Change logs for openldap source package in Xenial

  • openldap (2.4.42+dfsg-2ubuntu3.13) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS via malicious packet
        - debian/patches/CVE-2021-27212.patch: fix issuerAndThisUpdateCheck in
          servers/slapd/schema_init.c.
        - CVE-2021-27212
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 09:23:06 -0500
  • openldap (2.4.42+dfsg-2ubuntu3.12) xenial-security; urgency=medium
    
      * SECURITY UPDATE: integer underflow in Certificate Exact Assertion
        processing
        - debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck
          in servers/slapd/schema_init.c.
        - debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck
          in servers/slapd/schema_init.c.
        - CVE-2020-36221
      * SECURITY UPDATE: assert failure in saslAuthzTo validation
        - debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in
          servers/slapd/saslauthz.c.
        - debian/patches/CVE-2020-36222-2.patch: fix debug msg in
          servers/slapd/saslauthz.c.
        - CVE-2020-36222
      * SECURITY UPDATE: crash in Values Return Filter control handling
        - debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in
          servers/slapd/controls.c.
        - CVE-2020-36223
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN
          in servers/slapd/saslauthz.c.
        - debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev
          commit in servers/slapd/saslauthz.c.
        - CVE-2020-36224
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in
          servers/slapd/dn.c.
        - CVE-2020-36225
      * SECURITY UPDATE: DoS in saslAuthzTo processing
        - debian/patches/CVE-2020-36226.patch: fix slap_parse_user in
          servers/slapd/saslauthz.c.
        - CVE-2020-36226
      * SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
        - debian/patches/CVE-2020-36227.patch: fix cancel exop in
          servers/slapd/cancel.c.
        - CVE-2020-36227
      * SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
        - debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in
          servers/slapd/schema_init.c.
        - CVE-2020-36228
      * SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
        - debian/patches/CVE-2020-36229.patch: add more checks to
          ldap_X509dn2bv in libraries/libldap/tls2.c.
        - CVE-2020-36229
      * SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
        - debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN
          count in libraries/libldap/tls2.c.
        - CVE-2020-36230
    
     -- Marc Deslauriers <email address hidden>  Tue, 02 Feb 2021 11:51:22 -0500
  • openldap (2.4.42+dfsg-2ubuntu3.11) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure in Certificate List syntax
        validation
        - debian/patches/CVE-2020-25709.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25709
      * SECURITY UPDATE: assertion failure in CSN normalization with invalid
        input
        - debian/patches/CVE-2020-25710.patch: properly handle error in
          servers/slapd/schema_init.c.
        - CVE-2020-25710
    
     -- Marc Deslauriers <email address hidden>  Mon, 16 Nov 2020 08:41:27 -0500
  • openldap (2.4.42+dfsg-2ubuntu3.10) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS via NULL pointer dereference
        - debian/patches/CVE-2020-25692.patch: skip normalization if there's no
          equality rule in servers/slapd/modrdn.c.
        - CVE-2020-25692
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Nov 2020 09:44:48 -0500
  • openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium
    
      [ Andreas Hasenack ]
      * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
        patch to fix slapd crashing in certain configurations when a client
        attempts a login to a locked account. (LP: #1866303)
    
      [ Sergio Durigan Junior ]
      * d/apparmor-profile: Update apparmor profile to grant access to
        the saslauthd socket, so that SASL authentication works.  (LP: #1557157)
    
     -- Andreas Hasenack <email address hidden>  Wed, 01 Jul 2020 16:33:08 -0300
  • openldap (2.4.42+dfsg-2ubuntu3.8) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via nested search filters
        - debian/patches/CVE-2020-12243.patch: limit depth of nested filters in
          servers/slapd/filter.c.
        - CVE-2020-12243
    
     -- Marc Deslauriers <email address hidden>  Fri, 01 May 2020 13:11:29 -0400
  • openldap (2.4.42+dfsg-2ubuntu3.7) xenial; urgency=medium
    
      * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)
    
     -- Lucas Kanashiro <email address hidden>  Thu, 08 Aug 2019 16:33:06 -0300
  • openldap (2.4.42+dfsg-2ubuntu3.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
        - debian/patches/CVE-2019-13057-1.patch: add restriction to
          servers/slapd/saslauthz.c.
        - debian/patches/CVE-2019-13057-2.patch: add tests to
          tests/data/idassert.out, tests/data/slapd-idassert.conf,
          tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
        - debian/patches/CVE-2019-13057-3.patch: fix typo in
          tests/scripts/test028-idassert.
        - debian/patches/CVE-2019-13057-4.patch: fix typo in
          tests/scripts/test028-idassert.
        - CVE-2019-13057
      * SECURITY UPDATE: SASL SSF not initialized per connection
        - debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
          connection_init in servers/slapd/connection.c.
        - CVE-2019-13565
    
     -- Marc Deslauriers <email address hidden>  Fri, 26 Jul 2019 13:28:04 -0400
  • openldap (2.4.42+dfsg-2ubuntu3.5) xenial; urgency=medium
    
      * Fix sysv-generator unit file by customizing parameters (LP: #1821343)
        - d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
          correct systemctl status for slapd daemon.
        - d/slapd.install: place override file in correct location.
    
     -- Heitor Alves de Siqueira <email address hidden>  Wed, 10 Apr 2019 10:01:36 -0300
  • openldap (2.4.42+dfsg-2ubuntu3.4) xenial; urgency=medium
    
      * d/apparmor-profile: update apparmor profile to allow reading of
        files needed when slapd is behaving as a kerberos/gssapi client
        and acquiring its own ticket. (LP: #1783183)
    
     -- Andreas Hasenack <email address hidden>  Tue, 23 Oct 2018 09:47:19 -0300
  • openldap (2.4.42+dfsg-2ubuntu3.3) xenial; urgency=medium
    
      [ Ryan Tandy ]
      * d/p/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch,
        d/p/ITS-8648-init-SASL-library-in-global-init.patch: Import upstream
        patches to fix memory corruption caused by calling sasl_client_init()
        multiple times and possibly concurrently.  (ITS#8648) (LP: #1688575)
    
     -- Andreas Hasenack <email address hidden>  Tue, 22 May 2018 10:54:12 -0300
  • openldap (2.4.42+dfsg-2ubuntu3.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via search with page size of 0
        - debian/patches/CVE-2017-9287.patch: fix double-free in
          servers/slapd/back-mdb/search.c.
        - CVE-2017-9287
    
     -- Marc Deslauriers <email address hidden>  Tue, 30 May 2017 15:20:53 -0400
  • openldap (2.4.42+dfsg-2ubuntu3.1) xenial; urgency=medium
    
      * Fix use after free with GnuTLS. (LP: #1557248)
    
     -- Maciej Puzio <email address hidden>  Fri, 25 Mar 2016 15:24:25 -0500
  • openldap (2.4.42+dfsg-2ubuntu3) xenial; urgency=medium
    
      * Fix building with gssapi support:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
    
     -- Matthias Klose <email address hidden>  Thu, 18 Feb 2016 09:17:27 +0100
  • openldap (2.4.42+dfsg-2ubuntu2) xenial; urgency=medium
    
      * No-change rebuild for gnutls transition.
    
     -- Matthias Klose <email address hidden>  Wed, 17 Feb 2016 22:27:04 +0000
  • openldap (2.4.42+dfsg-2ubuntu1) xenial; urgency=medium
    
      * Merge from Debian testing (LP: #1532648). Remaining changes:
        - Enable AppArmor support:
          - d/apparmor-profile: add AppArmor profile
          - d/rules: use dh_apparmor
          - d/control: Build-Depends on dh-apparmor
          - d/slapd.README.Debian: add note about AppArmor
        - Enable GSSAPI support:
          - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
            - Add --with-gssapi support
            - Make guess_service_principal() more robust when determining
              principal
          - d/configure.options: Configure with --with-gssapi
          - d/control: Added heimdal-dev as a build depend
        - Enable ufw support:
          - d/control: suggest ufw.
          - d/rules: install ufw profile.
          - d/slapd.ufw.profile: add ufw profile.
        - Enable nss overlay:
          - d/{patches/nssov-build,rules}: Apply, build and package the
            nss overlay.
        - d/{rules,slapd.py}: Add apport hook.
        - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
          either the default DIT or via an Authn mapping.
        - d/slapd.scripts-common:
          - add slapcat_opts to local variables.
          - Remove unused variable new_conf.
          - Fix backup directory naming for multiple reconfiguration.
        - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
        - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
          in the openldap library, as required by Likewise-Open
        - Show distribution in version:
          - d/control: added lsb-release
          - d/patches/fix-ldap-distribution.patch: show distribution in version
      * Drop CVE-2015-6908.patch, included in Debian.
      * Remove DEB_HOST_ARCH from debian/rules: left over from when mdb was
        disabled on ppc64el, no longer used, and missed in the previous merge.
    
    openldap (2.4.42+dfsg-2) unstable; urgency=medium
    
      [ Ryan Tandy ]
      * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as
        recommended by lintian.
      * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile.
        This allows the dependency loop with heimdal to be broken for
        bootstrapping, and the dependency on libperl-dev to be avoided for
        cross-building. Thanks Daniel Schepler and Helmut Grohne.
        (Closes: #724518)
      * Apply wrap-and-sort to the Build-Depends field.
      * Drop libncurses5-dev from Build-Depends, no longer needed since the ud
        tool was removed in OpenLDAP 2.1.4.
      * Drop libltdl3-dev as an alternate Build-Depends, since that package was
        removed after lenny.
      * Annotate Build-Depends on perl with :any to allow running the system perl
        interpreter during cross builds.
      * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne.
      * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for
        restriction formula support.
      * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is
        actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a
        false positive; see #687022.
      * Include the smbk5pwd man page in the slapd-smbk5pwd package.
      * Allow anonymous read access to the shadowLastChange attribute by default,
        allowing nss-ldap/nss-ldapd to handle password expiry correctly even when
        bound anonymously. This was the only restricted shadow attribute, the
        others were already world-readable. (Closes: #669235)
      * Drop the redundant default ACL for dn.base="" from the database entry.
        It's already covered by the fallback case below.
      * Copy more comments from the slapd.conf template to slapd.init.ldif. Also
        comment the shadowLastChange access rule.
      * Import upstream patch to remove an unnecessary assert(0) that could be
        triggered remotely by an unauthenticated user by sending a malformed BER
        element. (ITS#8240)
    
      [ Peter Marschall ]
      * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
        install the new manual page. (Closes: #794998)
    
    openldap (2.4.42+dfsg-1) unstable; urgency=medium
    
      [ Peter Marschall ]
      * slapd.scripts-common:
        - Use update_permissions instead of direct calls to chown and chgrp.
        - Make variables only used within a function local to that function.
        - Restore databases ordered by increasing suffix path length.
          This should help configurations with databases glued together using the
          'subordinate' keyword / 'olcSubordinate' attribute in slapd's
          configuration.
        (Closes: #794996)
      * Install slapo-lastbind.5 man page. (Closes: #794997)
    
      [ Ryan Tandy ]
      * slapd.scripts-common: Delete an outdated comment.
      * New upstream release.
      * Enable the MDB backend again on GNU/kFreeBSD. The new pthread library
        provides all the required interfaces, and the test suite now passes.
        Leave it disabled on the Hurd. LMDB requires POSIX semaphores, which have
        not yet been implemented.
      * Disable the BDB/HDB backends on the Hurd. BDB requires record locks
        (F_SETLK), which have not yet been implemented; see #693971.
    
     -- Ryan Tandy <email address hidden>  Sun, 10 Jan 2016 15:50:53 -0800
  • openldap (2.4.41+dfsg-1ubuntu3) xenial; urgency=medium
    
      * Rebuild for Perl 5.22.1.
    
     -- Colin Watson <email address hidden>  Fri, 18 Dec 2015 15:10:17 +0000
  • openldap (2.4.41+dfsg-1ubuntu2) wily; urgency=medium
    
      * SECURITY UPDATE: denial of service via crafted BER data
        - debian/patches/CVE-2015-6908.patch: remove obsolete assert in
          libraries/liblber/io.c.
        - CVE-2015-6908
    
     -- Marc Deslauriers <email address hidden>  Mon, 14 Sep 2015 10:25:04 -0400