diff --git a/SOURCES/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch b/SOURCES/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch similarity index 98% rename from SOURCES/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch rename to SOURCES/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch index 40dba66..62f2693 100644 --- a/SOURCES/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch +++ b/SOURCES/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch @@ -1,4 +1,4 @@ -From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001 +From 9319d5b022918f14cacb00e3faef85a6ab730a26 Mon Sep 17 00:00:00 2001 From: Simon Pichugin Date: Tue, 27 Feb 2024 16:30:47 -0800 Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine @@ -79,5 +79,5 @@ index d28a39bf7..10a8cc577 100644 slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n"); disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO); -- -2.43.0 +2.45.0 diff --git a/SOURCES/0006-CVE-2024-2199.patch b/SOURCES/0006-CVE-2024-2199.patch new file mode 100644 index 0000000..26ce84d --- /dev/null +++ b/SOURCES/0006-CVE-2024-2199.patch @@ -0,0 +1,108 @@ +From 016a2b6bd3e27cbff36609824a75b020dfd24823 Mon Sep 17 00:00:00 2001 +From: James Chapman +Date: Wed, 1 May 2024 15:01:33 +0100 +Subject: [PATCH] CVE-2024-2199 + +--- + .../tests/suites/password/password_test.py | 56 +++++++++++++++++++ + ldap/servers/slapd/modify.c | 8 ++- + 2 files changed, 62 insertions(+), 2 deletions(-) + +diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py +index 38079476a..b3ff08904 100644 +--- a/dirsrvtests/tests/suites/password/password_test.py ++++ b/dirsrvtests/tests/suites/password/password_test.py +@@ -65,6 +65,62 @@ def test_password_delete_specific_password(topology_st): + log.info('test_password_delete_specific_password: PASSED') + + ++def test_password_modify_non_utf8(topology_st): ++ """Attempt a modify of the userPassword attribute with ++ an invalid non utf8 value ++ ++ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36 ++ :setup: Standalone instance ++ :steps: ++ 1. Add a user if it doesnt exist and set its password ++ 2. Verify password with a bind ++ 3. Modify userPassword attr with invalid value ++ 4. Attempt a bind with invalid password value ++ 5. Verify original password with a bind ++ :expectedresults: ++ 1. The user with userPassword should be added successfully ++ 2. Operation should be successful ++ 3. Server returns ldap.UNWILLING_TO_PERFORM ++ 4. Server returns ldap.INVALID_CREDENTIALS ++ 5. Operation should be successful ++ """ ++ ++ log.info('Running test_password_modify_non_utf8...') ++ ++ # Create user and set password ++ standalone = topology_st.standalone ++ users = UserAccounts(standalone, DEFAULT_SUFFIX) ++ if not users.exists(TEST_USER_PROPERTIES['uid'][0]): ++ user = users.create(properties=TEST_USER_PROPERTIES) ++ else: ++ user = users.get(TEST_USER_PROPERTIES['uid'][0]) ++ user.set('userpassword', PASSWORD) ++ ++ # Verify password ++ try: ++ user.bind(PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc']) ++ assert False ++ ++ # Modify userPassword with an invalid value ++ password = b'tes\x82t-password' # A non UTF-8 encoded password ++ with pytest.raises(ldap.UNWILLING_TO_PERFORM): ++ user.replace('userpassword', password) ++ ++ # Verify a bind fails with invalid pasword ++ with pytest.raises(ldap.INVALID_CREDENTIALS): ++ user.bind(password) ++ ++ # Verify we can still bind with original password ++ try: ++ user.bind(PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc']) ++ assert False ++ ++ log.info('test_password_modify_non_utf8: PASSED') ++ + if __name__ == '__main__': + # Run isolated + # -s for DEBUG mode +diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c +index 5ca78539c..669bb104c 100644 +--- a/ldap/servers/slapd/modify.c ++++ b/ldap/servers/slapd/modify.c +@@ -765,8 +765,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) + * flagged - leave mod attributes alone */ + if (!repl_op && !skip_modified_attrs && lastmod) { + modify_update_last_modified_attr(pb, &smods); ++ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods)); + } + ++ + if (0 == slapi_mods_get_num_mods(&smods)) { + /* nothing to do - no mods - this is not an error - just + send back LDAP_SUCCESS */ +@@ -933,8 +935,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) + + /* encode password */ + if (pw_encodevals_ext(pb, sdn, va)) { +- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e)); +- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL); ++ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, " ++ "check value is utf8 string.\n", slapi_entry_get_dn_const(e)); ++ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, " ++ "check value is utf8 string.\n", 0, NULL); + valuearray_free(&va); + goto free_and_return; + } +-- +2.45.0 + diff --git a/SOURCES/0007-CVE-2024-3657.patch b/SOURCES/0007-CVE-2024-3657.patch new file mode 100644 index 0000000..722e51c --- /dev/null +++ b/SOURCES/0007-CVE-2024-3657.patch @@ -0,0 +1,213 @@ +From d5bbe52fbe84a7d3b5938bf82d5c4af15061a8e2 Mon Sep 17 00:00:00 2001 +From: Pierre Rogier +Date: Wed, 17 Apr 2024 18:18:04 +0200 +Subject: [PATCH] CVE-2024-3657 + +--- + .../tests/suites/filter/large_filter_test.py | 34 +++++- + ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++-------- + 2 files changed, 92 insertions(+), 53 deletions(-) + +diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py +index ecc7bf979..40526bb16 100644 +--- a/dirsrvtests/tests/suites/filter/large_filter_test.py ++++ b/dirsrvtests/tests/suites/filter/large_filter_test.py +@@ -13,19 +13,29 @@ verify and testing Filter from a search + + import os + import pytest ++import ldap + +-from lib389._constants import PW_DM ++from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog + from lib389.topologies import topology_st as topo + from lib389.idm.user import UserAccounts, UserAccount + from lib389.idm.account import Accounts + from lib389.backend import Backends + from lib389.idm.domain import Domain ++from lib389.utils import get_ldapurl_from_serverid + + SUFFIX = 'dc=anuj,dc=com' + + pytestmark = pytest.mark.tier1 + + ++def open_new_ldapi_conn(dsinstance): ++ ldapurl, certdir = get_ldapurl_from_serverid(dsinstance) ++ assert 'ldapi://' in ldapurl ++ conn = ldap.initialize(ldapurl) ++ conn.sasl_interactive_bind_s("", ldap.sasl.external()) ++ return conn ++ ++ + @pytest.fixture(scope="module") + def _create_entries(request, topo): + """ +@@ -160,6 +170,28 @@ def test_large_filter(topo, _create_entries, real_value): + assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3 + + ++def test_long_filter_value(topo): ++ """Exercise large eq filter with dn syntax attributes ++ ++ :id: b069ef72-fcc3-11ee-981c-482ae39447e5 ++ :setup: Standalone ++ :steps: ++ 1. Try to pass filter rules as per the condition. ++ :expectedresults: ++ 1. Pass ++ """ ++ inst = topo.standalone ++ conn = open_new_ldapi_conn(inst.serverid) ++ inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER)) ++ filter_value = "a\x1Edmin" * 1025 ++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})') ++ filter_value = "aAdmin" * 1025 ++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})') ++ filter_value = "*" ++ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})') ++ inst.config.loglevel(vals=(ErrorLog.DEFAULT,)) ++ ++ + if __name__ == '__main__': + CURRENT_FILE = os.path.realpath(__file__) + pytest.main("-s -v %s" % CURRENT_FILE) +diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c +index 410db23d1..30fa09ebb 100644 +--- a/ldap/servers/slapd/back-ldbm/index.c ++++ b/ldap/servers/slapd/back-ldbm/index.c +@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle; + #define INDEX_BUFFER_FLAG_SERIALIZE 1 + #define INDEX_BUFFER_FLAG_STATS 2 + ++/* ++ * space needed to encode a byte: ++ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx ++ * 0x22 and 0x5C requires 2 bytes: \" and \\ ++ * other requires 1 byte: c ++ */ ++static char encode_size[] = { ++ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, ++ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, ++ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++}; ++ ++ + /* Index buffering functions */ + + static int +@@ -799,65 +825,46 @@ index_add_mods( + + /* + * Convert a 'struct berval' into a displayable ASCII string ++ * returns the printable string + */ +- +-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"') +- + const char * + encode(const struct berval *data, char buf[BUFSIZ]) + { +- char *s; +- char *last; +- if (data == NULL || data->bv_len == 0) +- return ""; +- last = data->bv_val + data->bv_len - 1; +- for (s = data->bv_val; s < last; ++s) { +- if (SPECIAL(*s)) { +- char *first = data->bv_val; +- char *bufNext = buf; +- size_t bufSpace = BUFSIZ - 4; +- while (1) { +- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */ +- if (bufSpace < (size_t)(s - first)) +- s = first + bufSpace - 1; +- if (s != first) { +- memcpy(bufNext, first, s - first); +- bufNext += (s - first); +- bufSpace -= (s - first); +- } +- do { +- if (bufSpace) { +- *bufNext++ = '\\'; +- --bufSpace; +- } +- if (bufSpace < 2) { +- memcpy(bufNext, "..", 2); +- bufNext += 2; +- goto bail; +- } +- if (*s == '\\' || *s == '"') { +- *bufNext++ = *s; +- --bufSpace; +- } else { +- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s); +- bufNext += 2; +- bufSpace -= 2; +- } +- } while (++s <= last && SPECIAL(*s)); +- if (s > last) +- break; +- first = s; +- while (!SPECIAL(*s) && s <= last) +- ++s; +- } +- bail: +- *bufNext = '\0'; +- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */ ++ if (!data || !data->bv_val) { ++ strcpy(buf, ""); ++ return buf; ++ } ++ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */ ++ char *ptout = buf; ++ unsigned char *ptin = (unsigned char*) data->bv_val; ++ unsigned char *endptin = ptin+data->bv_len; ++ ++ while (ptin < endptin) { ++ if (ptout >= endbuff) { ++ /* ++ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be ++ * truncated anyway. So there is no real interrest to test if the original ++ * data contains no special characters and return it as is. ++ */ ++ strcpy(endbuff, "..."); + return buf; + } ++ switch (encode_size[*ptin]) { ++ case 1: ++ *ptout++ = *ptin++; ++ break; ++ case 2: ++ *ptout++ = '\\'; ++ *ptout++ = *ptin++; ++ break; ++ case 3: ++ sprintf(ptout, "\\%02x", *ptin++); ++ ptout += 3; ++ break; ++ } + } +- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */ +- return data->bv_val; ++ *ptout = 0; ++ return buf; + } + + static const char * +-- +2.45.0 + diff --git a/SOURCES/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch b/SOURCES/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch new file mode 100644 index 0000000..cd2f206 --- /dev/null +++ b/SOURCES/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch @@ -0,0 +1,143 @@ +From 6e5f03d5872129963106024f53765234a282406c Mon Sep 17 00:00:00 2001 +From: James Chapman +Date: Fri, 16 Feb 2024 11:13:16 +0000 +Subject: [PATCH] Issue 6096 - Improve connection timeout error logging (#6097) + +Bug description: When a paged result search is run with a time limit, +if the time limit is exceed the server closes the connection with +closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message +is incorrect as the reason the connection has been closed was because +the specified time limit on a paged result search has been exceeded. + +Fix description: Correct error message + +Relates: https://github.com/389ds/389-ds-base/issues/6096 + +Reviewed by: @tbordaz (Thank you) +--- + ldap/admin/src/logconv.pl | 24 ++++++++++++++++++- + ldap/servers/slapd/daemon.c | 4 ++-- + ldap/servers/slapd/disconnect_error_strings.h | 1 + + ldap/servers/slapd/disconnect_errors.h | 2 +- + 4 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl +index 7698c383a..2a933c4a3 100755 +--- a/ldap/admin/src/logconv.pl ++++ b/ldap/admin/src/logconv.pl +@@ -267,7 +267,7 @@ my $optimeAvg = 0; + my %cipher = (); + my @removefiles = (); + +-my @conncodes = qw(A1 B1 B4 T1 T2 B2 B3 R1 P1 P2 U1); ++my @conncodes = qw(A1 B1 B4 T1 T2 T3 B2 B3 R1 P1 P2 U1); + my %conn = (); + map {$conn{$_} = $_} @conncodes; + +@@ -355,6 +355,7 @@ $connmsg{"B1"} = "Bad Ber Tag Encountered"; + $connmsg{"B4"} = "Server failed to flush data (response) back to Client"; + $connmsg{"T1"} = "Idle Timeout Exceeded"; + $connmsg{"T2"} = "IO Block Timeout Exceeded or NTSSL Timeout"; ++$connmsg{"T3"} = "Paged Search Time Limit Exceeded"; + $connmsg{"B2"} = "Ber Too Big"; + $connmsg{"B3"} = "Ber Peek"; + $connmsg{"R1"} = "Revents"; +@@ -1723,6 +1724,10 @@ if ($usage =~ /j/i || $verb eq "yes"){ + print "\n $recCount. You have some coonections that are being closed by the ioblocktimeout setting. You may want to increase the ioblocktimeout.\n"; + $recCount++; + } ++ if (defined($conncount->{"T3"}) and $conncount->{"T3"} > 0){ ++ print "\n $recCount. You have some connections that are being closed because a paged result search limit has been exceeded. You may want to increase the search time limit.\n"; ++ $recCount++; ++ } + # compare binds to unbinds, if the difference is more than 30% of the binds, then report a issue + if (($bindCount - $unbindCount) > ($bindCount*.3)){ + print "\n $recCount. You have a significant difference between binds and unbinds. You may want to investigate this difference.\n"; +@@ -2366,6 +2371,7 @@ sub parseLineNormal + $brokenPipeCount++; + if (m/- T1/){ $hashes->{rc}->{"T1"}++; } + elsif (m/- T2/){ $hashes->{rc}->{"T2"}++; } ++ elsif (m/- T3/){ $hashes->{rc}->{"T3"}++; } + elsif (m/- A1/){ $hashes->{rc}->{"A1"}++; } + elsif (m/- B1/){ $hashes->{rc}->{"B1"}++; } + elsif (m/- B4/){ $hashes->{rc}->{"B4"}++; } +@@ -2381,6 +2387,7 @@ sub parseLineNormal + $connResetByPeerCount++; + if (m/- T1/){ $hashes->{src}->{"T1"}++; } + elsif (m/- T2/){ $hashes->{src}->{"T2"}++; } ++ elsif (m/- T3/){ $hashes->{src}->{"T3"}++; } + elsif (m/- A1/){ $hashes->{src}->{"A1"}++; } + elsif (m/- B1/){ $hashes->{src}->{"B1"}++; } + elsif (m/- B4/){ $hashes->{src}->{"B4"}++; } +@@ -2396,6 +2403,7 @@ sub parseLineNormal + $resourceUnavailCount++; + if (m/- T1/){ $hashes->{rsrc}->{"T1"}++; } + elsif (m/- T2/){ $hashes->{rsrc}->{"T2"}++; } ++ elsif (m/- T3/){ $hashes->{rsrc}->{"T3"}++; } + elsif (m/- A1/){ $hashes->{rsrc}->{"A1"}++; } + elsif (m/- B1/){ $hashes->{rsrc}->{"B1"}++; } + elsif (m/- B4/){ $hashes->{rsrc}->{"B4"}++; } +@@ -2494,6 +2502,20 @@ sub parseLineNormal + } + } + } ++ if (m/- T3/){ ++ if ($_ =~ /conn= *([0-9A-Z]+)/i) { ++ $exc = "no"; ++ $ip = getIPfromConn($1, $serverRestartCount); ++ for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){ ++ if ($ip eq $excludeIP[$xxx]){$exc = "yes";} ++ } ++ if ($exc ne "yes"){ ++ $hashes->{T3}->{$ip}++; ++ $hashes->{conncount}->{"T3"}++; ++ $connCodeCount++; ++ } ++ } ++ } + if (m/- B2/){ + if ($_ =~ /conn= *([0-9A-Z]+)/i) { + $exc = "no"; +diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c +index 5a48aa66f..bb80dae36 100644 +--- a/ldap/servers/slapd/daemon.c ++++ b/ldap/servers/slapd/daemon.c +@@ -1599,9 +1599,9 @@ setup_pr_read_pds(Connection_Table *ct) + int add_fd = 1; + /* check timeout for PAGED RESULTS */ + if (pagedresults_is_timedout_nolock(c)) { +- /* Exceeded the timelimit; disconnect the client */ ++ /* Exceeded the paged search timelimit; disconnect the client */ + disconnect_server_nomutex(c, c->c_connid, -1, +- SLAPD_DISCONNECT_IO_TIMEOUT, ++ SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, + 0); + connection_table_move_connection_out_of_active_list(ct, + c); +diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h +index f7a31d728..c2d9e283b 100644 +--- a/ldap/servers/slapd/disconnect_error_strings.h ++++ b/ldap/servers/slapd/disconnect_error_strings.h +@@ -27,6 +27,7 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4") + ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1") + ER2(SLAPD_DISCONNECT_REVENTS, "R1") + ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2") ++ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3") + ER2(SLAPD_DISCONNECT_PLUGIN, "P1") + ER2(SLAPD_DISCONNECT_UNBIND, "U1") + ER2(SLAPD_DISCONNECT_POLL, "P2") +diff --git a/ldap/servers/slapd/disconnect_errors.h b/ldap/servers/slapd/disconnect_errors.h +index a0484f1c2..e118f674c 100644 +--- a/ldap/servers/slapd/disconnect_errors.h ++++ b/ldap/servers/slapd/disconnect_errors.h +@@ -35,6 +35,6 @@ + #define SLAPD_DISCONNECT_SASL_FAIL SLAPD_DISCONNECT_ERROR_BASE + 12 + #define SLAPD_DISCONNECT_PROXY_INVALID_HEADER SLAPD_DISCONNECT_ERROR_BASE + 13 + #define SLAPD_DISCONNECT_PROXY_UNKNOWN SLAPD_DISCONNECT_ERROR_BASE + 14 +- ++#define SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT SLAPD_DISCONNECT_ERROR_BASE + 15 + + #endif /* __DISCONNECT_ERRORS_H_ */ +-- +2.45.0 + diff --git a/SOURCES/0009-Issue-6103-New-connection-timeout-error-breaks-error.patch b/SOURCES/0009-Issue-6103-New-connection-timeout-error-breaks-error.patch new file mode 100644 index 0000000..4d577ec --- /dev/null +++ b/SOURCES/0009-Issue-6103-New-connection-timeout-error-breaks-error.patch @@ -0,0 +1,44 @@ +From a112394af3a20787755029804684d57a9c3ffa9a Mon Sep 17 00:00:00 2001 +From: James Chapman +Date: Wed, 21 Feb 2024 12:43:03 +0000 +Subject: [PATCH] Issue 6103 - New connection timeout error breaks errormap + (#6104) + +Bug description: A recent addition to the connection disconnect error +messaging, conflicts with how errormap.c maps error codes/strings. + +Fix description: errormap expects error codes/strings to be in ascending +order. Moved the new error code to the bottom of the list. + +Relates: https://github.com/389ds/389-ds-base/issues/6103 + +Reviewed by: @droideck. @progier389 (Thank you) +--- + ldap/servers/slapd/disconnect_error_strings.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h +index c2d9e283b..f603a08ce 100644 +--- a/ldap/servers/slapd/disconnect_error_strings.h ++++ b/ldap/servers/slapd/disconnect_error_strings.h +@@ -14,7 +14,8 @@ + /* disconnect_error_strings.h + * + * Strings describing the errors used in logging the reason a connection +- * was closed. ++ * was closed. Ensure definitions are in the same order as the error codes ++ * defined in disconnect_errors.h + */ + #ifndef __DISCONNECT_ERROR_STRINGS_H_ + #define __DISCONNECT_ERROR_STRINGS_H_ +@@ -35,6 +36,6 @@ ER2(SLAPD_DISCONNECT_NTSSL_TIMEOUT, "T2") + ER2(SLAPD_DISCONNECT_SASL_FAIL, "S1") + ER2(SLAPD_DISCONNECT_PROXY_INVALID_HEADER, "P3") + ER2(SLAPD_DISCONNECT_PROXY_UNKNOWN, "P4") +- ++ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3") + + #endif /* __DISCONNECT_ERROR_STRINGS_H_ */ +-- +2.45.0 + diff --git a/SOURCES/0010-Issue-6103-New-connection-timeout-error-breaks-error.patch b/SOURCES/0010-Issue-6103-New-connection-timeout-error-breaks-error.patch new file mode 100644 index 0000000..895545e --- /dev/null +++ b/SOURCES/0010-Issue-6103-New-connection-timeout-error-breaks-error.patch @@ -0,0 +1,30 @@ +From edd9abc8901604dde1d739d87ca2906734d53dd3 Mon Sep 17 00:00:00 2001 +From: Viktor Ashirov +Date: Thu, 13 Jun 2024 13:35:09 +0200 +Subject: [PATCH] Issue 6103 - New connection timeout error breaks errormap + +Description: +Remove duplicate SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT error code. + +Fixes: https://github.com/389ds/389-ds-base/issues/6103 + +Reviewed by: @tbordaz (Thanks!) +--- + ldap/servers/slapd/disconnect_error_strings.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h +index f603a08ce..d49cc79a2 100644 +--- a/ldap/servers/slapd/disconnect_error_strings.h ++++ b/ldap/servers/slapd/disconnect_error_strings.h +@@ -28,7 +28,6 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4") + ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1") + ER2(SLAPD_DISCONNECT_REVENTS, "R1") + ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2") +-ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3") + ER2(SLAPD_DISCONNECT_PLUGIN, "P1") + ER2(SLAPD_DISCONNECT_UNBIND, "U1") + ER2(SLAPD_DISCONNECT_POLL, "P2") +-- +2.45.0 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 903fcf4..189cec0 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -48,7 +48,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base Version: 1.4.3.39 -Release: %{?relprefix}3%{?prerel}%{?dist} +Release: %{?relprefix}7%{?prerel}%{?dist} License: GPLv3+ and (ASL 2.0 or MIT) URL: https://www.port389.org Group: System Environment/Daemons @@ -297,7 +297,12 @@ Patch01: 0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc Patch02: 0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch Patch03: 0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch Patch04: 0004-Issue-5547-automember-plugin-improvements.patch -Patch05: 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch +Patch05: 0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch +Patch06: 0006-CVE-2024-2199.patch +Patch07: 0007-CVE-2024-3657.patch +Patch08: 0008-Issue-6096-Improve-connection-timeout-error-logging-.patch +Patch09: 0009-Issue-6103-New-connection-timeout-error-breaks-error.patch +Patch10: 0010-Issue-6103-New-connection-timeout-error-breaks-error.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -919,6 +924,23 @@ exit 0 %doc README.md %changelog +* Thu Jun 13 2024 Viktor Ashirov - 1.4.3.39-7 +- Bump version to 1.4.3.39-7 +- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z] + +* Thu Jun 13 2024 Viktor Ashirov - 1.4.3.39-6 +- Bump version to 1.4.3.39-6 +- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z] + +* Tue Jun 11 2024 Viktor Ashirov - 1.4.3.39-5 +- Bump version to 1.4.3.39-5 +- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z] + +* Thu Jun 06 2024 James Chapman - 1.4.3.39-4 +- Bump version to 1.4.3.39-4 +- Resolves: RHEL-34818 - redhat-ds:11/389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c +- Resolves: RHEL-34824 - redhat-ds:11/389-ds-base: potential denial of service via specially crafted kerberos AS-REQ request + * Thu Mar 14 2024 Simon Pichugin - 1.4.3.39-3 - Bump version to 1.4.3.39-3 - Resolves: RHEL-19240 - RFE Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix