diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch b/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch similarity index 98% rename from 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch rename to 0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch index 40dba66..62f2693 100644 --- a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch +++ b/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch @@ -1,4 +1,4 @@ -From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001 +From 9319d5b022918f14cacb00e3faef85a6ab730a26 Mon Sep 17 00:00:00 2001 From: Simon Pichugin Date: Tue, 27 Feb 2024 16:30:47 -0800 Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine @@ -79,5 +79,5 @@ index d28a39bf7..10a8cc577 100644 slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n"); disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO); -- -2.43.0 +2.45.0 diff --git a/0006-CVE-2024-2199.patch b/0006-CVE-2024-2199.patch index d980f8c..26ce84d 100644 --- a/0006-CVE-2024-2199.patch +++ b/0006-CVE-2024-2199.patch @@ -1,4 +1,4 @@ -From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001 +From 016a2b6bd3e27cbff36609824a75b020dfd24823 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Wed, 1 May 2024 15:01:33 +0100 Subject: [PATCH] CVE-2024-2199 @@ -9,10 +9,10 @@ Subject: [PATCH] CVE-2024-2199 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py -index 1245feb31..e4abd9907 100644 +index 38079476a..b3ff08904 100644 --- a/dirsrvtests/tests/suites/password/password_test.py 
+++ b/dirsrvtests/tests/suites/password/password_test.py -@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st): +@@ -65,6 +65,62 @@ def test_password_delete_specific_password(topology_st): log.info('test_password_delete_specific_password: PASSED') @@ -76,10 +76,10 @@ index 1245feb31..e4abd9907 100644 # Run isolated # -s for DEBUG mode diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c -index a20984e0b..fb65d58b3 100644 +index 5ca78539c..669bb104c 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c -@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) +@@ -765,8 +765,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) * flagged - leave mod attributes alone */ if (!repl_op && !skip_modified_attrs && lastmod) { modify_update_last_modified_attr(pb, &smods); @@ -90,7 +90,7 @@ index a20984e0b..fb65d58b3 100644 if (0 == slapi_mods_get_num_mods(&smods)) { /* nothing to do - no mods - this is not an error - just send back LDAP_SUCCESS */ -@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) +@@ -933,8 +935,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw) /* encode password */ if (pw_encodevals_ext(pb, sdn, va)) { @@ -104,5 +104,5 @@ index a20984e0b..fb65d58b3 100644 goto free_and_return; } -- -2.41.0 +2.45.0 diff --git a/0007-CVE-2024-3657.patch b/0007-CVE-2024-3657.patch index dba55ff..722e51c 100644 --- a/0007-CVE-2024-3657.patch +++ b/0007-CVE-2024-3657.patch @@ -1,4 +1,4 @@ -From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001 +From d5bbe52fbe84a7d3b5938bf82d5c4af15061a8e2 Mon Sep 17 00:00:00 2001 From: Pierre Rogier Date: Wed, 17 Apr 2024 18:18:04 +0200 Subject: [PATCH] CVE-2024-3657 @@ -9,7 +9,7 @@ Subject: [PATCH] CVE-2024-3657 2 files changed, 92 insertions(+), 53 deletions(-) 
diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py -index 964facae5..5390a0f9c 100644 +index ecc7bf979..40526bb16 100644 --- a/dirsrvtests/tests/suites/filter/large_filter_test.py +++ b/dirsrvtests/tests/suites/filter/large_filter_test.py @@ -13,19 +13,29 @@ verify and testing Filter from a search @@ -43,7 +43,7 @@ index 964facae5..5390a0f9c 100644 @pytest.fixture(scope="module") def _create_entries(request, topo): """ -@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value): +@@ -160,6 +170,28 @@ def test_large_filter(topo, _create_entries, real_value): assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3 @@ -73,10 +73,10 @@ index 964facae5..5390a0f9c 100644 CURRENT_FILE = os.path.realpath(__file__) pytest.main("-s -v %s" % CURRENT_FILE) diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c -index 86bc825fe..bdac0a616 100644 +index 410db23d1..30fa09ebb 100644 --- a/ldap/servers/slapd/back-ldbm/index.c +++ b/ldap/servers/slapd/back-ldbm/index.c -@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle; +@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle; #define INDEX_BUFFER_FLAG_SERIALIZE 1 #define INDEX_BUFFER_FLAG_STATS 2 @@ -109,7 +109,7 @@ index 86bc825fe..bdac0a616 100644 /* Index buffering functions */ static int -@@ -802,65 +828,46 @@ index_add_mods( +@@ -799,65 +825,46 @@ index_add_mods( /* * Convert a 'struct berval' into a displayable ASCII string @@ -209,5 +209,5 @@ index 86bc825fe..bdac0a616 100644 static const char * -- -2.44.0 +2.45.0 diff --git a/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch b/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch new file mode 100644 index 0000000..cd2f206 --- /dev/null +++ b/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch 
@@ -0,0 +1,143 @@
+From 6e5f03d5872129963106024f53765234a282406c Mon Sep 17 00:00:00 2001
+From: James Chapman
+Date: Fri, 16 Feb 2024 11:13:16 +0000
+Subject: [PATCH] Issue 6096 - Improve connection timeout error logging (#6097)
+
+Bug description: When a paged result search is run with a time limit,
+if the time limit is exceed the server closes the connection with
+closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
+is incorrect as the reason the connection has been closed was because
+the specified time limit on a paged result search has been exceeded.
+
+Fix description: Correct error message
+
+Relates: https://github.com/389ds/389-ds-base/issues/6096
+
+Reviewed by: @tbordaz (Thank you)
+---
+ ldap/admin/src/logconv.pl | 24 ++++++++++++++++++-
+ ldap/servers/slapd/daemon.c | 4 ++--
+ ldap/servers/slapd/disconnect_error_strings.h | 1 +
+ ldap/servers/slapd/disconnect_errors.h | 2 +-
+ 4 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
+index 7698c383a..2a933c4a3 100755
+--- a/ldap/admin/src/logconv.pl
++++ b/ldap/admin/src/logconv.pl
+@@ -267,7 +267,7 @@ my $optimeAvg = 0;
+ my %cipher = ();
+ my @removefiles = ();
+
+-my @conncodes = qw(A1 B1 B4 T1 T2 B2 B3 R1 P1 P2 U1);
++my @conncodes = qw(A1 B1 B4 T1 T2 T3 B2 B3 R1 P1 P2 U1);
+ my %conn = ();
+ map {$conn{$_} = $_} @conncodes;
+
+@@ -355,6 +355,7 @@ $connmsg{"B1"} = "Bad Ber Tag Encountered";
+ $connmsg{"B4"} = "Server failed to flush data (response) back to Client";
+ $connmsg{"T1"} = "Idle Timeout Exceeded";
+ $connmsg{"T2"} = "IO Block Timeout Exceeded or NTSSL Timeout";
++$connmsg{"T3"} = "Paged Search Time Limit Exceeded";
+ $connmsg{"B2"} = "Ber Too Big";
+ $connmsg{"B3"} = "Ber Peek";
+ $connmsg{"R1"} = "Revents";
+@@ -1723,6 +1724,10 @@ if ($usage =~ /j/i || $verb eq "yes"){
+ print "\n $recCount. You have some coonections that are being closed by the ioblocktimeout setting. You may want to increase the ioblocktimeout.\n";
+ $recCount++;
+ }
++ if (defined($conncount->{"T3"}) and $conncount->{"T3"} > 0){
++ print "\n $recCount. You have some connections that are being closed because a paged result search limit has been exceeded. You may want to increase the search time limit.\n";
++ $recCount++;
++ }
+ # compare binds to unbinds, if the difference is more than 30% of the binds, then report a issue
+ if (($bindCount - $unbindCount) > ($bindCount*.3)){
+ print "\n $recCount. You have a significant difference between binds and unbinds. You may want to investigate this difference.\n";
+@@ -2366,6 +2371,7 @@ sub parseLineNormal
+ $brokenPipeCount++;
+ if (m/- T1/){ $hashes->{rc}->{"T1"}++; }
+ elsif (m/- T2/){ $hashes->{rc}->{"T2"}++; }
++ elsif (m/- T3/){ $hashes->{rc}->{"T3"}++; }
+ elsif (m/- A1/){ $hashes->{rc}->{"A1"}++; }
+ elsif (m/- B1/){ $hashes->{rc}->{"B1"}++; }
+ elsif (m/- B4/){ $hashes->{rc}->{"B4"}++; }
+@@ -2381,6 +2387,7 @@ sub parseLineNormal
+ $connResetByPeerCount++;
+ if (m/- T1/){ $hashes->{src}->{"T1"}++; }
+ elsif (m/- T2/){ $hashes->{src}->{"T2"}++; }
++ elsif (m/- T3/){ $hashes->{src}->{"T3"}++; }
+ elsif (m/- A1/){ $hashes->{src}->{"A1"}++; }
+ elsif (m/- B1/){ $hashes->{src}->{"B1"}++; }
+ elsif (m/- B4/){ $hashes->{src}->{"B4"}++; }
+@@ -2396,6 +2403,7 @@ sub parseLineNormal
+ $resourceUnavailCount++;
+ if (m/- T1/){ $hashes->{rsrc}->{"T1"}++; }
+ elsif (m/- T2/){ $hashes->{rsrc}->{"T2"}++; }
++ elsif (m/- T3/){ $hashes->{rsrc}->{"T3"}++; }
+ elsif (m/- A1/){ $hashes->{rsrc}->{"A1"}++; }
+ elsif (m/- B1/){ $hashes->{rsrc}->{"B1"}++; }
+ elsif (m/- B4/){ $hashes->{rsrc}->{"B4"}++; }
+@@ -2494,6 +2502,20 @@ sub parseLineNormal
+ }
+ }
+ }
++ if (m/- T3/){
++ if ($_ =~ /conn= *([0-9A-Z]+)/i) {
++ $exc = "no";
++ $ip = getIPfromConn($1, $serverRestartCount);
++ for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
++ if ($ip eq $excludeIP[$xxx]){$exc = "yes";}
++ }
++ if ($exc ne "yes"){
++ $hashes->{T3}->{$ip}++;
++ $hashes->{conncount}->{"T3"}++;
++ $connCodeCount++;
++ }
++ }
++ }
+ if (m/- B2/){
+ if ($_ =~ /conn= *([0-9A-Z]+)/i) {
+ $exc = "no";
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index 5a48aa66f..bb80dae36 100644
+--- a/ldap/servers/slapd/daemon.c
++++ b/ldap/servers/slapd/daemon.c
+@@ -1599,9 +1599,9 @@ setup_pr_read_pds(Connection_Table *ct)
+ int add_fd = 1;
+ /* check timeout for PAGED RESULTS */
+ if (pagedresults_is_timedout_nolock(c)) {
+- /* Exceeded the timelimit; disconnect the client */
++ /* Exceeded the paged search timelimit; disconnect the client */
+ disconnect_server_nomutex(c, c->c_connid, -1,
+- SLAPD_DISCONNECT_IO_TIMEOUT,
++ SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT,
+ 0);
+ connection_table_move_connection_out_of_active_list(ct,
+ c);
+diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
+index f7a31d728..c2d9e283b 100644
+--- a/ldap/servers/slapd/disconnect_error_strings.h
++++ b/ldap/servers/slapd/disconnect_error_strings.h
+@@ -27,6 +27,7 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4")
+ ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1")
+ ER2(SLAPD_DISCONNECT_REVENTS, "R1")
+ ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2")
++ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
+ ER2(SLAPD_DISCONNECT_PLUGIN, "P1")
+ ER2(SLAPD_DISCONNECT_UNBIND, "U1")
+ ER2(SLAPD_DISCONNECT_POLL, "P2")
+diff --git a/ldap/servers/slapd/disconnect_errors.h b/ldap/servers/slapd/disconnect_errors.h
+index a0484f1c2..e118f674c 100644
+--- a/ldap/servers/slapd/disconnect_errors.h
++++ b/ldap/servers/slapd/disconnect_errors.h
+@@ -35,6 +35,6 @@
+ #define SLAPD_DISCONNECT_SASL_FAIL SLAPD_DISCONNECT_ERROR_BASE + 12
+ #define SLAPD_DISCONNECT_PROXY_INVALID_HEADER SLAPD_DISCONNECT_ERROR_BASE + 13
+ #define SLAPD_DISCONNECT_PROXY_UNKNOWN SLAPD_DISCONNECT_ERROR_BASE + 14
+-
++#define SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT SLAPD_DISCONNECT_ERROR_BASE + 15
+
+ #endif /* __DISCONNECT_ERRORS_H_ */
+--
+2.45.0
+
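Review bot: In the T3 block added to parseLineNormal in logconv.pl, the loop `for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){` stops one short of the last element of @excludeIP (`$#excludeIP` is the last index, not the count), so the final excluded address is never matched and a one-entry exclude list is ignored entirely; `for (my $xxx = 0; $xxx <= $#excludeIP; $xxx++){` would walk the whole list. The same pattern is visible in the surrounding blocks for the other codes, so it was presumably copied for consistency, but the defect is then carried into the new code as well. The T3 mapping itself is consistent across the @conncodes list, %connmsg, the three rc/src/rsrc counters, daemon.c and both disconnect headers.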
diff --git a/389-ds-base.spec b/389-ds-base.spec
index bc5e6e5..d7fb6ba 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 1.4.3.39
-Release: %{?relprefix}4%{?prerel}%{?dist}
+Release: %{?relprefix}5%{?prerel}%{?dist}
 License: GPLv3+ and (ASL 2.0 or MIT)
 URL: https://www.port389.org
 Group: System Environment/Daemons
@@ -297,9 +297,10 @@ Patch01: 0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc
 Patch02: 0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
 Patch03: 0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
 Patch04: 0004-Issue-5547-automember-plugin-improvements.patch
-Patch05: 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+Patch05: 0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
 Patch06: 0006-CVE-2024-2199.patch
 Patch07: 0007-CVE-2024-3657.patch
+Patch08: 0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -921,6 +922,10 @@ exit 0
 %doc README.md
 
 %changelog
+* Tue Jun 11 2024 Viktor Ashirov - 1.4.3.39-5
+- Bump version to 1.4.3.39-5
+- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z]
+
 * Thu Jun 06 2024 James Chapman - 1.4.3.39-4
 - Bump version to 1.4.3.39-4
 - Resolves: RHEL-34818 - redhat-ds:11/389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c
diff --git a/main.fmf b/main.fmf
new file mode 100644
index 0000000..76d16bf
--- /dev/null
+++ b/main.fmf
@@ -0,0 +1,17 @@
+/plan:
+ summary: Basic test suite
+ discover:
+ how: fmf
+ execute:
+ how: tmt
+ prepare:
+ - name: install required packages
+ how: install
+ package: [389-ds-base, git, pytest]
+ - name: clone repo
+ how: shell
+ script: git clone https://github.com/389ds/389-ds-base /root/ds
+/test:
+ /upstream_basic:
+ test: pytest -v /root/ds/dirsrvtests/tests/suites/basic/basic_test.py
+ duration: 30m
diff --git a/tests/tests.yml b/tests/tests.yml
deleted file mode 100644
index a2570d1..0000000
--- a/tests/tests.yml
+++ /dev/null
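Review bot: The clone step in the new plan, `script: git clone https://github.com/389ds/389-ds-base /root/ds`, checks out whatever the upstream default branch is at test time, whereas the playbook this replaces pinned the checkout (`ds_repo_version: 389-ds-base-2.1`); for a package at Version 1.4.3.39 the unpinned basic_test.py and its helpers will drift from the installed server, and the result of the gate depends on an uncontrolled upstream state. Pin the checkout to the branch or tag that matches the packaged release, for example `script: git clone --branch <PINNED_BRANCH_OR_TAG> https://github.com/389ds/389-ds-base /root/ds`. The removed playbook also ran pytest with `PYTHONPATH=../../src/lib389`; the new plan installs only `389-ds-base, git, pytest`, so it presumably relies on the package pulling in the lib389 bindings the suite imports — worth confirming rather than assuming.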
@@ -1,58 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- vars:
- ds_repo_url: https://github.com/389ds/389-ds-base.git
- ds_repo_dir: ds
- ds_repo_version: 389-ds-base-2.1
- ds_tests: "{{ ds_repo_dir }}/dirsrvtests/tests"
- pytest: "py.test-3"
- pytest_args: "-v"
- pytest_tier0_tests: "-m tier0"
- pytest_tier1_tests: "-m 'tier1 and not tier2'"
- pytest_run_command: "PYTHONPATH=../../src/lib389 {{ pytest }} {{ pytest_args }}"
- artifacts: ./artifacts
- pre_tasks:
- - name: Install policycoreutils
- action: >
- {{ ansible_pkg_mgr }} name=policycoreutils-python-utils state=present
- tags: always
- ignore_errors: yes
- - name: Prelabel non-secure ports
- tags: always
- shell: "semanage port -a -t ldap_port_t -p tcp 38900-39299"
- ignore_errors: yes
- - name: Prelabel secure ports
- tags: always
- shell: "semanage port -a -t ldap_port_t -p tcp 63600-63999"
- ignore_errors: yes
- - name: Install pip
- action: >
- {{ ansible_pkg_mgr }} name=python3-pip state=present
- tags: always
- ignore_errors: yes
- - name: Install slugify
- tags: always
- shell: "pip3 install slugify"
- ignore_errors: yes
- roles:
- - role: standard-test-basic
- tags:
- - classic
- repositories:
- - repo: "{{ ds_repo_url }}"
- dest: "{{ ds_repo_dir }}"
- version: "{{ ds_repo_version }}"
- tests:
- - tier0:
- dir: "{{ ds_tests }}"
- run: "{{ pytest_run_command }} {{ pytest_tier0_tests }}"
- - tier1:
- dir: "{{ ds_tests }}"
- run: "{{ pytest_run_command }} {{ pytest_tier1_tests }}"
- required_packages:
- - python3-pytest
- - python3-distro
- - 389-ds-base
- - 389-ds-base-snmp
- - cracklib-dicts