Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear SRM,

I would like to update openldap in buster to fix two CVEs and one
additional important bug. I already discussed the CVEs with the security
team and we agreed on fixing them in a point release.

The changes are in testing, backports, and Ubuntu already; no
regressions that I'm aware of. Changelog as follows:

openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)
    -> No-DSA CVE fix for an admin of one database being able to pivot their
       privileges to other databases in the same slapd instance.
  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)
    -> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on
       non-SASL binds, keeping the value from the previous SASL bind.
  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)
    -> Fix a double-free that can be triggered remotely by a search request
       with a crafted search filter, if the slapo-rwm module is loaded and
       search filter rewriting is enabled.

Thank you,
Ryan

diff -Nru openldap-2.4.47+dfsg/debian/changelog
openldap-2.4.47+dfsg/debian/changelog
--- openldap-2.4.47+dfsg/debian/changelog 2019-02-02 10:30:10.0
-0800
+++ openldap-2.4.47+dfsg/debian/changelog 2019-08-10 11:58:18.0
-0700
@@ -1,3 +1,14 @@
+openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium
+
+ * Fix slapd to restrict rootDN proxyauthz to its own databases
+(CVE-2019-13057) (ITS#9038) (Closes: #932997)
+ * Fix slapd to enforce sasl_ssf ACL statement on every connection
+(CVE-2019-13565) (ITS#9052) (Closes: #932998)
+ * Fix slapo-rwm to not free original filter when rewritten filter is invalid
+(ITS#8964) (Closes: #934277, LP: #1838370)
+
+ -- Ryan Tandy Sat, 10 Aug 2019 11:58:18 -0700
+
openldap (2.4.47+dfsg-3) unstable; urgency=medium
* Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
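Review bot: The third bullet of the new changelog entry (ITS#8964) does not say that it fixes a double free, while the two bullets above it are identifiable as security fixes by their CVE ids. Consider wording it along the lines of "Fix double free in slapo-rwm when the rewritten filter is invalid", so that anyone scanning the point-release changelog can see the impact without having to open #934277.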
diff -Nru
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
---
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
1969-12-31 16:00:00.0 -0800
+++
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
2019-08-10 11:58:18.0 -0700
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs,
rwm_op_state *ros )
+ break;
+ case LDAP_REQ_SEARCH:
+ op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+- filter_free_x( op, op->ors_filter, 1 );
+- op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+ op->ors_attrs = ros->ors_attrs;
+- op->ors_filter = ros->ors_filter;
+- op->ors_filterstr = ros->ors_filterstr;
++ if ( op->ors_filter != ros->ors_filter ) {
++ filter_free_x( op, op->ors_filter, 1 );
++ op->ors_filter = ros->ors_filter;
++ }
++ if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++ op->o_tmpfree( op->ors_filterstr.bv_val,
op->o_tmpmemctx );
++ op->ors_filterstr = ros->ors_filterstr;
++ }
+ break;
+ case LDAP_REQ_EXTENDED:
+ if ( op->ore_reqdata != ros->ore_reqdata ) {
+--
+2.20.1
+
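Review bot: The patch file added here has an empty description between the Subject line and the diffstat and carries no DEP-3 fields, so debian/patches does not record why the frees in the LDAP_REQ_SEARCH case of rwm_op_rollback() became conditional. Please add a short description stating that op->ors_filter and op->ors_filterstr.bv_val are now freed only when they differ from the values saved in ros (the same pointer comparison the LDAP_REQ_EXTENDED case below already uses for ore_reqdata), plus a Bug-Debian reference to #934277. A one-line comment above the two new if blocks saying that equal pointers mean the filter was never replaced would also help the next reader of this rollback path.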
diff -Nru
openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
1969-12-31 16:00:00.0 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
2019-08-10 11:58:18.0 -0700
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test02