openldap: upgrade to 2.4.20

1. upgrade to 2.4.20
2. remove two backup patches
2. integrate two patches to fix CVE-2015-1545 and CVE-2015-1546
3. disable bdb/hdb backend, since BerkeleyDB 6.0.20+ license is
   incompatible with LDAP

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

13 files changed, 73 insertions, 87 deletions

diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
deleted file mode 100644
index 9a0f4cb14..000000000
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 59688044386dfeee0c837a15133f4e878f1bb661 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Wed, 13 Nov 2013 09:06:54 +0100
-Subject: [PATCH] ITS#7723 fix reference counting
-
-Upstream-Status: Backport
-
-Commit 59688044386dfeee0c837a15133f4e878f1bb661 upstream
-
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- libraries/librewrite/session.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
-index fcc7698..02fc054 100644
---- a/libraries/librewrite/session.c
-+++ b/libraries/librewrite/session.c
-@@ -161,6 +161,7 @@ rewrite_session_find(
- #ifdef USE_REWRITE_LDAP_PVT_THREADS
-        if ( session ) {
-                ldap_pvt_thread_mutex_lock( &session->ls_mutex );
-+               session->ls_count++;
-        }
-        ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
- #endif /* USE_REWRITE_LDAP_PVT_THREADS */
-@@ -178,6 +179,7 @@ rewrite_session_return(
- )
- {
-        assert( session != NULL );
-+       session->ls_count--;
-        ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
- }
- 
--- 
-1.7.5.4
-
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
deleted file mode 100644
index dffd3ca51..000000000
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Sat, 7 Sep 2013 09:39:24 -0700
-Subject: [PATCH] ITS#7430 GnuTLS: Avoid use of deprecated function
-
-Upstream-status: Backport
-
----
- libraries/libldap/tls_g.c |   12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 9acffaf..c793828 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -368,6 +368,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
-                 * then we have to build the cert chain.
-                 */
-                if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-+#if GNUTLS_VERSION_NUMBER >= 0x020c00
-+                       unsigned int i;
-+                       for ( i = 1; i<VERIFY_DEPTH; i++ ) {
-+                               if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
-+                                       break;
-+                               max++;
-+                               /* If this CA is self-signed, we're done */
-+                               if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
-+                                       break;
-+                       }
-+#else
-                        gnutls_x509_crt_t *cas;
-                        unsigned int i, j, ncas;
- 
-@@ -387,6 +398,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
-                                if ( j == ncas )
-                                        break;
-                        }
-+#endif
-                }
-                rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
-                if ( rc ) return -1;
--- 
-1.7.4.2
-
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
new file mode 100644
index 000000000..91c2178c3
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
@@ -0,0 +1,30 @@
+From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Jan 2015 22:25:53 +0000
+Subject: [PATCH] ITS#8027 require non-empty AttributeList
+
+Upstream-Status: Backup
+
+Fix the CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1545
+
+---
+ servers/slapd/overlays/deref.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+                ber_len_t cnt = sizeof(struct berval);
+                ber_len_t off = 0;
+ 
+-               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++               if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++                       || !cnt )
+                {
+                        rs->sr_text = "Dereference control: derefSpec decoding error";
+                        rs->sr_err = LDAP_PROTOCOL_ERROR;
+-- 
+1.9.1
+
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
new file mode 100644
index 000000000..8a5c95f7a
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
@@ -0,0 +1,38 @@
+From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 4 Feb 2015 02:03:55 +0000
+Subject: [PATCH] ITS#8046 fix vrFilter_free
+
+Upstream-Statue: Backup
+
+Fix CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
+
+---
+ servers/slapd/filter.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index b859f73..22c81c8 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
+ void
+ vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
+ {
+-       ValuesReturnFilter      *p, *next;
++       ValuesReturnFilter      *next;
+ 
+-       if ( vrf == NULL ) {
+-               return;
+-       }
+-
+-       for ( p = vrf; p != NULL; p = next ) {
+-               next = p->vrf_next;
++       for ( ; vrf != NULL; vrf = next ) {
++               next = vrf->vrf_next;
+ 
+                switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
+                case LDAP_FILTER_PRESENT:
+-- 
+1.9.1
+
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript
index 08d1067a7..08d1067a7 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch
index 2992b7030..2992b7030 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch
index dcf541137..dcf541137 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch
index c7b1552c1..c7b1552c1 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch
index b669b7254..b669b7254 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service
index f5f83fdc3..f5f83fdc3 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch
index 540ba4a63..540ba4a63 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch
index e7b988faf..e7b988faf 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb b/meta-oe/recipes-support/openldap/openldap_2.4.40.bb
index 0183d029d..5afcb6a58 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.40.bb
@@ -19,16 +19,16 @@ LDAP_VER = "${@'.'.join(d.getVar('PV',1).split('.')[0:2])}"
 SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
     file://openldap-m4-pthread.patch \
     file://kill-icu.patch \
-    file://gnutls-Avoid-use-of-deprecated-function.patch \
     file://openldap-2.4.28-gnutls-gcrypt.patch \
-    file://ITS-7723-fix-reference-counting.patch \
     file://use-urandom.patch \
     file://initscript \
     file://slapd.service \
     file://thread_stub.patch \
+    file://0001-ITS-8027-require-non-empty-AttributeList.patch \
+    file://0001-ITS-8046-fix-vrFilter_free.patch \
 "
-SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
-SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
+SRC_URI[md5sum] = "423c1f23d2a0cb96b3e9baf7e9d7dda7"
+SRC_URI[sha256sum] = "d12611a5c25b6499293c2bb7b435dc2b174db73e83f5a8cb7e34f2ce5fa6dadb"
 
 DEPENDS = "util-linux groff-native"
 
@@ -53,7 +53,7 @@ EXTRA_OECONF += "--with-yielding-select=yes"
 EXTRA_OECONF += "--enable-dynamic"
 
 PACKAGECONFIG ??= "gnutls modules \
-                   bdb hdb ldap meta monitor null passwd shell proxycache dnssrv \
+                   ldap meta monitor null passwd shell proxycache dnssrv \
 "
 #--with-tls              with TLS/SSL support auto|openssl|gnutls [auto]
 PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls libgcrypt"