2018-12-20 18:54:09 by Adam Ciarcinski | Files touched by this commit (8) | |
Log message:
openldap: updated to 2.4.47
OpenLDAP 2.4.47:
Added slapd-sock DN qualifier for subtrees to be processed
Added slapd-sock ability to send extended operations to external listeners
Fixed liblber to avoid incremental access to user-supplied bv in dupbv
Fixed libldap dn to domain parsing with bad input
Fixed slapd slapcat to correctly honor -g option
Fixed slapd to correctly handle NO_SUCH_OBJECT with dynamic groups
Fixed slapd to check status of rdnNormalize
Fixed slapd cn=config when modifying slapo-syncprov config
Fixed slapd sasl authz-policy "all" behavior
Fixed slapd sasl minor typo
Fixed slapd to correctly hide hidden DBs in the rootDSE
Fixed slapd domainScope control to match Microsoft specification
Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges
Fixed slapo-accesslog deadlock during cleanup
Fixed slapo-memberof cn=config modifications
Fixed slapo-ppolicy with multimaster replication
Fixed slapo-syncprov with NULL modlist
Build Environment
Added slapd reproducible build support
Fixed missing includes with OpenSSL 1.0.2
Contrib
Fixed slapo-pbkdf2 hash generation
Documentation
admin24 fixed minor typo
|
2017-06-28 11:11:39 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
SunOS requires -D_POSIX_PTHREAD_SEMANTICS for sigwait()
|
2017-06-02 10:29:57 by Adam Ciarcinski | Files touched by this commit (14) | |
Log message:
OpenLDAP 2.4.45 Release (2017/06/01)
Added slapd support for OpenSSL 1.1.0 series (ITS-8353, ITS-8533, ITS-8634)
Fixed libldap to fail ldap_result if the handle is already bad (ITS-8585)
Fixed libldap to expose error if user specified CA doesn't exist (ITS-8529)
Fixed libldap handling of Diffie-Hellman parameters (ITS-7506)
Fixed libldap GnuTLS use after free (ITS-8385)
Fixed libldap SASL initialization (ITS-8648)
Fixed slapd bconfig rDN escape handling (ITS-8574)
Fixed slapd segfault with invalid hostname (ITS-8631)
Fixed slapd sasl SEGV rebind in same session (ITS-8568)
Fixed slapd syncrepl filter handling (ITS-8413)
Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS-8432)
Fixed slapd callback struct so older modules without writewait should function.
Custom modules may need to be updated for sc_writewait \
callback (ITS-8435)
Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS-8576)
Fixed slapd-mdb so it passes ITS6794 regression test (ITS-6794)
Fixed slapd-mdb double free with size zero paged result (ITS-8655)
Fixed slapd-meta uninitialized diagnostic message (ITS-8442)
Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS-8423)
Fixed slapo-accesslog with multiple modifications to the same attribute (ITS-6545)
Fixed slapo-relay to correctly initialize sc_writewait (ITS-8428)
Fixed slapo-sssvlv double free (ITS-8592)
Fixed slapo-unique with empty modifications (ITS-8266)
Build Environment
Added test065 for proxyauthz (ITS-8571)
Fix test008 to be portable (ITS-8414)
Fix test064 to wait for slapd to start (ITS-8644)
Fix its4336 regression test (ITS-8534)
Fix its4337 regression test (ITS-8535)
Fix regression tests to execute on all backends (ITS-8539)
Contrib
Added slapo-autogroup(5) man page (ITS-8569)
Added passwd missing conversion scripts for apr1 (ITS-6826)
Fixed contrib modules where the writewait callback was not correctly \
initialized (ITS-8435)
Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525)
Documentation
admin24 fixed tls_cipher_suite bindconf option (ITS-8099)
admin24 fixed typo cn=config to be slapd.d (ITS-8449)
admin24 fixed slapo-syncprov information to be curent (ITS-8253)
admin24 fixed typo in access control docs (ITS-7341, ITS-8391)
admin24 fixed minor typo in tuning guide (ITS-8499)
admin24 fixed information about the limits option (ITS-7700)
admin24 fixed missing options for syncrepl configuration (ITS-7700)
admin24 fixed accesslog documentation to note it should not be replicated \
(ITS-8344)
Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS-7177)
Fixed ldapsearch(1) information on the V[V] flag behavior (ITS-7177, ITS-6339)
Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for \
refreshAndPersist (ITS-8538)
Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS-8635)
Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS-8123)
Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS-8565)
Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS-8613)
Fixed slapo-syncprov(5) documentation to be current (ITS-8253)
Fixed slapadd(8) manpage to note slapd-mdb (ITS-8215)
Fixed various minor grammar issues in the man pages (ITS-8544)
Fixed various typos (ITS-8587)
|
2016-12-13 11:38:06 by Havard Eidnes | Files touched by this commit (5) |
Log message:
Apply fix from https://bugzilla.redhat.com/show_bug.cgi?id=1238322
Incorrect multi-keyword mode cipherstring parsing.
Fixes CVE-2015-3276.
Submitted upstream as ITS#8543, it apparently wasn't already(!)
http://www.openldap.org/its/index.cgi/Incoming?id=8543
Bump PKGREVISION for both openldap, openldap-server and openldap-client
(to be on the safe side...)
|
2016-07-02 23:03:08 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
Expand more variables for SMF manifest. Bump PKGREVISION.
|
2016-06-17 15:56:53 by Jonathan Perkin | Files touched by this commit (3) |
Log message:
Add SMF manifest. Move rc.d script to openldap-server files directory
for consistency and avoid redundant FILESDIR shared between packages.
|
2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) |
Log message:
Bump PKGREVISION for security/openssl ABI bump.
|
2015-12-02 18:04:57 by Adam Ciarcinski | Files touched by this commit (5) |
Log message:
OpenLDAP 2.4.43 Release (2015/11/30)
Fixed liblber remove obsolete assert (ITS-8240, ITS-8301)
Fixed libldap file URLs on windows (ITS-8273)
Fixed libldap microsecond timer for windows (ITS-8295)
Fixed slap tools minor one time memory leak (ITS-8082)
Fixed slapd to avoid redundant processing of abandon ops (ITS-8232)
Fixed slapd syncrepl segv when present list is NULL (ITS-8231, ITS-8042)
Fixed slapd segfault with invalid SASL URI (ITS-8218)
Fixed slapd configuration parser with unbalanced quotes (ITS-8233)
Fixed slapd syncrepl check with config db on windows (ITS-8277)
Fixed slapd with mod Increment and inherited attribute type (ITS-8289)
Fixed slapd-ldap SEGV after failed retry (ITS-8173)
Fixed slapd-ldap to skip client controls in ldap_back_entry_get (ITS-8244)
Fixed slapd-null to have an option to return a search entry (ITS-8249)
Fixed slapd-relay to correctly handle quoted options (ITS-8284)
Fixed slapo-accesslog delta-sync MMR with interrupted refresh phase (ITS-8281)
Fixed slapo-dds segfault when using slapo-memberof (ITS-8133)
Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes (ITS-8185)
Fixed slapo-ppolicy to release entry on failure (ITS-7537)
Fixed slapo-ppolicy to fall back to default policy if there is a parsing error \
(ITS-8234)
Fixed slapo-syncprov with interrupted refresh phase (ITS-8281)
Fixed slapo-refint with subtree renames (ITS-8220)
Fixed slapo-rwm missing olcDropUnrequested attribute (ITS-7889)
Fixed slapo-rwm parsing to avoid double-escaping rewrite rules (ITS-7964)
Build Environment
Fixed ldif-filter option parsing (ITS-8292)
Fixed slapd-tester EOL handling in test output for windows (ITS-8280)
Fixed slapd-tester executable suffix for windows (ITS-8216)
Fixed test061 timing issues (ITS-8297)
Contrib
Added libnettle support to pw-pbkdf2 (ITS-8198)
Fixed smbk5pwd compiler warnings with libnettle (ITS-8235)
Fixed passwd symbol collisions with other crypto libraries (ITS-8294)
Documentation
Updated guide to reflect changes to how TLS is handled with syncrepl
|
2015-09-14 18:32:27 by Emmanuel Dreyfus | Files touched by this commit (4) |
Log message:
Add support for ECDH, from upstream
After the recent logjam attack, longer DH parameter size have been advised.
Unfortunately, this comes with a high computational cost. ECDH is a good
alternative to acheive forward secrecy with lower CPU Loads.
This patch is a backport from upstream ECDH umplementation. ECDH is
enabled by speciying a curve name through the TLSECName directive.
Valid curve names can be obtaines by openssl ecparam -list_curves
Advised usage for a forward-secrecy only setup wiht only ECDH:
TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
If backward compatibility with older clients is required:
TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSECName prime256v1
Backward compatible flavor with more forward secrecy, at
the expense of using costly DH. dh2048.pem is obtained using openssl
dhparam 2048 > /etc/openssl/certs/dh2048.pem
TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL
TLSDHParamFile /etc/openssl/certs/dh2048.pem
TLSECName prime256v1
|
2015-09-07 14:02:07 by Jonathan Perkin | Files touched by this commit (29) |
Log message:
Now that _STRIPFLAG_INSTALL is disabled by default on Darwin, remove manual
settings of INSTALL_UNSTRIPPED=yes for Darwin in individual packages.
|