mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-04 14:39:54 +00:00
Code Issues Projects Releases Wiki Activity

openldap: upgrade to 2.4.20

Browse Source 
1. upgrade to 2.4.20
2. remove two backup patches
2. integrate two patches to fix CVE-2015-1545 and CVE-2015-1546
3. disable bdb/hdb backend, since BerkeleyDB 6.0.20+ license is
   incompatible with LDAP

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Roy Li
2015-05-26 10:33:56 +08:00
committed by Martin Jansa
parent 2538cf6f7b
commit 47ca7a8403
13 changed files with 73 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
-38
View File
@@ -1,38 +0,0 @@
From 59688044386dfeee0c837a15133f4e878f1bb661 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Wed, 13 Nov 2013 09:06:54 +0100
Subject: [PATCH] ITS#7723 fix reference counting
Upstream-Status: Backport
Commit 59688044386dfeee0c837a15133f4e878f1bb661 upstream
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
libraries/librewrite/session.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
index fcc7698..02fc054 100644
--- a/libraries/librewrite/session.c
+++ b/libraries/librewrite/session.c
@@ -161,6 +161,7 @@ rewrite_session_find(
#ifdef USE_REWRITE_LDAP_PVT_THREADS
if ( session ) {
ldap_pvt_thread_mutex_lock( &session->ls_mutex );
+ session->ls_count++;
}
ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
@@ -178,6 +179,7 @@ rewrite_session_return(
)
{
assert( session != NULL );
+ session->ls_count--;
ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
}
--
1.7.5.4
meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
-44
View File
@@ -1,44 +0,0 @@
From 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 7 Sep 2013 09:39:24 -0700
Subject: [PATCH] ITS#7430 GnuTLS: Avoid use of deprecated function
Upstream-status: Backport
---
libraries/libldap/tls_g.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 9acffaf..c793828 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -368,6 +368,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
* then we have to build the cert chain.
*/
if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+ unsigned int i;
+ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
+ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
+ break;
+ max++;
+ /* If this CA is self-signed, we're done */
+ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
+ break;
+ }
+#else
gnutls_x509_crt_t *cas;
unsigned int i, j, ncas;
@@ -387,6 +398,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
if ( j == ncas )
break;
}
+#endif
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
--
1.7.4.2
meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
+30
View File
@@ -0,0 +1,30 @@
From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 19 Jan 2015 22:25:53 +0000
Subject: [PATCH] ITS#8027 require non-empty AttributeList
Upstream-Status: Backup
Fix the CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1545
---
servers/slapd/overlays/deref.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
index 9420e3e..05aa890 100644
--- a/servers/slapd/overlays/deref.c
+++ b/servers/slapd/overlays/deref.c
@@ -183,7 +183,8 @@ deref_parseCtrl (
ber_len_t cnt = sizeof(struct berval);
ber_len_t off = 0;
- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
+ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
+ || !cnt )
{
rs->sr_text = "Dereference control: derefSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
--
1.9.1
meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
+38
View File
@@ -0,0 +1,38 @@
From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 4 Feb 2015 02:03:55 +0000
Subject: [PATCH] ITS#8046 fix vrFilter_free
Upstream-Statue: Backup
Fix CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
---
servers/slapd/filter.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index b859f73..22c81c8 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
void
vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
{
- ValuesReturnFilter *p, *next;
+ ValuesReturnFilter *next;
- if ( vrf == NULL ) {
- return;
- }
-
- for ( p = vrf; p != NULL; p = next ) {
- next = p->vrf_next;
+ for ( ; vrf != NULL; vrf = next ) {
+ next = vrf->vrf_next;
switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
case LDAP_FILTER_PRESENT:
--
1.9.1
meta-oe/recipes-support/openldap/openldap-2.4.39/initscript → meta-oe/recipes-support/openldap/openldap-2.4.40/initscript
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service → meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch
View File
meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch → meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch
View File
meta-oe/recipes-support/openldap/openldap_2.4.39.bb → meta-oe/recipes-support/openldap/openldap_2.4.40.bb
+5 -5
View File
@@ -19,16 +19,16 @@ LDAP_VER = "${@'.'.join(d.getVar('PV',1).split('.')[0:2])}"
SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
file://openldap-m4-pthread.patch \
file://kill-icu.patch \
file://gnutls-Avoid-use-of-deprecated-function.patch \
file://openldap-2.4.28-gnutls-gcrypt.patch \
file://ITS-7723-fix-reference-counting.patch \
file://use-urandom.patch \
file://initscript \
file://slapd.service \
file://thread_stub.patch \
file://0001-ITS-8027-require-non-empty-AttributeList.patch \
file://0001-ITS-8046-fix-vrFilter_free.patch \
"
SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
SRC_URI[md5sum] = "423c1f23d2a0cb96b3e9baf7e9d7dda7"
SRC_URI[sha256sum] = "d12611a5c25b6499293c2bb7b435dc2b174db73e83f5a8cb7e34f2ce5fa6dadb"
DEPENDS = "util-linux groff-native"
@@ -53,7 +53,7 @@ EXTRA_OECONF += "--with-yielding-select=yes"
EXTRA_OECONF += "--enable-dynamic"
PACKAGECONFIG ??= "gnutls modules \
bdb hdb ldap meta monitor null passwd shell proxycache dnssrv \
ldap meta monitor null passwd shell proxycache dnssrv \
"
#--with-tls with TLS/SSL support auto|openssl|gnutls [auto]
PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls libgcrypt"