This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration
      style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in
        version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for
      apparmor kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with
    a copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base
    in results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import
    upstream patch to fix a crash when a search includes the Deref control
    with an empty attribute list. (ITS#8027) (CVE-2015-1545,
    Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by certain search queries using
    the Matched Values control. (ITS#8046) (CVE-2015-1546,
    Closes: #776991)

openldap (2.4.40-3) unstable; urgency=medium

  * Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation.
    Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation.
    Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation.
    Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation.
    Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation.
    Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation.
    Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation.
    Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation.
    Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation.
    Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation.
    Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation.
    Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation.
    Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation.
    Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation.
    Thanks to Jorge Barreiro.
  * Update Swedish debconf translation.
    Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the
    templates file.
  * Run debconf-updatepo to refresh PO files.

openldap (2.4.40-2) unstable; urgency=medium

  * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS
    from dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
    rootdn, since it already has unlimited privileges. Thanks Ferenc
    Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the
    backup, for example if the active backend doesn't use it. Thanks
    Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a
    debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

openldap (2.4.40-1) unstable; urgency=low

  [ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860)
      (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500)
      (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
      (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files
      under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
      symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they
      might contain other databases. Patch from Kenny Millington.
      (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same
      suffix, thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
      #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades
    and the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by
    po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration.
    (Closes: #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific
      attributes. (Closes: #761406)
    - Index some more common search attributes by default.
      (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification.
    There does not appear to be any copyrighted text in this file, only
    ASN.1 assignments and LDAP schema definitions. Fixes a Lintian error
    on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from
    duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in
    draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
    slapd-config.5 the fact that changes to olcAuthzRegexp only take
    effect after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

  [ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev.
    (Closes: #745356, #706123)

  [ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <a...@artielektronik.com.tr>.
    (Closes: #661641)

openldap (2.4.39-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

openldap (2.4.39-1) unstable; urgency=low

  [ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in
    doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

  [ Russ Allbery ]
  * Remove myself from Uploaders.

  [ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him. Thanks
    for your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess
    instances in the source, so that we can be forwards-compatible with
    new ports. Thanks to Colin Watson <cjwat...@ubuntu.com> for the patch.
    Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for
    driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the
    database on upgrade. Closes: #738641.

  [ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile,
    smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for
    get-orig-source.
  * source: Add lintian overrides for non-translatable internal templates.

 -- Ryan Tandy <r...@nardis.ca>  Mon, 25 May 2015 19:49:21 -0700

** Changed in: openldap (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1545

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1546

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in openldap package in Ubuntu:
  Fix Released

Bug description:
  There is a bug in slapd that triggers the profile of apparmor of
  slapd.

  When installing a clean Ubuntu 14.10 server and installing slapd with:

    apt-get install slapd ldap-utils

  configure it with:

    dpkg-reconfigure slapd

  with ldap address of ldapi://xxx.xxx.xxx

  the following command:

    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

  gives the following error:

    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

  Checking syslog:

    apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0

  we find in apparmor profile:

  /etc/apparmor.d/usr.sbin.slapd reads:

    # pid files and sockets
    /{,var/}run/slapd/* w,

  /run/slapd/ldapi has srwxrwxrwx attributes and is owned by root:root

  In 14.04 all of this is the same but does not lead to an error.

  Changing it into:

    # pid files and sockets
    /{,var/}run/slapd/* rw,

  Solves the issue but does not show me where things actually go wrong.
  Slapd tries to read the file but fails.
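
Added example (not part of the original bug report or of the openldap packaging): a Python check that takes the syslog denial and the two profile rules quoted in the report and computes which requested permission the matching rule fails to grant. The glob translation covers only a subset of AppArmor path syntax ({a,b}, ** and *), and the function names are assumptions made for this illustration.

```python
import re
import shlex

# Denial and profile rules exactly as quoted in the bug report above.
DENIAL = ('apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" '
          'name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" '
          'denied_mask="r" fsuid=105 ouid=0')
RULE_BEFORE = "/{,var/}run/slapd/* w,"
RULE_AFTER = "/{,var/}run/slapd/* rw,"


def parse_denial(line):
    """Split an AppArmor audit message into a dict of its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def glob_to_regex(glob):
    """Translate a subset of AppArmor path globs ({a,b}, **, *) to a regex."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*")
            i += 1
        elif ch == "*":                   # * stays within one path component
            out.append("[^/]*")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:         # alternation separator inside braces
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")


def missing_perms(denial_line, rule):
    """Return the requested permissions that `rule` does not grant on the path."""
    event = parse_denial(denial_line)
    path_glob, perms = rule.strip().rstrip(",").rsplit(None, 1)
    requested = set(event["requested_mask"])
    if not glob_to_regex(path_glob).match(event["name"]):
        return requested                  # the rule does not cover this path
    return requested - set(perms)
```

missing_perms(DENIAL, RULE_BEFORE) reports the read permission as not granted, while the same call with RULE_AFTER returns an empty set, matching the reporter's observation that changing w to rw clears the denial.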