author | Roy Li <rongqing.li@windriver.com> | 2015-05-26 10:33:56 +0800 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2015-05-28 10:35:16 +0200 |
commit | 47ca7a840302a6b4c59c6b1689559de7bdbf9c6b (patch) | |
tree | 1afdde6cfb61e25534e66c9a67a0545b9504a060 | |
parent | 2538cf6f7b2ed384b3880fee2942b7287acfa9d4 (diff) | |
download | meta-openembedded-47ca7a840302a6b4c59c6b1689559de7bdbf9c6b.tar.gz |
openldap: upgrade to 2.4.20
1. upgrade to 2.4.20
2. remove two backup patches
2. integrate two patches to fix CVE-2015-1545 and CVE-2015-1546
3. disable bdb/hdb backend, since BerkeleyDB 6.0.20+ license is
incompatible with LDAP
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
13 files changed, 73 insertions, 87 deletions
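--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/ITS-7723-fix-reference-counting.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 59688044386dfeee0c837a15133f4e878f1bb661 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Wed, 13 Nov 2013 09:06:54 +0100
-Subject: [PATCH] ITS#7723 fix reference counting
-
-Upstream-Status: Backport
-
-Commit 59688044386dfeee0c837a15133f4e878f1bb661 upstream
-
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
-libraries/librewrite/session.c | 2 ++
-1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
-index fcc7698..02fc054 100644
---- a/libraries/librewrite/session.c
-+++ b/libraries/librewrite/session.c
-@@ -161,6 +161,7 @@ rewrite_session_find(
-#ifdef USE_REWRITE_LDAP_PVT_THREADS
-if ( session ) {
-ldap_pvt_thread_mutex_lock( &session->ls_mutex );
-+ session->ls_count++;
-}
-ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
-#endif /* USE_REWRITE_LDAP_PVT_THREADS */
-@@ -178,6 +179,7 @@ rewrite_session_return(
-)
-{
-assert( session != NULL );
-+ session->ls_count--;
-ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
-}
-
---
-1.7.5.4
-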
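--- a/meta-oe/recipes-support/openldap/openldap-2.4.39/gnutls-Avoid-use-of-deprecated-function.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Sat, 7 Sep 2013 09:39:24 -0700
-Subject: [PATCH] ITS#7430 GnuTLS: Avoid use of deprecated function
-
-Upstream-status: Backport
-
----
-libraries/libldap/tls_g.c | 12 ++++++++++++
-1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 9acffaf..c793828 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -368,6 +368,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
-* then we have to build the cert chain.
-*/
-if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-+#if GNUTLS_VERSION_NUMBER >= 0x020c00
-+ unsigned int i;
-+ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
-+ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
-+ break;
-+ max++;
-+ /* If this CA is self-signed, we're done */
-+ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
-+ break;
-+ }
-+#else
-gnutls_x509_crt_t *cas;
-unsigned int i, j, ncas;
-
-@@ -387,6 +398,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
-if ( j == ncas )
-break;
-}
-+#endif
-}
-rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
-if ( rc ) return -1;
---
-1.7.4.2
-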
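--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8027-require-non-empty-AttributeList.patch
@@ -0,0 +1,30 @@
+From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Jan 2015 22:25:53 +0000
+Subject: [PATCH] ITS#8027 require non-empty AttributeList
+
+Upstream-Status: Backup
+
+Fix the CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1545
+
+---
+servers/slapd/overlays/deref.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+ber_len_t cnt = sizeof(struct berval);
+ber_len_t off = 0;
+
+- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++ || !cnt )
+{
+rs->sr_text = "Dereference control: derefSpec decoding error";
+rs->sr_err = LDAP_PROTOCOL_ERROR;
+--
+1.9.1
+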
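Review bot: The header tag `Upstream-Status: Backup` in this new patch file is not a recognised status value; for a fix taken from upstream it should read `Upstream-Status: Backport`, and the same slip appears, with the key itself misspelled as `Upstream-Statue: Backup`, in 0001-ITS-8046-fix-vrFilter_free.patch. Patch-status audits and CVE tracking that search patch headers will miss both files as written. Neither header carries a Signed-off-by from the person who imported the patch, and the CVE is given only as an NVD URL; a plain `CVE: CVE-2015-1545` line (and `CVE: CVE-2015-1546` in the other file) is easier to match. The `|| !cnt` check sits inside deref_parseCtrl, whose body starts and ends outside the inner hunk.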
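--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/0001-ITS-8046-fix-vrFilter_free.patch
@@ -0,0 +1,38 @@
+From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 4 Feb 2015 02:03:55 +0000
+Subject: [PATCH] ITS#8046 fix vrFilter_free
+
+Upstream-Statue: Backup
+
+Fix CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
+
+---
+servers/slapd/filter.c | 10 +++-------
+1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index b859f73..22c81c8 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
+void
+vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
+{
+- ValuesReturnFilter *p, *next;
++ ValuesReturnFilter *next;
+
+- if ( vrf == NULL ) {
+- return;
+- }
+-
+- for ( p = vrf; p != NULL; p = next ) {
+- next = p->vrf_next;
++ for ( ; vrf != NULL; vrf = next ) {
++ next = vrf->vrf_next;
+
+switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
+case LDAP_FILTER_PRESENT:
+--
+1.9.1
+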
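Review bot: The patch header does not say what was wrong, which makes it hard to judge after a later version bump whether the patch is still needed. From the removed lines, the old loop advanced `p` (`next = p->vrf_next`) while the `switch` below it read `vrf->vrf_choice`, so each pass examined the list head instead of the current node. A header sentence such as `The loop walked the list with p but the body used vrf, so the head node was processed on every pass` would record that. vrFilter_free continues past the end of the inner hunk, so how each node is released is not visible here.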
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript index 08d1067a7..08d1067a7 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/initscript +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/initscript | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch index 2992b7030..2992b7030 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/install-strip.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/install-strip.patch | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch index dcf541137..dcf541137 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/kill-icu.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/kill-icu.patch | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch index c7b1552c1..c7b1552c1 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-2.4.28-gnutls-gcrypt.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-2.4.28-gnutls-gcrypt.patch | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch index b669b7254..b669b7254 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/openldap-m4-pthread.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/openldap-m4-pthread.patch | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service index f5f83fdc3..f5f83fdc3 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/slapd.service +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/slapd.service | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch index 540ba4a63..540ba4a63 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/thread_stub.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/thread_stub.patch | |||
diff --git a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch index e7b988faf..e7b988faf 100644 --- a/meta-oe/recipes-support/openldap/openldap-2.4.39/use-urandom.patch +++ b/meta-oe/recipes-support/openldap/openldap-2.4.40/use-urandom.patch | |||
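--- a/meta-oe/recipes-support/openldap/openldap_2.4.39.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.40.bb
@@ -19,16 +19,16 @@ LDAP_VER = "${@'.'.join(d.getVar('PV',1).split('.')[0:2])}"
 SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
 file://openldap-m4-pthread.patch \
 file://kill-icu.patch \
-file://gnutls-Avoid-use-of-deprecated-function.patch \
 file://openldap-2.4.28-gnutls-gcrypt.patch \
-file://ITS-7723-fix-reference-counting.patch \
 file://use-urandom.patch \
 file://initscript \
 file://slapd.service \
 file://thread_stub.patch \
+file://0001-ITS-8027-require-non-empty-AttributeList.patch \
+file://0001-ITS-8046-fix-vrFilter_free.patch \
 "
-SRC_URI[md5sum] = "b0d5ee4b252c841dec6b332d679cf943"
-SRC_URI[sha256sum] = "8267c87347103fef56b783b24877c0feda1063d3cb85d070e503d076584bf8a7"
+SRC_URI[md5sum] = "423c1f23d2a0cb96b3e9baf7e9d7dda7"
+SRC_URI[sha256sum] = "d12611a5c25b6499293c2bb7b435dc2b174db73e83f5a8cb7e34f2ce5fa6dadb"
 
 DEPENDS = "util-linux groff-native"
 
@@ -53,7 +53,7 @@ EXTRA_OECONF += "--with-yielding-select=yes"
 EXTRA_OECONF += "--enable-dynamic"
 
 PACKAGECONFIG ??= "gnutls modules \
-bdb hdb ldap meta monitor null passwd shell proxycache dnssrv \
+ldap meta monitor null passwd shell proxycache dnssrv \
 "
 #--with-tls with TLS/SSL support auto|openssl|gnutls [auto]
 PACKAGECONFIG[gnutls] = "--with-tls=gnutls,,gnutls libgcrypt"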
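Review bot: With `bdb hdb` removed from the default `PACKAGECONFIG` in the second hunk, the visible list names no replacement on-disk backend (no `mdb` entry appears), and the recipe itself gives no reason for the change. An image that upgrades with an existing bdb/hdb database would presumably be unable to load it, so the migration need should be stated; if the recipe defines an mdb option outside these hunks, consider adding it to the default. The licence rationale exists only in the commit message; a comment above the assignment such as `# bdb/hdb off by default: BerkeleyDB 6.0.20+ licence is incompatible; add them to PACKAGECONFIG to re-enable` would keep it next to the setting.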