[ubuntu/eoan-proposed] openldap 2.4.48+dfsg-1ubuntu1 (Accepted)
Andreas Hasenack
andreas at canonical.com
Thu Aug 1 16:56:13 UTC 2019
openldap (2.4.48+dfsg-1ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
      - d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      - d/slapd.install:
        - install nssov overlay
      - d/slapd.manpages:
        - install slapo-nssov(5) man page
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
      - GSSAPI support was enabled in 2.4.18-0ubuntu2
    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
      Debian bug #919136, we also have to patch the nssov makefile
      accordingly and thus update this patch.
  * Dropped:
    - Fix sysv-generator unit file by customizing parameters (LP #1821343)
      + d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
        correct systemctl status for slapd daemon.
      + d/slapd.install: place override file in correct location.
      [Included in 2.4.48+dfsg-1]
    - SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
      + debian/patches/CVE-2019-13057-1.patch: add restriction to
        servers/slapd/saslauthz.c.
      + debian/patches/CVE-2019-13057-2.patch: add tests to
        tests/data/idassert.out, tests/data/slapd-idassert.conf,
        tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
      + debian/patches/CVE-2019-13057-3.patch: fix typo in
        tests/scripts/test028-idassert.
      + debian/patches/CVE-2019-13057-4.patch: fix typo in
        tests/scripts/test028-idassert.
      + CVE-2019-13057
      [Fixed upstream]
    - SECURITY UPDATE: SASL SSF not initialized per connection
      + debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
        connection_init in servers/slapd/connection.c.
      + CVE-2019-13565
      [Fixed upstream]

openldap (2.4.48+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - fixed slapd to restrict rootDN proxyauthz to its own databases
      (CVE-2019-13057) (ITS#9038) (Closes: #932997)
    - fixed slapd to enforce sasl_ssf ACL statement on every connection
      (CVE-2019-13565) (ITS#9052) (Closes: #932998)
    - added new openldap.h header with OpenLDAP specific libldap interfaces
      (ITS#8671)
    - updated lastbind overlay to support forwarding authTimestamp updates
      (ITS#7721) (Closes: #880656)
  * Update Standards-Version to 4.4.0.
  * Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so
    that systemd marks the service as dead after it crashes or is killed.
    Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343)
  * Use more entropy for generating a random admin password, if none was set
    during initial configuration. Thanks to Judicael Courant.
    (Closes: #932270)
  * Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog
    with variables provided by dpkg-dev includes.
  * Declare R³: no.
  * Create a simple autopkgtest that tests installing slapd and connecting to
    it with an ldap tool.
  * Install the new openldap.h header in libldap2-dev.

Date: Wed, 31 Jul 2019 18:01:14 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openldap/2.4.48+dfsg-1ubuntu1
Format: 1.8
Date: Wed, 31 Jul 2019 18:01:14 -0300
Source: openldap
Architecture: source
Version: 2.4.48+dfsg-1ubuntu1
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Closes: 880656 926657 932270 932997 932998
Launchpad-Bugs-Fixed: 1821343
Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel at lists.alioth.debian.org>