Changelog for
libldap-2_4-2-32bit-2.4.46-150200.14.8.1.x86_64.rpm :
* Fri May 06 2022 william.brownAATTsuse.com- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
* 0242-ITS-9815-slapd-sql-escape-filter-values.patch
* Thu Apr 14 2022 william.brownAATTsuse.com- bsc#1191157 - Correct version specification in ppolicy to allow submission to SP3 for TLS1.3
* Wed Mar 23 2022 william.brownAATTsuse.com- bsc#1191157 - allow specification of max/min TLS version with TLS1.3
* 0239-ITS-9422-Update-for-TLS-v1.3.patch
* 0240-ITS-9518-add-LDAP_OPT_X_TLS_PROTOCOL_MAX-option.patch
* 0241-TLS-set-protocol-version.patch
* Wed Mar 23 2022 william.brownAATTsuse.com- bsc#1197004 - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions.
* Fri Mar 18 2022 william.brownAATTsuse.com- jsc#PM-3288 - restore CLDAP functionality in CLI tools
* Mon Mar 14 2022 william.brownAATTsuse.com- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression reporting is bsc#1197004 causing SSSD to have faults.
* Tue Feb 08 2022 william.brownAATTsuse.com- jsc#PM-3288 - restore CLDAP functionality in CLI tools
* Wed Jun 16 2021 william.brownAATTsuse.com- bsc#1187210 - Resolve bug in the idle / connection TTL timeout implementation in OpenLDAP.
* 0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch
* 0232-ITS-9468-back-ldap-Return-disconect-if-rebind-cannot.patch
* 0233-ITS-9468-removed-accidental-unicode-characters.patch
* 0234-ITS-9468-documented-that-re-connecting-does-not-happ.patch
* 0235-ITS-9468-summarize-discussion-about-rebind-as-user.patch
* 0236-ITS-9468-fixed-typos.patch
* 0237-ITS-9468-always-init-lc_time-and-lc_create_time.patch
* 0238-ITS-9468-do-not-arm-expire-timer-for-connections-tha.patch
* Fri Mar 12 2021 william.brownAATTsuse.com- bsc#1182791 - improve proxy connection timout options to correctly prune connections.
* 0225-ITS-8625-Separate-Avlnode-and-TAvlnode-types.patch
* 0226-ITS-9197-back-ldap-added-task-that-prunes-expired-co.patch
* 0227-ITS-9197-Increase-timeouts-in-test-case-due-to-spora.patch
* 0228-ITS-9197-fix-typo-in-prev-commit.patch
* 0229-ITS-9197-Fix-test-script.patch
* 0230-ITS-9197-fix-info-msg-for-slapd-check.patch
* Fri Feb 19 2021 william.brownAATTsuse.com- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
* 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
* 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
* 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
* 0224-ITS-9428-fix-cancel-exop.patch- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
* 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
* 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
* 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
* 0219-ITS-9413-fix-slap_parse_user.patch- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
* 0213-ITS-9406-9407-remove-saslauthz-asserts.patch
* 0214-ITS-9406-fix-debug-msg.patch- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
* 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch
* 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
* 0215-ITS-9408-fix-vrfilter-double-free.patch
* Tue Feb 16 2021 william.brownAATTsuse.com- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
* patch: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch
* Tue Jan 12 2021 william.brownAATTsuse.com- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues where openldap would crash due to malformed inputs.
* patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
* patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
* Mon Jan 04 2021 william.brownAATTsuse.com- bsc#1179503 - fix proxy retry binds to a remote server
* patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
* Mon Nov 09 2020 william.brownAATTsuse.com- bsc#1178387 (CVE-2020-25692) - unauthenticated remote denial of service due to incorrect validation of modrdn equality rules.
* patch: 0207-ITS-9370-check-for-equality-rule-on-old_rdn.patch
* Wed Aug 26 2020 william.brownAATTsuse.com- bsc#1175568 CVE-2020-8027 openldap_update_modules_path.sh has a number of issues in it\'s design that lead to security issues. This file has been removed, from the package, and the %post execution of the install. The function is replaced by /usr/sbin/slapd-ldif-update-crc and /usr/lib/openldap/fixup-modulepath, through the addition of the source files:
* fixup-modulepath.sh
* slapd-ldif-update-crc.sh
* update-crc.sh
* Fri Aug 21 2020 william.brownAATTsuse.com- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN\'s falling back to CN validation in violation of rfc6125.
* 0206-openldap-tlso-use-openssl-api-to-verify-host.patch
* Thu Jun 11 2020 william.brownAATTsuse.com- bsc#1172704 - Change DB_CONFIG to root:ldap permissions.- bsc#1172698 (CVE-2020-8023) - local priv esc via start script chown -R on olcdbdirectory path. Remove chown -R on start to resolve.
* Thu Apr 30 2020 william.brownAATTsuse.com- bsc#1170771 (CVE-2020-12243) - recursive filters may crash server
* patch: 0205-bsc-1170771-limit-depth-of-nested-filters.patch
* Fri Jan 24 2020 william.brownAATTsuse.com- bsc#1158921 libldap-data should be requires, not recommends to help prevent user confusion around configuration ownership.
* Thu Aug 01 2019 william.brownAATTsuse.com- bsc#1143194 (CVE-2019-13565) - ssf memory reuse leads to incorrect authorisation of another connection, granting excess connection rights (ssf).
* patch: 0201-ITS-9052-zero-out-sasl_ssf-in-connection_init.patch- bsc#1143273 (CVE-2019-13057) - rootDN of a backend may proxyauth incorrectly to another backend, violating multi-tenant isolation.
* patch: 0202-ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
* patch: 0203-ITS-9038-Update-test028-to-test-this-is-enforced.patch
* patch: 0204-ITS-9038-Another-test028-typo.patch
* Tue May 14 2019 william.brownAATTsuse.com- bsc#1111388 - incorrect post script call causes tmpfiles create not to be run.
* Mon Apr 15 2019 varkolyAATTsuse.com- bsc#1114845 - broken shebang line in openldap_update_modules_path.sh - fix the script
* Wed Nov 21 2018 varkolyAATTsuse.com- Emergency fix: move tmpfiles_create post from the library package to the main package\'s post script, which ships the tmpfiles.d configuration. Fixes the post script of the library (-p /sbin/ldconfig does not allow more statements in the script).- bsc#1111388 openldap and /var/lib/ldap/DB_CONFIG
* (transactional-update)
* source: openldap2.conf- Added a patch to let slapd return the uniqueness check filter used before constraint violation to the client. Fixed broken memory handling in affecting error response of slapo-unique ITS#8866 slapo-unique to return filter used in diagnostic message
* patch: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch- Don\'t require systemd explicit, spec file can handle both cases correct and in containers we don\'t have systemd.
* Tue Nov 20 2018 ckowalczykAATTsuse.com- Fix CVE-2017-17740: when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack
* patch: 0017-Fix-segfault-in-nops.patch (bsc#1073313)
* Fri Aug 17 2018 ckowalczykAATTsuse.com- Fix slapd segfaults in mdb_env_reader_dest with patch 0016-Clear-shared-key-only-in-close-function.patch (bsc#1089640)
* Tue Apr 24 2018 zsolt.kalmarAATTsuse.com- bsc#1085064 Packaging issues have been discovered around the openldap_update_modules_path.sh which has been corrected: - the spec file was wrongly configured, therefore the script has never been called - the script should create the symlinks first, as slapcat is useless on a system which is already affected.
* Fri Apr 06 2018 zsolt.kalmarAATTsuse.com- bsc#1085064 Add script \"openldap_update_modules_path.sh\" which which removes the configuration item olcModulePath in cn=config which is after upgrade from SLE12 to SLE15 holds inappropriate information. If the cn=config is being used on a system, the conflicting items in slapd.conf are ignored, despite of it, the backend DB configuration section has been also commented out in the default slapd.conf. In case of correct cn=config (the olcModulePath has been already removed), the script stops without touching anything.
* Fri Mar 23 2018 michaelAATTstroeder.com- Upgrade to upstream 2.4.46 release- removed obsolete back-port patches:
* 0013-ITS-8692-let-back-sock-generate-increment-line.patch
* 0016-ITS-8782-fix-cancel-memleak.patch OpenLDAP 2.4.46 Release (2018/03/22) Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717) Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373) Fixed libldap cross-compiling with OpenSSL 1.1 (ITS#8687) Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791) Fixed libldap MozNSS CA certificate hash matching (ITS#7374) Fixed libldap MozNSS with PEM certs when also using an NSS cert db (ITS#7389) Fixed libldap MozNSS initialization (ITS#8484) Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650) Fixed libldap memory leak with cancel operations (ITS#8782) Fixed slapd Eventlog registry key creation on 64-bit Windows (ITS#8705) Fixed slapd to maintain SSF across SASL binds (ITS#8796) Fixed slapd syncrepl deadlock when updating cookie (ITS#8752) Fixed slapd syncrepl callback to always be last in the stack (ITS#8752) Fixed slapd telephoneNumberNormalize when the value is spaces and hyphens (ITS#8778) Fixed slapd CSN queue processing (ITS#8801) Fixed slapd-ldap TLS connection timeout with high latency connections (ITS#8720) Fixed slapd-ldap to ignore unknown schema when omit-unknown-schema is set (ITS#7520) Fixed slapd-mdb with an optimization for long lived read transactions (ITS#8226) Fixed slapd-meta assert when olcDbRewrite is modified (ITS#8404) Fixed slapd-sock with LDAP_MOD_INCREMENT operations (ITS#8692) Fixed slapo-accesslog cleanup to only occur on failed operations (ITS#8752) Fixed slapo-dds entryTTL to actually decrease as per RFC 2589 (ITS#7100) Fixed slapo-syncprov memory leak with delete operations (ITS#8690) Fixed slapo-syncprov to not clear pending operation when checkpointing (ITS#8444) Fixed slapo-syncprov to correctly record contextCSN values in the accesslog (ITS#8100) Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607) Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800) Fixed slapo-syncprov session log parsing to not block other operations (ITS#8486) Build Environment Fixed Windows build with newer MINGW version (ITS#8697) Fixed compiler warnings and removed unused variables (ITS#8578) Contrib Fixed ldapc++ Control structure (ITS#8583) Documentation Delete stub manpage for back-ldbm (ITS#8713) Fixed ldap_bind(3) to mention the LDAP_SASL_SIMPLE mechanism (ITS#8121) Fixed ldap.conf(5) to note SASL_MECH/SASL_REALM are no longer user-only (ITS#8818) Fixed slapd-config(5) typo for olcTLSCipherSuite (ITS#8715) Fixed slapo-syncprov(5) indexing requirements (ITS#5048)
* Thu Feb 22 2018 fvogtAATTsuse.com- Use %license (boo#1082318)
* Mon Dec 11 2017 michaelAATTstroeder.com- added 0016-ITS-8782-fix-cancel-memleak.patch
* Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Mon Oct 02 2017 jengelhAATTinai.de- Add openldap-r-only.dif so that openldap2\'s own tools also link against libldap_r rather than libldap.- Make libldap equivalent to libldap_r (like Debian) to avoid crashes in threaded programs which unknowingly get both libraries inserted into their process image. [rh#1370065, boo#996551]
* Mon Oct 02 2017 mrueckertAATTsuse.de- use existing groups instead of inventing new ones
* Mon Sep 18 2017 michaelAATTstroeder.com- added 0012-ITS8051-sockdnpat.patch
* Wed Sep 06 2017 michaelAATTstroeder.com- updated 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
* Fri Aug 18 2017 michaelAATTstroeder.com- Added OpenLDAP new feature implementing OpenLDAP ITS#8714 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
* Thu Jul 20 2017 michaelAATTstroeder.com- added overlay trace to package openldap2-contrib
* Wed Jul 12 2017 michaelAATTstroeder.com- Upgrade to upstream 2.4.45 release- removed obsolete 0010-Enforce-minimum-DH-size-of-1024.patch and 0012-use-system-wide-cert-dir-by-default.patch- added 0013-ITS-8692-let-back-sock-generate-increment-line.patch for supporting modify increment operations with back-sock- added overlay addpartial to package openldap2-contrib
* Wed Jun 07 2017 hguoAATTsuse.com- Remove legacy daemon control that was used to migrate from SLE 11 to 12. (bsc#1038405)
* Tue Jun 06 2017 hguoAATTsuse.com- There is no change made about the package itself, this is only copying over some changelog texts from SLE package:- bug#976172 owned by hguoAATTsuse.com: openldap2 - missing /usr/share/doc/packages/openldap2/guide/admin/guide.html- bug#916914 owned by varkolyAATTsuse.com: VUL-0: CVE-2015-1546: openldap2: slapd crash in valueReturnFilter cleanup- [fate#319300](https://fate.suse.com/319300)- [CVE-2015-1545](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545)- bug#905959 owned by hguoAATTsuse.com: L3-Question: Are multiple \"Connection 0\" in a Multi Master setup normal ?- [CVE-2015-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546)- bug#916897 owned by varkolyAATTsuse.com: VUL-0: CVE-2015-1545: openldap2: slapd crashes on search with deref control and empty attr list
* Fri Apr 07 2017 jengelhAATTinai.de- Drop binutils requirement; the code using /usr/bin/strings has been dropped in openSUSE:Factory/openldap2 revision 112.
* Sat Feb 18 2017 kukukAATTsuse.com- Remove superfluous insserv PreReq.
* Thu Nov 10 2016 hguoAATTsuse.com- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch to let OpenLDAP read system wide certificate directory by default and avoid hiding the error if user specified CA location cannot be read (bsc#1009470).
* Fri Oct 14 2016 hguoAATTsuse.com- Add more details in the comments of slapd.conf concerning file permission and StartTLS capability.
* Thu Jun 23 2016 jengelhAATTinai.de- Test for user/group existence before trying to add them. Summary spello update.
* Thu Jun 16 2016 hguoAATTsuse.com- Move schema files into tarball addonschema.tar.gz: ldapns.ldif ldapns.schema rfc2307bis.ldif rfc2307bis.schema yast.ldif yast.schema- Package previously missing schema files in LDIF format: amavisd-new.ldif dhcp.ldif dlz.ldif dnszone.ldif samba3.ldif sudo.ldif suse-mailserver.ldif (bsc#984691)- Fix a minor issue in schema2ldif script that led to missing attribute in the generated LDIF.
* Tue May 17 2016 hguoAATTsuse.com- Enable build flag LDAP_USE_NON_BLOCKING_TLS to fix bsc#978408.
* Thu Feb 25 2016 hguoAATTsuse.com- Move ldap.conf into libldap-data package, per convention.
* Sun Feb 21 2016 jengelhAATTinai.de- Move ldap.conf out of shlib package again, they are not allowed there for obvious reasons (conflict with future package).
* Thu Feb 18 2016 hguoAATTsuse.com- Build password strength enforcer as an implementation of ppolicy password checker, introducing: ppolicy-check-password-1.2.tar.gz ppolicy-check-password.Makefile ppolicy-check-password.conf ppolicy-check-password.5 0200-Fix-incorrect-calculation-of-consecutive-number-of-c.patch (Implements fate#319461)
* Thu Feb 18 2016 lmuelleAATTsuse.com- Remove redundant -n openldap2- package name prefix.
* Mon Feb 08 2016 hguoAATTsuse.com- Remove openldap2-client.spec and openldap2-client.changes openldap2.spec now builds client utilities and libraries. Thus pre_checkin.sh is removed.- Move ldap.conf and its manual page from openldap2-client package to libldap-2_4-2 package, which is more appropriate.- Use RPM_OPT_FLAGS in build flags.- Macros dealing with old/unsupported distributions are removed.- Remove 0002-slapd.conf.dif and install improved slapd.conf from new source file slapd.conf.- Install slapd.conf.olctemplate to assist in preparing slapd.d for OLC.- Be explicit in sysconfig that by default openldap will use static file configuration.- Add the following schemas in LDIF format:
* rfc2307bis.ldif
* ldapns.ldif
* yast.ldif- Other minor clean-ups in the spec file.
* Mon Feb 08 2016 mpluskalAATTsuse.com- Use optflags when building
* Sat Feb 06 2016 michaelAATTstroeder.com- Upgrade to upstream 2.4.44 release with accumulated bug fixes.- Specify source with FTP URL- Removed obsolete 0012-openldap-re24-its8336.patch
* Mon Jan 25 2016 hguoAATTsuse.com- Relabel patch 0011-Enforce-minimum-DH-size-of-1024.patch into 0010-Enforce-minimum-DH-size-of-1024.patch
* Tue Dec 08 2015 michaelAATTstroeder.com- Upgrade to upstream 2.4.43 release with accumulated bug fixes.- Still build on SLES12- Loadable backend and overlay modules are now installed into arch-specific path %{_libdir}/openldap- All backends and overlays as modules for smaller memory footprint on memory constrained systems- Added extra package for back-sock- Consequent use of %{_rundir} everywhere- Rely on upstream ./configure script instead of any other macro foo- Dropped linking with libwrap- Dropped 0004-libldap-use-gethostbyname_r.dif because this work-around for nss_ldap is obsolete- New sub-package openldap2-contrib with selected contrib/ overlays- Replaced addonschema.tar.gz with separate schema sources- Updated ldapns.schema from recent slapo-nssov source tree- Added symbolic link to slapd executable in /usr/sbin/- Added more complex example configuration file /etc/openldap/slapd.conf.example- Set OPENLDAP_START_LDAPI=\"yes\" in /etc/sysconfig/openldap- Set OPENLDAP_REGISTER_SLP=\"no\" in /etc/sysconfig/openldap- Added patch for OpenLDAP ITS#7796 to avoid excessive \"not index\" logging: 0011-openldap-re24-its7796.patch- Replaced openldap-rc.tgz with single source files- Added soft dependency (Recommends) to cyrus-sasl- Added soft dependency (Recommends) to cyrus-sasl-devel to openldap2-devel- Added patch for OpenLDAP ITS#8336 (assert in liblmdb): 0012-openldap-re24-its8336.patch- Remove obsolete patch 0001-build-adjustments.dif
* Wed Dec 02 2015 hguoAATTsuse.com- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582)- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766)
* Mon Nov 30 2015 hguoAATTsuse.com- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210)
* Fri Oct 09 2015 hguoAATTsuse.com- Remove OpenLDAP 2.3 code and patches from build source. Compatibility libraries for OpenLDAP 2.3 are built in package: compat-libldap-2_3-0 Removed source files: openldap-2.3.37-liblber-length-decoding.dif openldap-2.3.37-libldap-ntlm.diff openldap-2.3.37-libldap-ssl.dif openldap-2.3.37-libldap-sasl-max-buff-size.dif openldap-2.3.37-libldap-tls_chkhost-its6239.dif openldap-2.3.37-libldap-gethostbyname_r.dif openldap-2.3.37-libldap-suid.diff openldap-2.3.37.dif openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif openldap-2.3.37-libldap-ldapi_url.dif openldap-2.3.37.tgz openldap-2.3.37-libldap-utf8-ADcanonical.dif README.update check-build.sh
* Thu Oct 01 2015 hguoAATTsuse.com- Upgrade to upstream 2.4.42 release with accumulated bug fixes.
* Tue Jul 21 2015 hguoAATTsuse.com- Upgrade to upstream 2.4.41 release with accumulcated bug fixes and stability improvements.
* Add patch 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
* Remove already applied patch 0008-ITS-7723-fix-reference-counting.patch
* Remove already applied patch 0009-gcc5.patch (Implements fate#319301)
* Thu Feb 19 2015 rguentherAATTsuse.com- Add 0009-gcc5.patch to pass -P to the preprocessor in configure checks for Berkeley DB version
* Wed Nov 26 2014 jengelhAATTinai.de- binutils is required for \"strings\" utility invocation in %pre [bnc#904028]- Remove SLE10 definitions