authorRoy Li <rongqing.li@windriver.com>2015-05-26 10:33:56 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2015-05-28 10:35:16 +0200
commit47ca7a840302a6b4c59c6b1689559de7bdbf9c6b (patch)
tree1afdde6cfb61e25534e66c9a67a0545b9504a060
parent2538cf6f7b2ed384b3880fee2942b7287acfa9d4 (diff)
openldap: upgrade to 2.4.20
1. upgrade to 2.4.20 2. remove two backup patches 2. integrate two patches to fix CVE-2015-1545 and CVE-2015-1546 3. disable bdb/hdb backend, since BerkeleyDB 6.0.20+ license is incompatible with LDAP Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch38
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch44
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch30
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch38
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/initscript (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/initscript)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch (renamed from meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch)0
-rw-r--r--meta-oe/recipes-support/openldap/openldap_2.4.40.bb (renamed from meta-oe/recipes-support/openldap/openldap_2.4.39.bb)10
13 files changed, 73 insertions, 87 deletions
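diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
deleted file mode 100644
index 9a0f4cb14..000000000
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 59688044386dfeee0c837a15133f4e878f1bb661 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Wed, 13 Nov 2013 09:06:54 +0100
-Subject: [PATCH] ITS#7723 fix reference counting
-
-Upstream-Status: Backport
-
-Commit 59688044386dfeee0c837a15133f4e878f1bb661 upstream
-
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- libraries/librewrite/session.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
-index fcc7698..02fc054 100644
---- a/libraries/librewrite/session.c
-+++ b/libraries/librewrite/session.c
-@@ -161,6 +161,7 @@ rewrite_session_find(
- #ifdef USE_REWRITE_LDAP_PVT_THREADS
- if ( session ) {
- ldap_pvt_thread_mutex_lock( &session->ls_mutex );
-+ session->ls_count++;
- }
- ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
- #endif /* USE_REWRITE_LDAP_PVT_THREADS */
-@@ -178,6 +179,7 @@ rewrite_session_return(
- )
- {
- assert( session != NULL );
-+ session->ls_count--;
- ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
- }
-
----
-1.7.5.4
-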
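diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch b/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
deleted file mode 100644
index dffd3ca51..000000000
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Sat, 7 Sep 2013 09:39:24 -0700
-Subject: [PATCH] ITS#7430 GnuTLS: Avoid use of deprecated function
-
-Upstream-status: Backport
-
----
- libraries/libldap/tls_g.c | 12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 9acffaf..c793828 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -368,6 +368,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- * then we have to build the cert chain.
- */
- if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-+#if GNUTLS_VERSION_NUMBER >= 0x020c00
-+ unsigned int i;
-+ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
-+ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
-+ break;
-+ max++;
-+ /* If this CA is self-signed, we're done */
-+ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
-+ break;
-+ }
-+#else
- gnutls_x509_crt_t *cas;
- unsigned int i, j, ncas;
-
-@@ -387,6 +398,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- if ( j == ncas )
- break;
- }
-+#endif
- }
- rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
- if ( rc ) return -1;
----
-1.7.4.2
-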
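diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
new file mode 100644
index 000000000..91c2178c3
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
@@ -0,0 +1,30 @@
+From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Jan 2015 22:25:53 +0000
+Subject: [PATCH] ITS#8027 require non-empty AttributeList
+
+Upstream-Status: Backup
+
+Fix the CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1545
+
+---
+ servers/slapd/overlays/deref.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+ ber_len_t cnt = sizeof(struct berval);
+ ber_len_t off = 0;
+
+- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++ || !cnt )
+ {
+ rs->sr_text = "Dereference control: derefSpec decoding error";
+ rs->sr_err = LDAP_PROTOCOL_ERROR;
+--
+1.9.1
+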
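Review bot: The patch header carries `Upstream-Status: Backup`, which is not a recognised status value; since the change is taken from upstream commit c32e74763f77675b9e144126e375977ed6dc562c, the tag should read `Upstream-Status: Backport`. The sibling file 0001-ITS-8046-fix-vrFilter_free.patch has the same wrong value and additionally misspells the tag as `Upstream-Statue`, so any tooling that searches for the tag name will not find it there. Both headers also lack the integrator's `Signed-off-by:` line, and a machine-readable `CVE: CVE-2015-1545` line here (`CVE: CVE-2015-1546` in the sibling) would let the fix be tracked without parsing the NVD URL. In the code itself, the added `|| !cnt` term sends a derefSpec whose attribute list decodes to zero entries down the existing decoding-error path; deref_parseCtrl continues outside the hunk, so what that path releases cannot be checked from here.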
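diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
new file mode 100644
index 000000000..8a5c95f7a
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
@@ -0,0 +1,38 @@
+From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 4 Feb 2015 02:03:55 +0000
+Subject: [PATCH] ITS#8046 fix vrFilter_free
+
+Upstream-Statue: Backup
+
+Fix CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
+
+---
+ servers/slapd/filter.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index b859f73..22c81c8 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
+ void
+ vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
+ {
+- ValuesReturnFilter *p, *next;
++ ValuesReturnFilter *next;
+
+- if ( vrf == NULL ) {
+- return;
+- }
+-
+- for ( p = vrf; p != NULL; p = next ) {
+- next = p->vrf_next;
++ for ( ; vrf != NULL; vrf = next ) {
++ next = vrf->vrf_next;
+
+ switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
+ case LDAP_FILTER_PRESENT:
+--
+1.9.1
+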
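Review bot: The patch description does not say what was wrong with vrFilter_free, and the defect is easy to miss when reading the new loop on its own: the old code advanced the cursor `p` while the `switch` kept reading `vrf->vrf_choice`, so every iteration acted on the head node instead of the current one. A sentence in the header such as `The old loop walked the list with p but dispatched on vrf, so the head node was processed once per list element; iterate with vrf itself.` would record that and keep a later refresh of the patch from reintroducing a separate cursor. The loop body continues past the end of the hunk, so the per-node release at the bottom of each iteration is presumed rather than visible here. The removed `vrf == NULL` early return is covered by the loop condition, so dropping it does not change behaviour for a NULL argument.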
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript
index 08d1067a7..08d1067a7 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch
index 2992b7030..2992b7030 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch
index dcf541137..dcf541137 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch
index c7b1552c1..c7b1552c1 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch
index b669b7254..b669b7254 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service
index f5f83fdc3..f5f83fdc3 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch
index 540ba4a63..540ba4a63 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch
index e7b988faf..e7b988faf 100644
--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch
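diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb b/meta-oe/recipes-support/openldap/openldap_2.4.40.bb
index 0183d029d..5afcb6a58 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.40.bb
@@ -19,16 +19,16 @@ LDAP_VER = "${@'.'.join(d.getVar('PV',1).split('.')[0:2])}"
 SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
  file://openldap-m4-pthread.patch \
  file://kill-icu.patch \
- file://gnutls-Avoid-use-of-deprecated-function.patch \
  file://openldap-2.4.28-gnutls-gcrypt.patch \
- file://ITS-7723-fix-reference-counting.patch \
  file://use-urandom.patch \
  file://initscript \
  file://slapd.service \
  file://thread_stub.patch \
+ file://0001-ITS-8027-require-non-empty-AttributeList.patch \
+ file://0001-ITS-8046-fix-vrFilter_free.patch \
 "
-SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
-SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
+SRC_URI[md5sum] = "423c1f23d2a0cb96b3e9baf7e9d7dda7"
+SRC_URI[sha256sum] = "d12611a5c25b6499293c2bb7b435dc2b174db73e83f5a8cb7e34f2ce5fa6dadb"
 
 DEPENDS = "util-linux groff-native"
 
@@ -53,7 +53,7 @@ EXTRA_OECONF += "--with-yielding-select=yes"
 EXTRA_OECONF += "--enable-dynamic"
 
 PACKAGECONFIG ??= "gnutls modules \
- bdb hdb ldap meta monitor null passwd shell proxycache dnssrv \
+ bdb hdb ldap meta monitor null passwd shell proxycache dnssrv \
+ ldap meta monitor null passwd shell proxycache dnssrv \
 "
 #--with-tls with TLS/SSL support auto|openssl|gnutls [auto]
 PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls libgcrypt"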
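Review bot: The new default `PACKAGECONFIG` drops `bdb hdb` without putting another storage backend in their place, so a target whose slapd configuration declares a `bdb` or `hdb` database will presumably fail to load it after this upgrade. A comment above the assignment would record both the reason and the migration need, e.g. `# bdb/hdb are off by default (BerkeleyDB 6.0.20+ licence conflict); export existing databases with slapcat before upgrading`. If the recipe defines an `mdb` option further down (not visible in these hunks), adding it to the default list would keep a native backend available out of the box. Separately, the tarball is still fetched over `ftp://`, so `SRC_URI[sha256sum]` is the only integrity control on the download and the `md5sum` line adds nothing to it.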