion failure in Certificate List syntax
        validation
        - debian/patches/CVE-2020-25709.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25709
      * SECURITY UPDATE: assertion failure in CSN normalization with invalid
        input
        - debian/patches/CVE-2020-25710.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25710
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 Nov 2020 09:41:47 -0500
  • openldap (2.4.53+dfsg-1ubuntu4) hirsute; urgency=medium
    
      * SECURITY UPDATE: DoS via NULL pointer dereference
        - debian/patches/CVE-2020-25692.patch: skip normalization if there's no
          equality rule in servers/slapd/modrdn.c.
        - CVE-2020-25692
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 Nov 2020 14:02:02 -0500
  • openldap (2.4.53+dfsg-1ubuntu3) hirsute; urgency=medium
    
      * No-change rebuild for the perl update.
    
     -- Matthias Klose <email address hidden>  Mon, 09 Nov 2020 12:53:38 +0100
  • openldap (2.4.53+dfsg-1ubuntu2) hirsute; urgency=medium
    
      * No-change rebuild for the perl update.
    
     -- Matthias Klose <email address hidden>  Mon, 09 Nov 2020 10:51:32 +0100
  • openldap (2.4.53+dfsg-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable (LP: #1894838). Remaining changes:
        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
          + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          + d/configure.options: Configure with --with-gssapi
          + d/control: Added heimdal-dev as a build depend
          + d/rules:
            - Explicitly add -I/usr/include/heimdal to CFLAGS.
            - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.
        - Enable ufw support:
          + d/control: suggest ufw.
          + d/rules: install ufw profile.
          + d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          + d/rules:
            - add nssov to CONTRIB_MODULES
            - add sysconfdir to CONTRIB_MAKEVARS
          + d/slapd.install: install nssov overlay
          + d/slapd.manpages: install slapo-nssov(5) man page
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.
        - d/{rules,slapd.py}: Add apport hook.
        - Add support for CLDAP (UDP), back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.
        - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
          of test timing issue.
        - d/rules: better regexp to match the Maintainer tag in d/control,
          needed in the Ubuntu case because of XSBC-Original-Maintainer
          (Closes #960448, LP #1875697)
    
    openldap (2.4.53+dfsg-1) unstable; urgency=medium
    
      * New upstream release.
    
     -- Andreas Hasenack <email address hidden>  Tue, 08 Sep 2020 09:36:58 -0300