This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713. (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream patch to fix scope=onelevel searches wrongly including the search base in results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream patch to fix a crash when a search includes the Deref control with an empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream patch to fix a double free triggered by certain search queries using the Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)

openldap (2.4.40-3) unstable; urgency=medium

  * Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation. Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation. Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation. Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation. Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation. Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation. Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation. Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation. Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation. Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation. Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation. Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation. Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation. Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation. Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation. Thanks to Jorge Barreiro.
  * Update Swedish debconf translation. Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation. Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the templates file.
  * Run debconf-updatepo to refresh PO files.

openldap (2.4.40-2) unstable; urgency=medium

  * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the backup, for example if the active backend doesn't use it. Thanks Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

openldap (2.4.40-1) unstable; urgency=low

  [ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850) (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they might contain other databases. Patch from Kenny Millington. (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same suffix, thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades and the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration. (Closes: #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific attributes. (Closes: #761406)
    - Index some more common search attributes by default. (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification. There does not appear to be any copyrighted text in this file, only ASN.1 assignments and LDAP schema definitions. Fixes a Lintian error on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in slapd-config.5 the fact that changes to olcAuthzRegexp only take effect after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

  [ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356, #706123)

  [ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <a...@artielektronik.com.tr>. (Closes: #661641)

openldap (2.4.39-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

openldap (2.4.39-1) unstable; urgency=low

  [ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

  [ Russ Allbery ]
  * Remove myself from Uploaders.

  [ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him. Thanks for your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess instances in the source, so that we can be forwards-compatible with new ports. Thanks to Colin Watson <cjwat...@ubuntu.com> for the patch. Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the database on upgrade. Closes: #738641.
  [ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile, smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for get-orig-source.
  * source: Add lintian overrides for non-translatable internal templates.

 -- Ryan Tandy <r...@nardis.ca>  Mon, 25 May 2015 19:49:21 -0700

** Changed in: openldap (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1545

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1546

https://bugs.launchpad.net/bugs/1003854

Title:
  Database upgrade/migration fails with nested db directories (lucid to precise)

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Precise:
  Confirmed
Status in openldap package in Debian:
  Fix Released

Bug description:
  Hi,

  I've just performed an upgrade of our LDAP server on Ubuntu 10.04.4 LTS to Ubuntu 12.04 (I acknowledge this upgrade path is not officially supported yet).

  The incompatible database upgrading process in the preinst/postinst files failed in the following scenario.

  We have two suffixes/databases at the following paths:-

  * /var/lib/ldap
  * /var/lib/ldap/accesslog

  The preinst database dumping part of the process worked just fine and created the appropriate LDIF files under /var/backup/slapd-2.4.21-0ubuntu5.7, however the restore failed stating:-

  """
  Loading from /var/backups/slapd-2.4.21-0ubuntu5.7:
  - directory dc=REDACTEDs,dc=co,dc=uk... failed.

  Loading the database from the LDIF dump failed with the following error while running slapadd:
  4fbdfebf olcDbDirectory: value #0: invalid path: No such file or directory
  4fbdfebf config error processing olcDatabase={2}hdb,cn=config: olcDbDirectory: value #0: invalid path: No such file or directory
  slapadd: bad configuration directory!
  """

  This is because when move_incompatible_databases_away() runs it finds the main database first (/var/lib/ldap) and moves all top level entries (find -mindepth 1 -maxdepth 1 ...) into the backup directory and this includes the accesslog subdirectory which then no longer exists. When slapadd runs it checks config specifying that directory and bails with the above error given it is indeed missing.

  I've tested a tentative fix and that's to patch the two find commands (one in is_empty_dir(), one in move_old_database_away) to also specify -type f so that the directory structure is preserved when moving the old database away (accesslog will be backed up separately when its suffix is iterated over in move_incompatible_databases_away()).

  The simple and very tentative patch for this is:-

  """
# diff -u slapd.scripts-common.old slapd.scripts-common --- slapd.scripts-common.old 2012-05-24 10:33:01.746206585 +0100 +++ slapd.scripts-common 2012-05-24 10:33:23.967902747 +0100 @@ -391,7 +391,7 @@ echo -n " - directory $suffix... " >&2 mkdir -p "$backupdir" find "$databasedir" -mindepth 1 -maxdepth 1 \ - -exec mv {} "$backupdir" \; + -type f -exec mv {} "$backupdir" \; echo done. >&2 else cat >&2 <<EOF
@@ -728,7 +728,7 @@ # (i.e., contains no files except for an optional DB_CONFIG). # Usage: if is_empty_dir "$dir"; then ... fi - output=`find "$1" -mindepth 1 -maxdepth 1 \! -name DB_CONFIG 2>/dev/null` + output=`find "$1" -mindepth 1 -maxdepth 1 -type f \! -name DB_CONFIG 2>/dev/null` if [ -n "$output" ]; then return 1 else
  """
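
Review bot: In the first hunk (@@ -391), `-type f` on the `find "$databasedir" ... -exec mv {} "$backupdir"` call skips every entry that is not a regular file, not only nested database directories, so symlinks and any other subdirectory also stay behind in `$databasedir` after the old database is reported as moved. If the intent is only to keep nested directories in place, `\! -type d` expresses that more narrowly, and a comment above the `find` should say that subdirectories are deliberately left because they may hold another database.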
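
Review bot: In the second hunk (@@ -728), with `-type f` added is_empty_dir no longer returns 1 for a directory that holds only subdirectories or symlinks, while the comment above it still reads "contains no files except for an optional DB_CONFIG". Update that comment to state that subdirectories are ignored, and consider `\! -type d` so that symlinks and other non-directory entries still count as content. As a style point, `$(...)` would read more easily here than backticks around the escaped `\!`.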
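
The failure described in the report, reproduced in a throwaway directory as an added example (not part of the original report or of the package's scripts). The helpers `make_layout`, `move_db_away` and `remaining` are hypothetical, the file names are constructed, and `log.link` is an extra symlink added to show what else `-type f` leaves in place.

```shell
# Constructed layout mirroring the report: a parent database directory
# with a second database (accesslog) nested inside it.
make_layout() {
    mkdir -p "$1/ldap/accesslog"
    : > "$1/ldap/DB_CONFIG"
    : > "$1/ldap/id2entry.bdb"
    : > "$1/ldap/accesslog/id2entry.bdb"
    # Constructed symlink: not in the report, shows -type f semantics.
    ln -s id2entry.bdb "$1/ldap/log.link"
}

# move_db_away DBDIR BACKUPDIR MODE
#   MODE=all   : the original find, every top-level entry is moved
#   MODE=files : the find with the proposed -type f
move_db_away() {
    mkdir -p "$2"
    if [ "$3" = files ]; then
        find "$1" -mindepth 1 -maxdepth 1 -type f -exec mv {} "$2" \;
    else
        find "$1" -mindepth 1 -maxdepth 1 -exec mv {} "$2" \;
    fi
}

# remaining MODE: prints, space separated, what is still in the parent
# database directory after it has been moved away.
remaining() {
    root=$(mktemp -d) || return 2
    make_layout "$root"
    move_db_away "$root/ldap" "$root/backup" "$1"
    ls -A "$root/ldap" | paste -sd ' ' -
    rm -rf "$root"
}

# all   : nothing is left, so the nested accesslog directory that the
#         configuration still points at no longer exists
# files : accesslog survives, and so does the symlink
echo "move everything : left in db dir = [$(remaining all)]"
echo "move files only : left in db dir = [$(remaining files)]"
```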