Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-22 Thread Paul Gevers
Hmm, sorry for the noise, that is because of bug 905563. I forgot I had
that blocked in the past.

Paul

On 22-08-2019 21:07, Paul Gevers wrote:
> Hi Ryan,
> 
> On Wed, 14 Aug 2019 09:53:22 -0700 Ryan Tandy  wrote:
>> On Tue, Aug 13, 2019 at 06:25:13PM +0100, Adam D. Barratt wrote:
>>> Please go ahead; thanks.
>>
>> Thank you. Uploaded, accepted, and visible on the queue page now.
> 
> Do you have any idea why the autopkgtest of gnupg2 (maintainers in CC)
> is failing with the new openldap package? Looking at the error it seems
> that wine32 (maintainers in CC) in a multiarch environment isn't
> installable on amd64 anymore. libwine does have a dependency on
> libldap-2.4.2 so this isn't totally weird.
> 
> Paul
> 

Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-22 Thread Paul Gevers
Hi Ryan,

On Wed, 14 Aug 2019 09:53:22 -0700 Ryan Tandy  wrote:
> On Tue, Aug 13, 2019 at 06:25:13PM +0100, Adam D. Barratt wrote:
> > Please go ahead; thanks.
> 
> Thank you. Uploaded, accepted, and visible on the queue page now.

Do you have any idea why the autopkgtest of gnupg2 (maintainers in CC)
is failing with the new openldap package? Looking at the error it seems
that wine32 (maintainers in CC) in a multiarch environment isn't
installable on amd64 anymore. libwine does have a dependency on
libldap-2.4.2 so this isn't totally weird.

Paul

Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-14 Thread Ryan Tandy
On Tue, Aug 13, 2019 at 06:25:13PM +0100, Adam D. Barratt wrote:
> Please go ahead; thanks.

Thank you. Uploaded, accepted, and visible on the queue page now.



Processed: Re: Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #934507 [release.debian.org] buster-pu: package openldap/2.4.47+dfsg-3+deb10u1
Added tag(s) confirmed.

-- 
934507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934507
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2019-08-11 at 11:45 -0700, Ryan Tandy wrote:
> I would like to update openldap in buster to fix two CVEs and one
> additional important bug. I already discussed the CVEs with the security
> team and we agreed on fixing them in a point release.
> 

Please go ahead; thanks.

Regards,

Adam



Bug#934507: buster-pu: package openldap/2.4.47+dfsg-3+deb10u1

2019-08-11 Thread Ryan Tandy
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear SRM,

I would like to update openldap in buster to fix two CVEs and one 
additional important bug. I already discussed the CVEs with the security 
team and we agreed on fixing them in a point release.

The changes are in testing, backports, and Ubuntu already; no 
regressions that I'm aware of. Changelog as follows:

openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)

-> No-DSA CVE fix for an admin of one database being able to pivot their
privileges to other databases in the same slapd instance.

  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)

-> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on
non-SASL binds, keeping the value from the previous SASL bind.

  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)

-> Fix a double-free that can be triggered remotely by a search request 
with a crafted search filter, if the slapo-rwm module is loaded and 
search filter rewriting is enabled.

Thank you,
Ryan
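The ITS#8964 double free described above, modelled as an added C illustration (not OpenLDAP code and not part of this report): `Op`, `SavedState`, the two filter buffers and the tracked-free counter are constructed stand-ins for slapd's Operation and rwm_op_state, and the unguarded rollback is compared with the pointer check the fix introduces.

```c
/* Simplified model of slapd's rwm_op_rollback (hypothetical names, not
 * OpenLDAP code): the operation carries the current filter pointer and the
 * overlay's saved state keeps the original so rollback can restore it. */
typedef struct { char *filter; } Op;
typedef struct { char *filter; } SavedState;

static char orig_buf[] = "(cn=test)";       /* constructed: the client's filter */
static char rewritten_buf[] = "(uid=test)";  /* constructed: a successful rewrite */

/* Record frees instead of calling free(), so a double free shows up as a
 * count of 2 rather than as undefined behaviour. */
static const char *freed[16];
static int nfreed;
static void tracked_free(const char *p) { if (nfreed < 16) freed[nfreed++] = p; }
static int free_count(const char *p) {
    int n = 0; for (int i = 0; i < nfreed; i++) n += (freed[i] == p); return n;
}

/* Rewrite step: on success op->filter is the rewritten filter; on failure
 * (invalid rewritten filter) op->filter still points at the original. */
static void rewrite_filter(Op *op, int rewrite_ok) {
    if (rewrite_ok) op->filter = rewritten_buf;
}

/* Before ITS#8964: frees op->filter unconditionally, even when it is still
 * the original, then "restores" that same, now dangling, pointer. */
static void rollback_unguarded(Op *op, SavedState *ros) {
    tracked_free(op->filter);
    op->filter = ros->filter;
}

/* After ITS#8964: free and restore only if a rewritten filter was installed. */
static void rollback_guarded(Op *op, SavedState *ros) {
    if (op->filter != ros->filter) {
        tracked_free(op->filter);
        op->filter = ros->filter;
    }
}

/* Run rewrite -> rollback -> the request's own cleanup, and return how many
 * times the original filter was freed: 1 is correct, 2 is the double free. */
static int original_free_count(int guarded, int rewrite_ok) {
    nfreed = 0;
    Op op = { orig_buf };
    SavedState ros = { orig_buf };
    rewrite_filter(&op, rewrite_ok);
    if (guarded) rollback_guarded(&op, &ros); else rollback_unguarded(&op, &ros);
    tracked_free(op.filter);               /* cleanup frees whatever filter is current */
    return free_count(orig_buf);
}
```

With a failed rewrite the unguarded rollback reports the original filter freed twice, while the guarded rollback and both successful-rewrite paths free it exactly once.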
diff -Nru openldap-2.4.47+dfsg/debian/changelog 
openldap-2.4.47+dfsg/debian/changelog
--- openldap-2.4.47+dfsg/debian/changelog   2019-02-02 10:30:10.0 
-0800
+++ openldap-2.4.47+dfsg/debian/changelog   2019-08-10 11:58:18.0 
-0700
@@ -1,3 +1,14 @@
+openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium
+
+  * Fix slapd to restrict rootDN proxyauthz to its own databases
+(CVE-2019-13057) (ITS#9038) (Closes: #932997)
+  * Fix slapd to enforce sasl_ssf ACL statement on every connection
+(CVE-2019-13565) (ITS#9052) (Closes: #932998)
+  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
+(ITS#8964) (Closes: #934277, LP: #1838370)
+
+ -- Ryan Tandy   Sat, 10 Aug 2019 11:58:18 -0700
+
 openldap (2.4.47+dfsg-3) unstable; urgency=medium
 
   * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
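Review bot: the three changelog entries give CVE and ITS numbers but no impact statement, whereas the cover letter above describes ITS#8964 as a double free reachable remotely via a crafted search filter when slapo-rwm rewriting is enabled, and CVE-2019-13565 as sasl_ssf being left unset on non-SASL binds. Carrying a short impact note into each entry (for example `  * Fix slapo-rwm double free on invalid rewritten filter (ITS#8964)`) would let users reading the stable changelog judge urgency without opening the bug reports.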
diff -Nru 
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch 
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
--- 
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch  
1969-12-31 16:00:00.0 -0800
+++ 
openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch  
2019-08-10 11:58:18.0 -0700
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= 
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
 b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, 
rwm_op_state *ros )
+   break;
+   case LDAP_REQ_SEARCH:
+   op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+-  filter_free_x( op, op->ors_filter, 1 );
+-  op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+   op->ors_attrs = ros->ors_attrs;
+-  op->ors_filter = ros->ors_filter;
+-  op->ors_filterstr = ros->ors_filterstr;
++  if ( op->ors_filter != ros->ors_filter ) {
++  filter_free_x( op, op->ors_filter, 1 );
++  op->ors_filter = ros->ors_filter;
++  }
++  if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++  op->o_tmpfree( op->ors_filterstr.bv_val, 
op->o_tmpmemctx );
++  op->ors_filterstr = ros->ors_filterstr;
++  }
+   break;
+   case LDAP_REQ_EXTENDED:
+   if ( op->ore_reqdata != ros->ore_reqdata ) {
+-- 
+2.20.1
+
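Review bot: the guard in the rwm.c hunk is correct only under the invariant that the rewrite path stores a new pointer in op->ors_filter (and op->ors_filterstr.bv_val) solely on success and otherwise leaves the original in place; the two `if` blocks are also independent, so a rewrite that replaced only one of ors_filter or ors_filterstr would free and restore just that one, which is the intended behaviour but worth confirming against the rewrite site. Separately, this copy of the patch has been line-wrapped by the mailer: `+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs,` continues on the following line, `++ op->o_tmpfree( op->ors_filterstr.bv_val,` is split before `op->o_tmpmemctx );`, and the `++++ b/servers/slapd/overlays/rwm.c` header has lost its prefix, so the patch as quoted here would not apply and should be reviewed from the uploaded source package.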
diff -Nru 
openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
1969-12-31 16:00:00.0 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
2019-08-10 11:58:18.0 -0700
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= 
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test02
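Review bot: the only ITS#9038 change visible in this debdiff is a one-line fix to tests/scripts/test028-idassert, while the changelog credits ITS#9038 with the CVE-2019-13057 rootDN proxyauthz restriction in slapd itself; the quoted debdiff stops after `+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test02`, so the server-side change for that CVE cannot be checked from this mail. Confirm the uploaded package carries the slapd patch for ITS#9038 alongside this test script fix.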