lp:ubuntu/karmic-security/openldap
- Get this branch:
- bzr branch lp:ubuntu/karmic-security/openldap
Branch merges
Related source package recipes
Branch information
Recent revisions
- 21. By Jamie Strandboge
-
* SECURITY UPDATE: fix successful anonymous bind via chain overlay when
using forwarded authentication failures
- debian/patches/ CVE-2011- 1024
- CVE-2011-1024
* SECURITY UPDATE: verify password when authenticating to rootdn and using ndb
backend. Note: Ubuntu is not compiled with --enable-ndb by default
- debian/patches/ CVE-2011- 1025
- CVE-2011-1025
* SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
and requestDN is empty
- debian/patches/ CVE-2011- 1081
- CVE-2011-1081 - 20. By Steve Beattie
-
* SECURITY UPDATE: null ptr deref, free uninitialized data in modrdn calls
- openldap-2.4.22- CVE-2010- 0211-modrdn_ check_error. patch:
- check return for errors and clean up uninitialized data
- openldap-2.4.22- CVE-2010- 0212-modrdn_ null_deref. patch:
- return error on 0-length or binary RDNs
- CVE-2010-0211, CVE-2010-0212 - 19. By Mathias Gug
-
* New upstream release: (LP: #419515):
+ pcache overlay supports disconnected mode.
* Fix nss overlay load (LP: #417163). - 18. By Mathias Gug
-
* Install a minimal slapd configuration instead of creating a default
database with a default DIT:
+ Move openldap user home from /var/lib/ldap to /nonexistent.
+ Remove all code and templates dealing with the default database and DIT
creation.
+ Add an Authz map from root user (UID=0) to cn=localroot,cn=config and
grant all access to the latter in the cn=config database as well as the
default backend configuration.
* Add cn=localroot,cn=config authz mapping on upgrades. - 17. By Mathias Gug
-
[ Thierry Carrez ]
* debian/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open (LP: #390579)[ Mathias Gug ]
* debian/patches/ its6077- uniqueness- overlay: fixes some issues with the
uniqueness overlay.
* debian/patches/ its6220- writetimeout- directive: fixes a problem with the
writetimeout directive being in effect even if it wasn't set,
closing connections incorrectly.
* debian/patches/ its6222- dncachesize- parameter: fixes the behavior of the
dncachesize parameter that was added in RE24, so that if it is set to
"0" (now the default), it has an unlimited DN cache (RE23 always
had an unlimited DN cache). - 16. By Mathias Gug
-
[ Steve Langasek ]
* Fix up the lintian warnings:
- add missing misc-depends on all packages
- slapd, libldap-2.4-2-dbg sections changed to 'debug' to match archive
overrides
- bump Standards-Version to 3.8.2, no changes required.[ Mathias Gug ]
* Resynchronise with Debian. Remaining changes:
- AppArmor support:
- debian/apparmor- profile: add AppArmor profile
- updated debian/slapd.README. Debian for note on AppArmor
- debian/slapd.dirs: add etc/apparmor.d/force- complain
- debian/slapd.postrm: remove symlink in force-complain/ on purge
- debian/rules: install apparmor profile.
- Don't use local statement in config script as it fails if /bin/sh
points to bash.
- debian/slapd.postinst, debian/ slapd.script- common: set correct
ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
readable) and /var/run/slapd (world readable).
- Enable nssoverlay:
- debian/patches/ nssov-build, debian/rules: Build and package the nss
overlay.
- debian/schema/ misc.ldif: add ldif file for the misc schema which
defines rfc822MailMember (required by the nss overlay).
- debian/{control, rules}: enable PIE hardening
- Use cn=config as the default configuration backend instead of
slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
asking the end user to enter a new password to control the access to
the cn=config tree.
- debian/slapd.postinst: create /var/run/slapd before updating its
permissions.
- debian/slapd.init: Correctly set slapd config backend option even if
the pidfile is configured in slapd default file.
* Dropped:
- Merged in Debian:
- Update priority of libldap-2.4-2 to match the archive override.
- Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
the ldapurl(1) manpage.
- Bump build-dependency on debhelper to 6 instead of 5, since that's
what we're using.
- Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
the built-in default of ldap:/// only.
- Fixed in upstream release:
- debian/patches/ fix-ldap_ back_entry_ get_rwa. patch: fix test-0034
failure when built with PIE.
- debian/patches/ gnutls- enable- v1-ca-certs: Enable V1 CA certs to be
trusted.
- Update Apparmor profile support: don't support upgrade from pre-hardy
systems:
- debian/slapd.postinst: Reload AA profile on configuration
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/control: Conflicts with apparmor-profiles <<
2.1+1075- 0ubuntu4 to make sure that if earlier version of
apparmor-profiles gets installed it won't overwrite our profile.
- follow ApparmorProfileMigration and force apparmor complain mode on
some upgrades
- debian/slapd.preinst: create symlink for force-complain on
pre-feisty upgrades, upgrades where apparmor-profiles profile is
unchanged (ie non-enforcing) and upgrades where apparmor profile
does not exist.
- debian/patches/ autogen. sh: no longer needed with karmic libtool.
- Call libtoolize with the --install option to install
config.{guess, sub} files. - 15. By Colin Watson
-
* Resynchronise with Debian. Remaining changes:
- AppArmor support:
- debian/apparmor- profile: add AppArmor profile
- debian/slapd.postinst: Reload AA profile on configuration
- updated debian/slapd.README. Debian for note on AppArmor
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/control: Conflicts with apparmor-profiles <<
2.1+1075- 0ubuntu4 to make sure that if earlier version of
apparmor-profiles gets installed it won't overwrite our profile.
- follow ApparmorProfileMigration and force apparmor complain mode on
some upgrades
- debian/slapd.dirs: add etc/apparmor.d/force- complain
- debian/slapd.preinst: create symlink for force-complain on
pre-feisty upgrades, upgrades where apparmor-profiles profile is
unchanged (ie non-enforcing) and upgrades where apparmor profile
does not exist.
- debian/slapd.postrm: remove symlink in force-complain/ on purge
- debian/patches/ autogen. sh:
- Call libtoolize with the --install option to install
config.{guess, sub} files.
- Don't use local statement in config script as it fails if /bin/sh
points to bash.
- debian/slapd.postinst, debian/ slapd.script- common: set correct
ownership and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group
readable) and /var/run/slapd (world readable).
- Enable nssoverlay:
- debian/patches/ nssov-build, debian/rules: Build and package the nss
overlay.
- debian/schema/ misc.ldif: add ldif file for the misc schema which
defines rfc822MailMember (required by the nss overlay).
- debian/{control, rules}: enable PIE hardening
- Use cn=config as the default configuration backend instead of
slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
asking the end user to enter a new password to control the access to
the cn=config tree.
- Update priority of libldap-2.4-2 to match the archive override.
- Add the missing ldapexop and ldapurl tools to ldap-utils, as well as
the ldapurl(1) manpage.
- Bump build-dependency on debhelper to 6 instead of 5, since that's
what we're using.
- Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
the built-in default of ldap:/// only.
- debian/patches/ fix-ldap_ back_entry_ get_rwa. patch: fix test-0034
failure when built with PIE.
- debian/patches/ gnutls- enable- v1-ca-certs: Enable V1 CA certs to be
trusted.
- debian/slapd.postinst: create /var/run/slapd before updating its
permissions.
- debian/slapd.init: Correctly set slapd config backend option even if
the pidfile is configured in slapd default file.
* Drop patch to avoid the test suite on hppa, as hppa is EOL. - 13. By Mathias Gug
-
* debian/
slapd.postinst: create /var/run/slapd before updating its
permissions (LP: #298928).
* debian/slapd.init: Correclty set slapd config backend option even if the
pidfile is configured in slapd default file (LP: #292364).
* debian/apparmor- profile: support multiple databases to be stored under
/var/lib/ldap/. (LP: #286614). - 12. By Mathias Gug
-
[ Steve Langasek ]
* Update priority of libldap-2.4-2 to match the archive override.
* Add the missing ldapexop and ldapurl tools to ldap-utils, as well as the
ldapurl(1) manpage. Thanks to Peter Marschall for the patch.
Closes: #496749.
* Bump build-dependency on debhelper to 6 instead of 5, since that's
what we're using. Closes: #498116.
* Set the default SLAPD_SERVICES to ldap:/// ldapi:///, instead of using
the built-in default of ldap:/// only.[ Mathias Gug ]
* Merge from debian unstable, remaining changes:
- Modify Maintainer value to match the DebianMaintainerField
speficication.
- AppArmor support:
- debian/apparmor- profile: add AppArmor profile
- debian/slapd.postinst: Reload AA profile on configuration
- updated debian/slapd.README. Debian for note on AppArmor
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
to make sure that if earlier version of apparmour-profiles gets
installed it won't overwrite our profile.
- follow ApparmorProfileMigration and force apparmor compalin mode on
some upgrades (LP: #203529)
- debian/slapd.dirs: add etc/apparmor.d/force- complain
- debian/slapd.preinst: create symlink for force-complain on pre-feisty
upgrades, upgrades where apparmor-profiles profile is unchanged (ie
non-enforcing) and upgrades where apparmor profile does not exist.
- debian/slapd.postrm: remove symlink in force-complain/ on purge
- debian/control:
- Build-depend on libltdl7-dev rather then libltdl3-dev.
- debian/patches/ autogen. sh:
- Call libtoolize with the --install option to install config.{guess,sub}
files.
- Don't use local statement in config script as it fails if /bin/sh
points to bash (LP: #286063).
- Disable the testsuite on hppa. Allows building of packages on this
architecture again, once this package is in the archive.
LP: #288908.
- debian/slapd.postinst, debian/ slapd.script- common: set correct ownership
and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
/var/run/slapd (world readable). (LP: #257667).
- Enable nssoverlay:
- debian/patches/ nssov-build, debian/rules: Build and package
the nss overlay.
- debian/schema/ misc.ldif: add ldif file for the misc schema
which defines rfc822MailMember (required by the nss overlay).
- debian/{control, rules}: enable PIE hardening
- Use cn=config as the default configuration backend instead of
slapd.conf. Migrate slapd.conf file to /etc/ldap/slapd.d/ on upgrade
asking the end user to enter a new password to control the access to the
cn=config tree.
* Dropped:
- debian/patches/ corrupt- contextCSN: The contextCSN can get corrupted at
times. (ITS: #5947) Fixed in new upstream version 2.4.15.
- debian/patches/ fix-ucred- libc due to changes how newer glibc handle
the ucred struct now. Implemented in Debian.
* debian/patches/ fix-ldap_ back_entry_ get_rwa. patch: fix test-0034 failure
when built with PIE.
* debian/patches/ gnutls- enable- v1-ca-certs: Enable V1 CA certs to be
trusted (LP: #305264).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/maverick/openldap
