New changelog entries:
* SECURITY UPDATE: rootDN proxyauthz not restricted to its own databases
- debian/patches/CVE-2019-13057-1.patch: add restriction to
servers/slapd/saslauthz.c.
- debian/patches/CVE-2019-13057-2.patch: add tests to
tests/data/idassert.out, tests/data/slapd-idassert.conf,
tests/data/test-idassert1.ldif, tests/scripts/test028-idassert.
- debian/patches/CVE-2019-13057-3.patch: fix typo in
tests/scripts/test028-idassert.
- debian/patches/CVE-2019-13057-4.patch: fix typo in
tests/scripts/test028-idassert.
- CVE-2019-13057
* SECURITY UPDATE: SASL SSF not initialized per connection
- debian/patches/CVE-2019-13565.patch: zero out sasl_ssf in
connection_init in servers/slapd/connection.c.
- CVE-2019-13565
New changelog entries:
* Fix sysv-generator unit file by customizing parameters (LP: #1821343)
- d/slapd-remain-after-exit.conf: Override RemainAfterExit to allow
correct systemctl status for slapd daemon.
- d/slapd.install: place override file in correct location.
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring its own ticket. (LP: #1783183)
New changelog entries:
* Merge from Debian unstable. Remaining changes:
- Enable AppArmor support:
- d/apparmor-profile: add AppArmor profile
- d/rules: use dh_apparmor
- d/control: Build-Depends on dh-apparmor
- d/slapd.README.Debian: add note about AppArmor
- Enable GSSAPI support:
- d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- d/configure.options: Configure with --with-gssapi
- d/control: Added heimdal-dev as a build depend
- d/rules:
- Explicitly add -I/usr/include/heimdal to CFLAGS.
- Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
- Enable ufw support:
- d/control: suggest ufw.
- d/rules: install ufw profile.
- d/slapd.ufw.profile: add ufw profile.
- Enable nss overlay:
- d/{patches/nssov-build,rules}: Apply, build and package the
nss overlay.
- d/{rules,slapd.py}: Add apport hook.
- d/slapd.init.ldif: don't set olcRootDN since it's not defined in
either the default DIT nor via an Authn mapping.
- d/slapd.scripts-common:
- add slapcat_opts to local variables.
- Fix backup directory naming for multiple reconfiguration.
- d/{slapd.default,slapd.README.Debian}: use the new configuration style.
- d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open
- Show distribution in version:
- d/control: added lsb-release
- d/patches/fix-ldap-distribution.patch: show distribution in version
- d/libldap-2.4-2.symbols: Add symbols not present in Debian.
- CLDAP (UDP) was added in 2.4.17-1ubuntu2
- GSSAPI support was enabled in 2.4.18-0ubuntu2
New changelog entries:
* New upstream release.
- fixed a use-after-free in GnuTLS options handling
(ITS#8385) (Closes: #820244) (LP: #1557248)
- fixed unsafe concurrent SASL calls causing memory corruption
(ITS#8648) (Closes: #860947) (LP: #1688575)
- fixed syncrepl infinite looping with multi-master delta-syncrepl
(ITS#8432) (Closes: #868753)
* Rebase patches to apply cleanly:
- do-not-second-guess-sonames
- no-AM_INIT_AUTOMAKE
* Drop patches applied upstream:
- ITS-8554-kFreeBSD-is-like-BSD.patch
- ITS-8644-wait-for-slapd-to-start-in-test064.patch
- ITS-8655-paged-results-double-free.patch
* Upgrade to debhelper compat level 10.
- Depend on debhelper 10.
- Stop enabling parallel and autoreconf explicitly. They are now enabled
by default.
- Drop dh-autoreconf from build-depends since debhelper requires it.
* Add -Wno-format-extra-args to CFLAGS to reduce the noise in the build
logs, as this warning is emitted on each use of the Debug() macro.
* Drop libldap-2.4-4-dbg and slapd-dbg binary packages in favour of
automatic dbgsym packages.
* Update Standards-Version to 4.0.0; no changes required.
* Drop Priority and Section from binary package stanzas when they only
duplicate information from the source stanza.
* Update Priority of slapd-smbk5pwd and libldap2-dev to optional to match
the archive.
* Remove retired developer, Roland Bauerschmidt, from Uploaders.
(Closes: #856422)
* Remove Timo Aaltonen from Uploaders, with his agreement.
* debian/patches/ITS8650-retry-gnutls_handshake-after-GNUTLS_E_AGAIN.patch:
If gnutls_handshake() returns EAGAIN, call it again. Fixes TLS handshake
failures when the ServerHello message exceeds 16K.
(ITS#8650) (Closes: #861838)
* Drop time from Build-Depends. The upstream testsuite no longer calls it.
New changelog entries:
* Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
the underlying kernel bug #866122 is fixed.
* Fix FTBFS with Heimdal 7.2.0: Drop patch heimdal-fix as the
hdb_generate_key_set_password change was reverted in heimdal. Depend on an
appropriate minimum version of heimdal.
Merged
into
ubuntu/+source/openldap:ubuntu/bionic-devel
at
revision 9f80d7055dcf38e47e01817f95e7563489ca488a
