Bump version to 1.4.3.39-5

Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z]
2024-06-11 19:12:33 +02:00 · 2024-06-11 19:12:33 +02:00 · 315bc65149
commit 315bc65149
parent d2aa1055aa
8 changed files with 184 additions and 76 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+++ b/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
@ -1,4 +1,4 @@
-From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001
+From 9319d5b022918f14cacb00e3faef85a6ab730a26 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
 Date: Tue, 27 Feb 2024 16:30:47 -0800
 Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
@ -79,5 +79,5 @@ index d28a39bf7..10a8cc577 100644
                             slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
                             disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
 -- 
-2.43.0
+2.45.0

--- a/0006-CVE-2024-2199.patch
+++ b/0006-CVE-2024-2199.patch
@ -1,4 +1,4 @@
-From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
+From 016a2b6bd3e27cbff36609824a75b020dfd24823 Mon Sep 17 00:00:00 2001
 From: James Chapman <jachapma@redhat.com>
 Date: Wed, 1 May 2024 15:01:33 +0100
 Subject: [PATCH] CVE-2024-2199
@ -9,10 +9,10 @@ Subject: [PATCH] CVE-2024-2199
 2 files changed, 62 insertions(+), 2 deletions(-)

 diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
-index 1245feb31..e4abd9907 100644
+index 38079476a..b3ff08904 100644
 --- a/dirsrvtests/tests/suites/password/password_test.py
 +++ b/dirsrvtests/tests/suites/password/password_test.py
-@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
+@@ -65,6 +65,62 @@ def test_password_delete_specific_password(topology_st):
     log.info('test_password_delete_specific_password: PASSED')
 
 
@ -76,10 +76,10 @@ index 1245feb31..e4abd9907 100644
     # Run isolated
     # -s for DEBUG mode
 diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index a20984e0b..fb65d58b3 100644
+index 5ca78539c..669bb104c 100644
 --- a/ldap/servers/slapd/modify.c
 +++ b/ldap/servers/slapd/modify.c
-@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+@@ -765,8 +765,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
      * flagged - leave mod attributes alone */
     if (!repl_op && !skip_modified_attrs && lastmod) {
         modify_update_last_modified_attr(pb, &smods);
@ -90,7 +90,7 @@ index a20984e0b..fb65d58b3 100644
     if (0 == slapi_mods_get_num_mods(&smods)) {
         /* nothing to do - no mods - this is not an error - just
            send back LDAP_SUCCESS */
-@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+@@ -933,8 +935,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
 
             /* encode password */
             if (pw_encodevals_ext(pb, sdn, va)) {
@ -104,5 +104,5 @@ index a20984e0b..fb65d58b3 100644
                 goto free_and_return;
             }
 -- 
-2.41.0
+2.45.0

--- a/0007-CVE-2024-3657.patch
+++ b/0007-CVE-2024-3657.patch
@ -1,4 +1,4 @@
-From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
+From d5bbe52fbe84a7d3b5938bf82d5c4af15061a8e2 Mon Sep 17 00:00:00 2001
 From: Pierre Rogier <progier@redhat.com>
 Date: Wed, 17 Apr 2024 18:18:04 +0200
 Subject: [PATCH] CVE-2024-3657
@ -9,7 +9,7 @@ Subject: [PATCH] CVE-2024-3657
 2 files changed, 92 insertions(+), 53 deletions(-)

 diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
-index 964facae5..5390a0f9c 100644
+index ecc7bf979..40526bb16 100644
 --- a/dirsrvtests/tests/suites/filter/large_filter_test.py
 +++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
@@ -13,19 +13,29 @@ verify and testing  Filter from a search
@ -43,7 +43,7 @@ index 964facae5..5390a0f9c 100644
 @pytest.fixture(scope="module")
 def _create_entries(request, topo):
     """
-@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
+@@ -160,6 +170,28 @@ def test_large_filter(topo, _create_entries, real_value):
     assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
 
 
@ -73,10 +73,10 @@ index 964facae5..5390a0f9c 100644
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main("-s -v %s" % CURRENT_FILE)
 diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 86bc825fe..bdac0a616 100644
+index 410db23d1..30fa09ebb 100644
 --- a/ldap/servers/slapd/back-ldbm/index.c
 +++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
+@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
 #define INDEX_BUFFER_FLAG_SERIALIZE 1
 #define INDEX_BUFFER_FLAG_STATS 2
 
@ -109,7 +109,7 @@ index 86bc825fe..bdac0a616 100644
 /* Index buffering functions */
 
 static int
-@@ -802,65 +828,46 @@ index_add_mods(
+@@ -799,65 +825,46 @@ index_add_mods(
 
 /*
  * Convert a 'struct berval' into a displayable ASCII string
@ -209,5 +209,5 @@ index 86bc825fe..bdac0a616 100644
 
 static const char *
 -- 
-2.44.0
+2.45.0

--- a/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
+++ b/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
@ -0,0 +1,143 @@
+From 6e5f03d5872129963106024f53765234a282406c Mon Sep 17 00:00:00 2001
+From: James Chapman <jachapma@redhat.com>
+Date: Fri, 16 Feb 2024 11:13:16 +0000
+Subject: [PATCH] Issue 6096 - Improve connection timeout error logging (#6097)
+
+Bug description: When a paged result search is run with a time limit,
+if the time limit is exceed the server closes the connection with
+closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
+is incorrect as the reason the connection has been closed was because
+the specified time limit on a paged result search has been exceeded.
+
+Fix description: Correct error message
+
+Relates: https://github.com/389ds/389-ds-base/issues/6096
+
+Reviewed by: @tbordaz (Thank you)
+---
+ ldap/admin/src/logconv.pl                     | 24 ++++++++++++++++++-
+ ldap/servers/slapd/daemon.c                   |  4 ++--
+ ldap/servers/slapd/disconnect_error_strings.h |  1 +
+ ldap/servers/slapd/disconnect_errors.h        |  2 +-
+ 4 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
+index 7698c383a..2a933c4a3 100755
+--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
+@@ -267,7 +267,7 @@ my $optimeAvg = 0;
+ my %cipher = ();
+ my @removefiles = ();
+ 
+-my @conncodes = qw(A1 B1 B4 T1 T2 B2 B3 R1 P1 P2 U1);
+my @conncodes = qw(A1 B1 B4 T1 T2 T3 B2 B3 R1 P1 P2 U1);
+ my %conn = ();
+ map {$conn{$_} = $_} @conncodes;
+ 
+@@ -355,6 +355,7 @@ $connmsg{"B1"} = "Bad Ber Tag Encountered";
+ $connmsg{"B4"} = "Server failed to flush data (response) back to Client";
+ $connmsg{"T1"} = "Idle Timeout Exceeded";
+ $connmsg{"T2"} = "IO Block Timeout Exceeded or NTSSL Timeout";
+$connmsg{"T3"} = "Paged Search Time Limit Exceeded";
+ $connmsg{"B2"} = "Ber Too Big";
+ $connmsg{"B3"} = "Ber Peek";
+ $connmsg{"R1"} = "Revents";
+@@ -1723,6 +1724,10 @@ if ($usage =~ /j/i || $verb eq "yes"){
+ 		print "\n $recCount.  You have some coonections that are being closed by the ioblocktimeout setting. You may want to increase the ioblocktimeout.\n";
+ 		$recCount++;
+ 	}
+	if (defined($conncount->{"T3"}) and $conncount->{"T3"} > 0){
+		print "\n $recCount.  You have some connections that are being closed because a paged result search limit has been exceeded. You may want to increase the search time limit.\n";
+		$recCount++;
+	}
+ 	# compare binds to unbinds, if the difference is more than 30% of the binds, then report a issue
+ 	if (($bindCount - $unbindCount) > ($bindCount*.3)){
+ 		print "\n $recCount.  You have a significant difference between binds and unbinds.  You may want to investigate this difference.\n";
+@@ -2366,6 +2371,7 @@ sub parseLineNormal
+ 		$brokenPipeCount++;
+ 		if (m/- T1/){ $hashes->{rc}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{rc}->{"T2"}++; }
+		elsif (m/- T3/){ $hashes->{rc}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{rc}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{rc}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{rc}->{"B4"}++; }
+@@ -2381,6 +2387,7 @@ sub parseLineNormal
+ 		$connResetByPeerCount++;
+ 		if (m/- T1/){ $hashes->{src}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{src}->{"T2"}++; }
+		elsif (m/- T3/){ $hashes->{src}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{src}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{src}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{src}->{"B4"}++; }
+@@ -2396,6 +2403,7 @@ sub parseLineNormal
+ 		$resourceUnavailCount++;
+ 		if (m/- T1/){ $hashes->{rsrc}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{rsrc}->{"T2"}++; }
+		elsif (m/- T3/){ $hashes->{rsrc}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{rsrc}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{rsrc}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{rsrc}->{"B4"}++; }
+@@ -2494,6 +2502,20 @@ sub parseLineNormal
+ 				}
+ 			}
+ 		}
+		if (m/- T3/){
+			if ($_ =~ /conn= *([0-9A-Z]+)/i) {
+				$exc = "no";
+				$ip = getIPfromConn($1, $serverRestartCount);
+				for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
+					if ($ip eq $excludeIP[$xxx]){$exc = "yes";}
+				}
+				if ($exc ne "yes"){
+					$hashes->{T3}->{$ip}++;
+					$hashes->{conncount}->{"T3"}++;
+					$connCodeCount++;
+				}
+			}
+		}
+ 		if (m/- B2/){
+ 			if ($_ =~ /conn= *([0-9A-Z]+)/i) {
+ 				$exc = "no";
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index 5a48aa66f..bb80dae36 100644
+--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
+@@ -1599,9 +1599,9 @@ setup_pr_read_pds(Connection_Table *ct)
+                     int add_fd = 1;
+                     /* check timeout for PAGED RESULTS */
+                     if (pagedresults_is_timedout_nolock(c)) {
+-                        /* Exceeded the timelimit; disconnect the client */
+                        /* Exceeded the paged search timelimit; disconnect the client */
+                         disconnect_server_nomutex(c, c->c_connid, -1,
+-                                                  SLAPD_DISCONNECT_IO_TIMEOUT,
+                                                  SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT,
+                                                   0);
+                         connection_table_move_connection_out_of_active_list(ct,
+                                                                             c);
+diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
+index f7a31d728..c2d9e283b 100644
+--- a/ldap/servers/slapd/disconnect_error_strings.h
+++ b/ldap/servers/slapd/disconnect_error_strings.h
+@@ -27,6 +27,7 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4")
+ ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1")
+ ER2(SLAPD_DISCONNECT_REVENTS, "R1")
+ ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2")
+ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
+ ER2(SLAPD_DISCONNECT_PLUGIN, "P1")
+ ER2(SLAPD_DISCONNECT_UNBIND, "U1")
+ ER2(SLAPD_DISCONNECT_POLL, "P2")
+diff --git a/ldap/servers/slapd/disconnect_errors.h b/ldap/servers/slapd/disconnect_errors.h
+index a0484f1c2..e118f674c 100644
+--- a/ldap/servers/slapd/disconnect_errors.h
+++ b/ldap/servers/slapd/disconnect_errors.h
+@@ -35,6 +35,6 @@
+ #define SLAPD_DISCONNECT_SASL_FAIL SLAPD_DISCONNECT_ERROR_BASE + 12
+ #define SLAPD_DISCONNECT_PROXY_INVALID_HEADER SLAPD_DISCONNECT_ERROR_BASE + 13
+ #define SLAPD_DISCONNECT_PROXY_UNKNOWN SLAPD_DISCONNECT_ERROR_BASE + 14
+-
+#define SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT SLAPD_DISCONNECT_ERROR_BASE + 15
+ 
+ #endif /* __DISCONNECT_ERRORS_H_ */
+-- 
+2.45.0
+
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.39
-Release:          %{?relprefix}4%{?prerel}%{?dist}
+Release:          %{?relprefix}5%{?prerel}%{?dist}
 License:          GPLv3+ and (ASL 2.0 or MIT)
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@ -297,9 +297,10 @@ Patch01:          0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc
 Patch02:          0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
 Patch03:          0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
 Patch04:          0004-Issue-5547-automember-plugin-improvements.patch
-Patch05:          0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+Patch05:          0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
 Patch06:          0006-CVE-2024-2199.patch
 Patch07:          0007-CVE-2024-3657.patch
+Patch08:          0008-Issue-6096-Improve-connection-timeout-error-logging-.patch

 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@ -921,6 +922,10 @@ exit 0
 %doc README.md

 %changelog
+* Tue Jun 11 2024 Viktor Ashirov <vashirov@redhat.com> - 1.4.3.39-5
+- Bump version to 1.4.3.39-5
+- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z]
+
 * Thu Jun 06 2024 James Chapman <jachapma@redhat.com> - 1.4.3.39-4
 - Bump version to 1.4.3.39-4
 - Resolves: RHEL-34818 - redhat-ds:11/389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c
--- a/main.fmf
+++ b/main.fmf
@ -0,0 +1,17 @@
+/plan:
+    summary: Basic test suite
+    discover:
+        how: fmf
+    execute:
+        how: tmt
+    prepare:
+      - name: install required packages
+        how: install
+        package: [389-ds-base, git, pytest]
+      - name: clone repo
+        how: shell
+        script: git clone https://github.com/389ds/389-ds-base /root/ds
+/test:
+    /upstream_basic:
+        test: pytest -v /root/ds/dirsrvtests/tests/suites/basic/basic_test.py
+        duration: 30m
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,58 +0,0 @@
---
- hosts: localhost
-  remote_user: root
-  vars:
-    ds_repo_url: https://github.com/389ds/389-ds-base.git
-    ds_repo_dir: ds
-    ds_repo_version: 389-ds-base-2.1
-    ds_tests: "{{ ds_repo_dir }}/dirsrvtests/tests"
-    pytest: "py.test-3"
-    pytest_args: "-v"
-    pytest_tier0_tests: "-m tier0"
-    pytest_tier1_tests: "-m 'tier1 and not tier2'"
-    pytest_run_command: "PYTHONPATH=../../src/lib389 {{ pytest }} {{ pytest_args }}"
-    artifacts: ./artifacts
-  pre_tasks:
-    - name: Install policycoreutils
-      action: >
-        {{ ansible_pkg_mgr }} name=policycoreutils-python-utils state=present
-      tags: always
-      ignore_errors: yes
-    - name: Prelabel non-secure ports
-      tags: always
-      shell: "semanage port -a -t ldap_port_t -p tcp 38900-39299"
-      ignore_errors: yes
-    - name: Prelabel secure ports
-      tags: always
-      shell: "semanage port -a -t ldap_port_t -p tcp 63600-63999"
-      ignore_errors: yes
-    - name: Install pip
-      action: >
-        {{ ansible_pkg_mgr }} name=python3-pip state=present
-      tags: always
-      ignore_errors: yes
-    - name: Install slugify
-      tags: always
-      shell: "pip3 install slugify"
-      ignore_errors: yes
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "{{ ds_repo_url }}"
-      dest: "{{ ds_repo_dir }}"
-      version: "{{ ds_repo_version }}"
-    tests:
-    - tier0:
-        dir: "{{ ds_tests }}"
-        run: "{{ pytest_run_command }} {{ pytest_tier0_tests }}"
-    - tier1:
-        dir: "{{ ds_tests }}"
-        run: "{{ pytest_run_command }} {{ pytest_tier1_tests }}"
-    required_packages:
-    - python3-pytest
-    - python3-distro
-    - 389-ds-base
-    - 389-ds-base-snmp
-    - cracklib-dicts