lp:ubuntu/hardy-updates/openldap2.3
- Get this branch: bzr branch lp:ubuntu/hardy-updates/openldap2.3
Branch information
- Owner: Ubuntu branches
- Status: Mature
Recent revisions
- 19. By Jamie Strandboge
* SECURITY UPDATE: fix successful anonymous bind via chain overlay when
using forwarded authentication failures
- debian/patches/CVE-2011-1024
- CVE-2011-1024
* SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
and requestDN is empty
- debian/patches/CVE-2011-1081
- CVE-2011-1081
- 18. By Steve Beattie
* SECURITY UPDATE: null ptr deref, free uninitialized data in modrdn calls
- openldap-2.4.22-CVE-2010-0211-modrdn_check_error.patch:
- check return for errors and clean up uninitialized data
- openldap-2.4.22-CVE-2010-0212-modrdn_null_deref.patch:
- return error on 0-length or binary RDNs
- CVE-2010-0211, CVE-2010-0212
- 17. By Kees Cook
* SECURITY UPDATE: denial of service via broken BER decoding.
* Added debian/patches/security-ber-decoding.patch: upstream fixes.
* References
CVE-2008-2952
- 16. By Jamie Strandboge
remove apparmor-profile workaround for Launchpad #202161 (it's now fixed
in klibc)
- 15. By Jamie Strandboge
* apparmor-profile workaround for Launchpad #202161
* follow ApparmorProfileMigration and force apparmor complain mode on some
upgrades (LP: #203529)
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/slapd.dirs: add etc/apparmor.d/force-complain
- debian/slapd.preinst: create symlink for force-complain/ on pre-feisty
upgrades, upgrades where apparmor-profiles profile is unchanged (ie
non-enforcing) and upgrades where apparmor profile does not exist
- debian/slapd.postrm: remove symlink in force-complain/ on purge
* debian/rules, debian/slapd.links: use hard links to slapd instead of
symlinks for slap* so these applications aren't confined by apparmor
(LP: #203898)
- 14. By Steve Langasek
* Merge from Debian unstable, remaining changes:
+ debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
allows remote authenticated users to cause a denial of service (daemon
crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION)
control, a related issue to CVE-2007-6698.
+ debian/apparmor-profile: add AppArmor profile
+ debian/slapd.postinst: Reload AA profile on configuration
+ updated debian/slapd.README.Debian for note on AppArmor
+ debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
should now take control
+ debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
to make sure that if earlier version of apparmor-profiles gets
installed it won't overwrite our profile
+ Modify Maintainer value to match the DebianMaintainerField
specification.
- 13. By Emanuele Gentili
* SECURITY UPDATE:
+ debian/patches/SECURITY_CVE-2008-0658.patch (LP: #197077)
slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39
allows remote authenticated users to cause a denial of service (daemon crash)
via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related
issue to CVE-2007-6698.
* References
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0658
- http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358
- 12. By Jamie Strandboge
* add AppArmor profile
+ debian/apparmor-profile
+ debian/slapd.postinst: Reload AA profile on configuration
* updated debian/slapd.README.Debian for note on AppArmor
* debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
should now take control
* debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
to make sure that if earlier version of apparmor-profiles gets installed
it won't overwrite our profile
* Modify Maintainer value to match the DebianMaintainerField
specification.
- 11. By Steve Langasek
[ Updated debconf translations ]
* Finnish, thanks to Esko Arajärvi <email address hidden>. Closes: #462688.
* Galician, thanks to Jacobo Tarrio <email address hidden>. Closes: #462987.
* French, thanks to Christian Perrier <email address hidden>.
Closes: #463149.
* Russian, thanks to Yuri Kozlov <email address hidden>. Closes: #463442.
* Czech, thanks to Miroslav Kure <email address hidden>. Closes: #463472.
* German, thanks to Helge Kreutzmann <email address hidden>.
Closes: #464718.
[ Steve Langasek ]
* Fix various regressions related to the introduction of GnuTLS:
- Add new patch, gnutls-ciphers, to fix support for specifying multiple
ciphers with TLSCipherSuite option in slapd.conf. Thanks to Kyle
Moffett <email address hidden> for the patch. Closes LP: #188200.
- Add new patch, slapd-tlsverifyclient-default, to set the intended
default value of "TLSVerifyClient never" in the right place.
- Add new patch, gnutls-altname-nulterminated, to account for differences
in how the "length" is returned for commonName vs. subjectAltName.
- Comment out TLSCipherSuite settings on upgrade from all versions prior
to 2.4.7-5, and throw a debconf error to the user notifying them of
this, since all OpenSSL cipher suite values are incompatible with
GnuTLS.
Closes: #462588.
* Add new patch from upstream, entryCSN-backwards-compatibility, to support
auto-converting entryCSN attributes in a previously supported old format,
fixing an upgrade failure. Closes: #462099.
* Use --retry TERM/10 instead of --retry 10 when stopping slapd, since the
latter resorts to a SIGKILL and may corrupt backend data; whereas the
former will exit non-zero if slapd is still running but won't directly
cause data-loss. Thanks to Mark McDonald for the patch. LP: #92139.
* Fix manpage symlinks in libldap2-dev; thanks to Reuben Thomas for
reporting. Closes: #463971.
* Fix a superfluous space in the debconf templates, due to a trailing space
in the templates. Closes: #464719.
- 10. By Steve Langasek
[ Steve Langasek ]
* Build-conflict with libicu-dev, for consistent dependencies in all
build environments.
* Fix an oversight in the checkpoint migration, which caused the checkpoint
option to not be moved far enough down. Closes: #462304, LP: #185257.
* Build-depend on unixodbc instead of iODBC.
[ Updated debconf translations ]
* Japanese, thanks to Kenshi Muto <email address hidden>. Closes: #462191.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)