Please merge openldap 2.4.40-4 (main) from Debian unstable (main)

Status changed to 'Confirmed' because the bug affects multiple users.

Hello server team, hello sponsors,

Please consider reviewing and sponsoring the attached openldap merge.

Build/test results: https://launchpad.net/~rtandy/+archive/ubuntu/lp1395098

I would be happy to answer questions or address any comments.

Thank you!

Hi,

We are going to do another Debian upload to fix two bugs described here: http://www.openwall.com/lists/oss-security/2015/02/06/3

I'll rebase this merge on top of that once it's finalized.

Rebased, sorry it took me a while to get to this.

I guess this has missed freeze for 15.04 now, but I'd still welcome reviews in case changes are needed before getting it merged next cycle.

Packages for testing are in ppa:rtandy/lp1395098.

Unsubscribed sponsors for now. Needs rebasing again for Ubuntu changes, and there will probably be another Debian upload too. I'll try again for W.

Hello sponsors, hello server team,

(OK, let's try this again...)

Here is an updated rebase of openldap on to current Debian unstable.

A test build can be seen in my PPA: https://launchpad.net/~rtandy/+archive/ubuntu/lp1395098

orig.tar.gz can be downloaded from there too: https://launchpad.net/~rtandy/+archive/ubuntu/lp1395098/+files/openldap_2.4.40+dfsg.orig.tar.gz

Please consider reviewing and uploading this. Thank you!

oh, for crying out loud. I added "* Enable the mdb backend again on ppc64el ...", but didn't drop " * Disable mdb backend ..." from the "Remaining changes" section... :)

leaving it alone for now, anyway, in case a reviewer spots something else I need to fix.

ACK on the merge. Thanks!

I've uploaded it to wily with a couple of changes:
- removed the extra "Disable mdb backend..." from changelog
- removed "d/slapd.dirs: add etc/apparmor.d/force-complain" from changelog, as it looks like that hasn't actually been done in a long time.

Thanks!

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by...