diff --git a/389-ds-base-1.4.3.20.tar.bz2 b/389-ds-base-1.4.3.20.tar.bz2 deleted file mode 100644 index 158ada2..0000000 Binary files a/389-ds-base-1.4.3.20.tar.bz2 and /dev/null differ diff --git a/389-ds-base-2.3.2.tar.bz2 b/389-ds-base-2.3.2.tar.bz2 new file mode 100644 index 0000000..d53fe47 Binary files /dev/null and b/389-ds-base-2.3.2.tar.bz2 differ diff --git a/389-ds-base.spec b/389-ds-base.spec index 3421bb9..363a4db 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -5,19 +5,13 @@ ExcludeArch: i686 Name: 389-ds-base Summary: Base 389 Directory Server -Version: 1.4.3.20 +Version: 2.3.2 Release: 1 License: GPLv3+ URL: https://www.port389.org Source0: https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2 Source1: 389-ds-base-git.sh Source2: 389-ds-base-devel.README -Source3: https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jemalloc-5.2.1.tar.bz2 - -Patch0: CVE-2021-3652.patch -Patch1: CVE-2021-3514.patch -# https://github.com/389ds/389-ds-base/commit/5a18aeb49c357a16c138d37a8251d73d8ed35319 -Patch2: Fix-attributeError-type-object-build_manpages.patch BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel @@ -29,6 +23,7 @@ BuildRequires: python%{python3_pkgversion}-pyasn1-modules python%{python3_pkgver BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversion}-argparse-manpage BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel +BuildRequires: lmdb-devel json-c-devel cargo Requires: 389-ds-base-libs = %{version}-%{release} Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release} Requires: policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion} 
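Review bot: Patch0 and Patch1, which carried the fixes for CVE-2021-3652 and CVE-2021-3514, are dropped in the first spec hunk with no record of why, so a later audit of this spec cannot tell a deliberate drop from a lost backport. The removed patch files identify them as upstream commits c1926dfc (issue 4817) and 2e5b5260 (issue 4711) from 2021, which predate a 2.3.2 release, so they are presumably part of the new tarball, but that should be stated rather than inferred. A one-line comment where the Patch lines were, e.g. `# CVE-2021-3652 / CVE-2021-3514 fixes are upstream in 2.x (issues 4817, 4711)`, or the same sentence in the %changelog entry, would settle it.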
@@ -47,19 +42,6 @@ Conflicts: svrcore selinux-policy-base < 3.9.8 freeipa-server < 4.0.3 389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration. -%package legacy-tools -Summary: Legacy utilities for 389 Directory Server -Obsoletes: 389-ds-base <= 1.4.0.9 -Requires: 389-ds-base = %{version}-%{release} perl-Socket perl-NetAddr-IP -Requires: perl-Mozilla-LDAP bind-utils -Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) -%global __provides_exclude_from %{_libdir}/dirsrv/perl -%global __requires_exclude perl\\((DSCreate|DSMigration|DSUpdate|DSUtil|Dialog|DialogManager|FileConn|Inf|Migration|Resource|Setup|SetupLog) -%{?perl_default_filter} - -%description legacy-tools -Legacy and deprecated utilities for 389 Directory Server. - %package devel Summary: Development libraries for 389 Directory Server Requires: 389-ds-base-libs = %{version}-%{release} pkgconfig nspr-devel nss-devel >= 3.34 @@ -110,8 +92,6 @@ Documentation for 389 Directory Server. %prep %autosetup -n 389-ds-base-%{version} -p1 -%setup -n 389-ds-base-%{version} -T -D -b 3 - cp %{SOURCE2} README.devel %build @@ -120,11 +100,9 @@ OPENLDAP_FLAG="--with-openldap" %{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"} NSSARGS="--with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3" +RUST_FLAGS="--enable-rust --enable-rust-offline" + LEGACY_FLAGS="--enable-legacy --enable-perl" -cd ../jemalloc-5.2.1 -%configure --libdir=%{_libdir}/dirsrv/lib --bindir=%{_libdir}/dirsrv/bin --enable-prof -%make_build -cd - %define _strict_symbol_defs_build 1 autoreconf -fiv 
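Review bot: Nothing in the main package obsoletes the legacy-tools subpackage that this hunk deletes, so a host with 389-ds-base-legacy-tools-1.4.3.20 installed keeps that orphan, and its `Requires: 389-ds-base = 1.4.3.20-1` then blocks or complicates the upgrade to 2.3.2. Add `Obsoletes: 389-ds-base-legacy-tools < 2.0` alongside the main package's existing Conflicts line so the upgrade retires it cleanly. The deleted block also carried `Obsoletes: 389-ds-base <= 1.4.0.9`; losing that is probably harmless for a 2.x jump, but it is worth a conscious decision rather than a side effect.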
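Review bot: The Rust crates that `--enable-rust-offline` builds against have no RPM-visible identity, so a vulnerable vendored crate is invisible to anything that works from package metadata (dnf, CVE scanners, SBOM tooling); the flag suggests cargo is pointed at sources vendored in the tarball, though configure.ac is not in view here. The usual answer is a `Provides: bundled(crate(NAME)) = VERSION` line per vendored crate, or at minimum a comment next to `RUST_FLAGS=` naming the vendor directory and how it is refreshed on each rebase. Separately, `LEGACY_FLAGS="--enable-legacy --enable-perl"` survives although the legacy-tools package is removed in this same commit; if the 2.x configure no longer recognises those options they are silently ignored, so either drop the variable or confirm it still has an effect.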
@@ -132,7 +110,7 @@ autoreconf -fiv --with-systemdsystemunitdir=%{_unitdir} \ --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \ --with-systemdgroupname=dirsrv.target --libexecdir=%{_libexecdir}/dirsrv \ - $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl + $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl --with-libldap-r=no cd ./src/lib389 %py3_build @@ -164,14 +142,6 @@ install -d $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/dirsrv.target.wants %delete_la -sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/dirsrv/script-templates/template-*.pl - -cd ../jemalloc-5.2.1 -make DESTDIR="$RPM_BUILD_ROOT" install_lib install_bin -cp -pa COPYING ../389-ds-base-%{version}/COPYING.jemalloc -cp -pa README ../389-ds-base-%{version}/README.jemalloc -cd - - cd $RPM_BUILD_ROOT/usr file `find -type f`| grep -w ELF | awk -F":" '{print $1}' | for i in `xargs` do @@ -181,6 +151,8 @@ cd - mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d echo "%{_bindir}/%{name}" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf echo "%{_libdir}/%{name}" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf +echo "%{_libdir}/dirsrv/plugins" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf +echo "%{_libdir}/dirsrv" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf %check if ! make DESTDIR="$RPM_BUILD_ROOT" check; then 
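Review bot: Appending `%{_libdir}/dirsrv/plugins` to ld.so.conf.d puts a directory of server plugins on the system-wide loader search path, and ldconfig records ld.so.conf directories ahead of /lib and /usr/lib in its cache, so any process on the host that resolves a soname matching one of those plugin objects would be handed the plugin instead of the intended library. As far as the spec shows, plugins are loaded by the server from a configured path rather than by soname lookup, so the `%{_libdir}/dirsrv` entry alone should satisfy libslapd and its siblings; I would keep `echo "%{_libdir}/dirsrv" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf` and drop the plugins line. If the plugins entry really is needed because something dlopens a bare filename, that deserves a comment, especially since the ELF fix-up loop just above this hunk (its body is outside the hunk) may already be setting RPATHs that make the global entry unnecessary.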
@@ -216,35 +188,6 @@ fi sysctl --system &> $output; true -%preun -if [ $1 -eq 0 ]; then - rm -rf %{_sysconfdir}/systemd/system/dirsrv.target.wants/* > /dev/null 2>&1 || : -fi - -%postun -/sbin/ldconfig -if [ $1 = 0 ]; then - rm -rf /var/run/dirsrv -fi - -%post snmp -%systemd_post dirsrv-snmp.service - -%preun snmp -%systemd_preun dirsrv-snmp.service dirsrv.target - -%postun snmp -%systemd_postun_with_restart dirsrv-snmp.service - -%post legacy-tools -if [ -n "$DEBUGPOSTTRANS" ] ; then - output=$DEBUGPOSTTRANS - output2=${DEBUGPOSTTRANS}.upgrade -else - output=/dev/null - output2=/dev/null -fi - instances="" ninst=0 @@ -291,14 +234,33 @@ for inst in $instances ; do /bin/systemctl start $inst >> $output 2>&1 || : done +%preun +if [ $1 -eq 0 ]; then + rm -rf %{_sysconfdir}/systemd/system/dirsrv.target.wants/* > /dev/null 2>&1 || : +fi + +%postun +/sbin/ldconfig +if [ $1 = 0 ]; then + rm -rf /var/run/dirsrv +fi + +%post snmp +mkdir -p /run/dirsrv +%systemd_post dirsrv-snmp.service + +%preun snmp +%systemd_preun dirsrv-snmp.service dirsrv.target + +%postun snmp +%systemd_postun_with_restart dirsrv-snmp.service + exit 0 %files -%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.jemalloc -%license COPYING.jemalloc +%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl %{_libdir}/libsvrcore.so.* -%{_libdir}/dirsrv/{libslapd.so.*,libns-dshttpd-*.so,libsds.so.*,libldaputil.so.*,librewriters.so*} -%{_libdir}/dirsrv/lib/libjemalloc.so.2 +%{_libdir}/dirsrv/{libslapd.so.*,libns-dshttpd.so.*,libsds.so.*,libldaputil.so.*,librewriters.so*} %dir %{_sysconfdir}/dirsrv %dir %{_sysconfdir}/dirsrv/schema %config(noreplace)%{_sysconfdir}/dirsrv/schema/*.ldif 
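Review bot: The instance-discovery and restart loop that begins at `instances=""` / `ninst=0` is now the tail of the main `%post` scriptlet (the one ending in `sysctl --system &> $output; true`) rather than the legacy-tools one, because its `%post legacy-tools` header and DEBUGPOSTTRANS setup are deleted while the loop lines stay, so it runs on every install and upgrade of the base package. That is presumably intended, but the deleted block also defined `output2`; if anything in the loop outside this hunk still redirects to `$output2`, that is now an unset variable and the shell will fail the redirect. Either add `output2` to the main %post's DEBUGPOSTTRANS block as well, or confirm the loop only uses `$output`, and record the move with a short comment such as `# instance discovery/restart moved here from the former legacy-tools %post`.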
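Review bot: `mkdir -p /run/dirsrv` in `%post snmp` creates the directory root-owned with the scriptlet's umask, and /run is a tmpfs that is emptied on reboot, so this only lasts until the next boot and says nothing about which user may write there. The spec already has a conditional `--with-tmpfiles-d` configure flag (visible earlier in this diff), so the durable mechanism is a tmpfiles.d entry of the form `d /run/dirsrv MODE USER GROUP -` with the server's user, or `RuntimeDirectory=` in the unit, rather than a one-off mkdir. If the mkdir only papers over a first-start ordering problem for the SNMP agent, a comment saying so would stop the next maintainer from "cleaning it up".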
@@ -310,7 +272,11 @@ exit 0 %{_unitdir} %{_bindir}/{dbscan,ds-replcheck,ds-logpipe.py,ldclt,logconv.pl,pwdhash,readnsstate} %{_sbindir}/ns-slapd +%{_mandir}/man8/ns-slapd.8.gz +%{_sbindir}/openldap_to_ds +%{_mandir}/man8/openldap_to_ds.8.gz %{_libexecdir}/dirsrv/ds_systemd_ask_password_acl +%{_libexecdir}/dirsrv/ds_selinux_restorecon.sh %{_libdir}/dirsrv/python %dir %{_libdir}/dirsrv/plugins %{_libdir}/dirsrv/plugins/*.so @@ -320,35 +286,17 @@ exit 0 %ghost %dir %{_localstatedir}/lock/dirsrv %exclude %{_sbindir}/ldap-agent* %exclude %{_unitdir}/dirsrv-snmp.service -%{_libdir}/dirsrv/lib/ -%{_libdir}/dirsrv/bin/ -%exclude %{_libdir}/dirsrv/bin/{jemalloc-config,jemalloc.sh} -%exclude %{_libdir}/dirsrv/lib/{libjemalloc.a,libjemalloc.so,libjemalloc_pic.a,pkgconfig} %config(noreplace) /etc/ld.so.conf.d/* %files devel %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl +%{_mandir}/man3/* %{_includedir}/svrcore.h %{_includedir}/dirsrv %{_libdir}/libsvrcore.so %{_libdir}/dirsrv/{libslapd.so,libns-dshttpd.so,libsds.so,libldaputil.so} %{_libdir}/pkgconfig/{svrcore.pc,dirsrv.pc,libsds.pc} -%files legacy-tools -%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel -%{_bindir}/{infadd,ldif,migratecred,mmldif,rsearch,repl-monitor,cl-dump} -%config(noreplace)%{_sysconfdir}/dirsrv/config/template-initconfig -%{_sbindir}/{ldif2ldap,bak2db,db2bak,db2index,db2ldif,dbverify,ldif2db,restart-dirsrv} -%{_sbindir}/{start-dirsrv,status-dirsrv,stop-dirsrv,upgradedb,vlvindex} -%{_sbindir}/{monitor,dbmon.sh,dn2rdn,restoreconfig,saveconfig,suffix2instance,upgradednformat} -%{_libexecdir}/dirsrv/{ds_selinux_enabled,ds_selinux_port_query} -%{_datadir}/dirsrv/properties/*.res -%{_datadir}/dirsrv/script-templates -%{_datadir}/dirsrv/updates -%{_bindir}/{repl-monitor.pl,cl-dump.pl,dbgen.pl} -%{_sbindir}/*.pl -%{_libdir}/dirsrv/perl - %files snmp %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl %config(noreplace)%{_sysconfdir}/dirsrv/config/ldap-agent.conf 
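Review bot: The man pages added to the main `%files` (`%{_mandir}/man8/ns-slapd.8.gz`, `%{_mandir}/man8/openldap_to_ds.8.gz`) and `%{_mandir}/man3/*` in `%files devel` are also matched by the `%{_mandir}/*/*` glob that `%files help` still carries, so the same files are packaged in two subpackages. RPM tolerates that when the contents are identical, but it makes the help subpackage's contents depend on where else a page is listed, and rpmlint typically flags it. Either drop the explicit entries, or add matching exclusions under `%files help`, e.g. `%exclude %{_mandir}/man8/ns-slapd.8.gz` and `%exclude %{_mandir}/man3/*`.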
@@ -365,10 +313,13 @@ exit 0 %{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml %files help -%doc README.md README.devel README.jemalloc +%doc README.md README.devel %{_mandir}/*/* %changelog +* Fri Apr 21 2023 wulei - 2.3.2-1 +- Upgrade package to version 2.3.2 + * Fri Aug 05 2022 wangkai - 1.4.3.20-1 - Update to 1.4.3.20 for fix CVE-2020-35518 diff --git a/CVE-2021-3514.patch b/CVE-2021-3514.patch deleted file mode 100644 index 887f5b2..0000000 --- a/CVE-2021-3514.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001 -From: tbordaz -Date: Tue, 27 Apr 2021 09:29:32 +0200 -Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738) - -Bug description: - sync_repl sends back entries identified with a unique - identifier that is 'nsuniqueid'. If 'nsuniqueid' is - missing, then it may crash - -Fix description: - Check a nsuniqueid is available else returns OP_ERR - -relates: https://github.com/389ds/389-ds-base/issues/4711 - -Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!) - -Platforms tested: F33 ---- - ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c -index e64d519e1a..3dacee8cad 100644 ---- a/ldap/servers/plugins/sync/sync_util.c -+++ b/ldap/servers/plugins/sync/sync_util.c -@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co - BerElement *ber; - struct berval *bvp; - char *uuid; -- Slapi_Attr *attr; -- Slapi_Value *val; -+ Slapi_Attr *attr = NULL; -+ Slapi_Value *val = NULL; - - if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) { - return (LDAP_OPERATIONS_ERROR); -@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co - - slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr); - slapi_attr_first_value(attr, &val); -+ if ((attr == NULL) || (val == NULL)) { -+ /* It may happen with entries in special backends -+ * such like cn=config, cn=shema, cn=monitor... -+ */ -+ slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, -+ "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n"); -+ return (LDAP_OPERATIONS_ERROR); -+ } - uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val)); - if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) { - if (cookie) { 
diff --git a/CVE-2021-3652.patch b/CVE-2021-3652.patch
deleted file mode 100644
index 7670873..0000000
--- a/CVE-2021-3652.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001 -From: Firstyear -Date: Fri, 9 Jul 2021 11:53:35 +1000 -Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow - all passwords (#4819) - -Bug Description: Due to mishanding of short dbpwd hashes, the -crypt_r algorithm was misused and was only comparing salts -in some cases, rather than checking the actual content -of the password. - -Fix Description: Stricter checks on dbpwd lengths to ensure -that content passed to crypt_r has at least 2 salt bytes and -1 hash byte, as well as stricter checks on ct_memcmp to ensure -that compared values are the same length, rather than potentially -allowing overruns/short comparisons. - -fixes: https://github.com/389ds/389-ds-base/issues/4817 - -Author: William Brown - -Review by: @mreynolds389 ---- - .../password/pwd_crypt_asterisk_test.py | 50 +++++++++++++++++++ - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 20 +++++--- - 2 files changed, 64 insertions(+), 6 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py - -diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -new file mode 100644 -index 0000000000..d76614db1c ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py -@@ -0,0 +1,50 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2021 William Brown -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. 
-+# --- END COPYRIGHT BLOCK --- -+# -+import ldap -+import pytest -+from lib389.topologies import topology_st -+from lib389.idm.user import UserAccounts -+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD) -+ -+pytestmark = pytest.mark.tier1 -+ -+def test_password_crypt_asterisk_is_rejected(topology_st): -+ """It was reported that {CRYPT}* was allowing all passwords to be -+ valid in the bind process. This checks that we should be rejecting -+ these as they should represent locked accounts. Similar, {CRYPT}! -+ -+ :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3 -+ :setup: Single instance -+ :steps: 1. Set a password hash in with CRYPT and the content * -+ 2. Test a bind -+ 3. Set a password hash in with CRYPT and the content ! -+ 4. Test a bind -+ :expectedresults: -+ 1. Successfully set the values -+ 2. The bind fails -+ 3. Successfully set the values -+ 4. The bind fails -+ """ -+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') -+ topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off') -+ -+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) -+ user = users.create_test_user() -+ -+ user.set('userPassword', "{CRYPT}*") -+ -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -+ user.set('userPassword', "{CRYPT}!") -+ # Attempt to bind with incorrect password. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ badconn = user.bind('badpassword') -+ -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 9031b21996..1b37d41ede 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 
63 => ascii - 64 */ - int - crypt_pw_cmp(const char *userpwd, const char *dbpwd) - { -- int rc; -- char *cp; -+ int rc = -1; -+ char *cp = NULL; -+ size_t dbpwd_len = strlen(dbpwd); - struct crypt_data data; - data.initialized = 0; - -- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -- cp = crypt_r(userpwd, dbpwd, &data); -- if (cp) { -- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); -+ /* -+ * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will -+ * allow any password to bind as we then only compare SALTS. -+ */ -+ if (dbpwd_len >= 3) { -+ /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ -+ cp = crypt_r(userpwd, dbpwd, &data); -+ } -+ /* If these are not the same length, we can not proceed safely with memcmp. */ -+ if (cp && dbpwd_len == strlen(cp)) { -+ rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len); - } else { - rc = -1; - } diff --git a/Fix-attributeError-type-object-build_manpages.patch b/Fix-attributeError-type-object-build_manpages.patch deleted file mode 100644 index 939b58a..0000000 --- a/Fix-attributeError-type-object-build_manpages.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 5a18aeb49c357a16c138d37a8251d73d8ed35319 Mon Sep 17 00:00:00 2001 -From: Viktor Ashirov -Date: Tue, 18 Jan 2022 13:24:53 +0100 -Subject: [PATCH] Issue 5115 - AttributeError: type object 'build_manpages' - has no attribute 'build_manpages' - -Bug Description: -Starting from v2.1, argparse-manpage provides methods build_manpages, -get_build_py_cmd and get_install_cmd in the top-level module. -This breaks installation of lib389 on systems with the newer version -of argparse-manpage. - -Fix Description: -Update setup.py to be aware of the module version and import methods -based on it. - -Fixes: https://github.com/389ds/389-ds-base/issues/5115 - -Reviewed by: @tbordaz, @mreynolds389 (Thanks!) ---- - src/lib389/setup.py | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/lib389/setup.py b/src/lib389/setup.py -index cadec25..5974d2c 100644 ---- a/src/lib389/setup.py -+++ b/src/lib389/setup.py -@@ -14,7 +14,9 @@ - - from setuptools import setup, find_packages - from os import path --from build_manpages import build_manpages -+import build_manpages as bm -+if bm.__version__ < '2.1': -+ from build_manpages import build_manpages as bm - from setuptools.command.build_py import build_py - - here = path.abspath(path.dirname(__file__)) -@@ -89,8 +91,8 @@ setup( - - cmdclass={ - # Dynamically build man pages for cli tools -- 'build_manpages': build_manpages.build_manpages, -- 'build_py': build_manpages.get_build_py_cmd(build_py), -+ 'build_manpages': bm.build_manpages, -+ 'build_py': bm.get_build_py_cmd(build_py), - } - - ) --- -2.27.0 - diff --git a/jemalloc-5.2.1.tar.bz2 b/jemalloc-5.2.1.tar.bz2 deleted file mode 100644 index 75baa3f..0000000 Binary files a/jemalloc-5.2.1.tar.bz2 and /dev/null differ diff --git a/jemalloc.yaml b/jemalloc.yaml deleted file mode 100644 index 32576a6..0000000 --- a/jemalloc.yaml +++ /dev/null @@ -1,4 +0,0 @@ -version_control: github -src_repo: jemalloc/jemalloc -tag_prefix: ^ -seperator: .