From 315bc6514917a092076400a706943d2dfb61a809 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Tue, 11 Jun 2024 19:12:33 +0200
Subject: [PATCH] Bump version to 1.4.3.39-5

Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z]
---
 .fmf/version                                  |   1 +
 ...rt-HAProxy-and-Instance-on-the-same-.patch |   4 +-
 0006-CVE-2024-2199.patch                      |  14 +-
 0007-CVE-2024-3657.patch                      |  14 +-
 ...ve-connection-timeout-error-logging-.patch | 143 ++++++++++++++++++
 389-ds-base.spec                              |   9 +-
 main.fmf                                      |  17 +++
 tests/tests.yml                               |  58 -------
 8 files changed, 184 insertions(+), 76 deletions(-)
 create mode 100644 .fmf/version
 rename 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch => 0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch (98%)
 create mode 100644 0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
 create mode 100644 main.fmf
 delete mode 100644 tests/tests.yml

diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch b/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
similarity index 98%
rename from 0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
rename to 0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
index 40dba66..62f2693 100644
--- a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+++ b/0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
@@ -1,4 +1,4 @@
-From 7d1bc439a07c51b5f4f37405b6b27a1990b8cb28 Mon Sep 17 00:00:00 2001
+From 9319d5b022918f14cacb00e3faef85a6ab730a26 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
 Date: Tue, 27 Feb 2024 16:30:47 -0800
 Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
@@ -79,5 +79,5 @@ index d28a39bf7..10a8cc577 100644
                              slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
                              disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
 -- 
-2.43.0
+2.45.0
 
diff --git a/0006-CVE-2024-2199.patch b/0006-CVE-2024-2199.patch
index d980f8c..26ce84d 100644
--- a/0006-CVE-2024-2199.patch
+++ b/0006-CVE-2024-2199.patch
@@ -1,4 +1,4 @@
-From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
+From 016a2b6bd3e27cbff36609824a75b020dfd24823 Mon Sep 17 00:00:00 2001
 From: James Chapman <jachapma@redhat.com>
 Date: Wed, 1 May 2024 15:01:33 +0100
 Subject: [PATCH] CVE-2024-2199
@@ -9,10 +9,10 @@ Subject: [PATCH] CVE-2024-2199
  2 files changed, 62 insertions(+), 2 deletions(-)
 
 diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
-index 1245feb31..e4abd9907 100644
+index 38079476a..b3ff08904 100644
 --- a/dirsrvtests/tests/suites/password/password_test.py
 +++ b/dirsrvtests/tests/suites/password/password_test.py
-@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
+@@ -65,6 +65,62 @@ def test_password_delete_specific_password(topology_st):
      log.info('test_password_delete_specific_password: PASSED')
  
  
@@ -76,10 +76,10 @@ index 1245feb31..e4abd9907 100644
      # Run isolated
      # -s for DEBUG mode
 diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index a20984e0b..fb65d58b3 100644
+index 5ca78539c..669bb104c 100644
 --- a/ldap/servers/slapd/modify.c
 +++ b/ldap/servers/slapd/modify.c
-@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+@@ -765,8 +765,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
       * flagged - leave mod attributes alone */
      if (!repl_op && !skip_modified_attrs && lastmod) {
          modify_update_last_modified_attr(pb, &smods);
@@ -90,7 +90,7 @@ index a20984e0b..fb65d58b3 100644
      if (0 == slapi_mods_get_num_mods(&smods)) {
          /* nothing to do - no mods - this is not an error - just
             send back LDAP_SUCCESS */
-@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+@@ -933,8 +935,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
  
              /* encode password */
              if (pw_encodevals_ext(pb, sdn, va)) {
@@ -104,5 +104,5 @@ index a20984e0b..fb65d58b3 100644
                  goto free_and_return;
              }
 -- 
-2.41.0
+2.45.0
 
diff --git a/0007-CVE-2024-3657.patch b/0007-CVE-2024-3657.patch
index dba55ff..722e51c 100644
--- a/0007-CVE-2024-3657.patch
+++ b/0007-CVE-2024-3657.patch
@@ -1,4 +1,4 @@
-From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
+From d5bbe52fbe84a7d3b5938bf82d5c4af15061a8e2 Mon Sep 17 00:00:00 2001
 From: Pierre Rogier <progier@redhat.com>
 Date: Wed, 17 Apr 2024 18:18:04 +0200
 Subject: [PATCH] CVE-2024-3657
@@ -9,7 +9,7 @@ Subject: [PATCH] CVE-2024-3657
  2 files changed, 92 insertions(+), 53 deletions(-)
 
 diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
-index 964facae5..5390a0f9c 100644
+index ecc7bf979..40526bb16 100644
 --- a/dirsrvtests/tests/suites/filter/large_filter_test.py
 +++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
 @@ -13,19 +13,29 @@ verify and testing  Filter from a search
@@ -43,7 +43,7 @@ index 964facae5..5390a0f9c 100644
  @pytest.fixture(scope="module")
  def _create_entries(request, topo):
      """
-@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
+@@ -160,6 +170,28 @@ def test_large_filter(topo, _create_entries, real_value):
      assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
  
  
@@ -73,10 +73,10 @@ index 964facae5..5390a0f9c 100644
      CURRENT_FILE = os.path.realpath(__file__)
      pytest.main("-s -v %s" % CURRENT_FILE)
 diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 86bc825fe..bdac0a616 100644
+index 410db23d1..30fa09ebb 100644
 --- a/ldap/servers/slapd/back-ldbm/index.c
 +++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
+@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
  #define INDEX_BUFFER_FLAG_SERIALIZE 1
  #define INDEX_BUFFER_FLAG_STATS 2
  
@@ -109,7 +109,7 @@ index 86bc825fe..bdac0a616 100644
  /* Index buffering functions */
  
  static int
-@@ -802,65 +828,46 @@ index_add_mods(
+@@ -799,65 +825,46 @@ index_add_mods(
  
  /*
   * Convert a 'struct berval' into a displayable ASCII string
@@ -209,5 +209,5 @@ index 86bc825fe..bdac0a616 100644
  
  static const char *
 -- 
-2.44.0
+2.45.0
 
diff --git a/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch b/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
new file mode 100644
index 0000000..cd2f206
--- /dev/null
+++ b/0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
@@ -0,0 +1,143 @@
+From 6e5f03d5872129963106024f53765234a282406c Mon Sep 17 00:00:00 2001
+From: James Chapman <jachapma@redhat.com>
+Date: Fri, 16 Feb 2024 11:13:16 +0000
+Subject: [PATCH] Issue 6096 - Improve connection timeout error logging (#6097)
+
+Bug description: When a paged result search is run with a time limit,
+if the time limit is exceed the server closes the connection with
+closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
+is incorrect as the reason the connection has been closed was because
+the specified time limit on a paged result search has been exceeded.
+
+Fix description: Correct error message
+
+Relates: https://github.com/389ds/389-ds-base/issues/6096
+
+Reviewed by: @tbordaz (Thank you)
+---
+ ldap/admin/src/logconv.pl                     | 24 ++++++++++++++++++-
+ ldap/servers/slapd/daemon.c                   |  4 ++--
+ ldap/servers/slapd/disconnect_error_strings.h |  1 +
+ ldap/servers/slapd/disconnect_errors.h        |  2 +-
+ 4 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
+index 7698c383a..2a933c4a3 100755
+--- a/ldap/admin/src/logconv.pl
++++ b/ldap/admin/src/logconv.pl
+@@ -267,7 +267,7 @@ my $optimeAvg = 0;
+ my %cipher = ();
+ my @removefiles = ();
+ 
+-my @conncodes = qw(A1 B1 B4 T1 T2 B2 B3 R1 P1 P2 U1);
++my @conncodes = qw(A1 B1 B4 T1 T2 T3 B2 B3 R1 P1 P2 U1);
+ my %conn = ();
+ map {$conn{$_} = $_} @conncodes;
+ 
+@@ -355,6 +355,7 @@ $connmsg{"B1"} = "Bad Ber Tag Encountered";
+ $connmsg{"B4"} = "Server failed to flush data (response) back to Client";
+ $connmsg{"T1"} = "Idle Timeout Exceeded";
+ $connmsg{"T2"} = "IO Block Timeout Exceeded or NTSSL Timeout";
++$connmsg{"T3"} = "Paged Search Time Limit Exceeded";
+ $connmsg{"B2"} = "Ber Too Big";
+ $connmsg{"B3"} = "Ber Peek";
+ $connmsg{"R1"} = "Revents";
+@@ -1723,6 +1724,10 @@ if ($usage =~ /j/i || $verb eq "yes"){
+ 		print "\n $recCount.  You have some coonections that are being closed by the ioblocktimeout setting. You may want to increase the ioblocktimeout.\n";
+ 		$recCount++;
+ 	}
++	if (defined($conncount->{"T3"}) and $conncount->{"T3"} > 0){
++		print "\n $recCount.  You have some connections that are being closed because a paged result search limit has been exceeded. You may want to increase the search time limit.\n";
++		$recCount++;
++	}
+ 	# compare binds to unbinds, if the difference is more than 30% of the binds, then report a issue
+ 	if (($bindCount - $unbindCount) > ($bindCount*.3)){
+ 		print "\n $recCount.  You have a significant difference between binds and unbinds.  You may want to investigate this difference.\n";
+@@ -2366,6 +2371,7 @@ sub parseLineNormal
+ 		$brokenPipeCount++;
+ 		if (m/- T1/){ $hashes->{rc}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{rc}->{"T2"}++; }
++		elsif (m/- T3/){ $hashes->{rc}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{rc}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{rc}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{rc}->{"B4"}++; }
+@@ -2381,6 +2387,7 @@ sub parseLineNormal
+ 		$connResetByPeerCount++;
+ 		if (m/- T1/){ $hashes->{src}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{src}->{"T2"}++; }
++		elsif (m/- T3/){ $hashes->{src}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{src}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{src}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{src}->{"B4"}++; }
+@@ -2396,6 +2403,7 @@ sub parseLineNormal
+ 		$resourceUnavailCount++;
+ 		if (m/- T1/){ $hashes->{rsrc}->{"T1"}++; }
+ 		elsif (m/- T2/){ $hashes->{rsrc}->{"T2"}++; }
++		elsif (m/- T3/){ $hashes->{rsrc}->{"T3"}++; }
+ 		elsif (m/- A1/){ $hashes->{rsrc}->{"A1"}++; }
+ 		elsif (m/- B1/){ $hashes->{rsrc}->{"B1"}++; }
+ 		elsif (m/- B4/){ $hashes->{rsrc}->{"B4"}++; }
+@@ -2494,6 +2502,20 @@ sub parseLineNormal
+ 				}
+ 			}
+ 		}
++		if (m/- T3/){
++			if ($_ =~ /conn= *([0-9A-Z]+)/i) {
++				$exc = "no";
++				$ip = getIPfromConn($1, $serverRestartCount);
++				for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
++					if ($ip eq $excludeIP[$xxx]){$exc = "yes";}
++				}
++				if ($exc ne "yes"){
++					$hashes->{T3}->{$ip}++;
++					$hashes->{conncount}->{"T3"}++;
++					$connCodeCount++;
++				}
++			}
++		}
+ 		if (m/- B2/){
+ 			if ($_ =~ /conn= *([0-9A-Z]+)/i) {
+ 				$exc = "no";
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index 5a48aa66f..bb80dae36 100644
+--- a/ldap/servers/slapd/daemon.c
++++ b/ldap/servers/slapd/daemon.c
+@@ -1599,9 +1599,9 @@ setup_pr_read_pds(Connection_Table *ct)
+                     int add_fd = 1;
+                     /* check timeout for PAGED RESULTS */
+                     if (pagedresults_is_timedout_nolock(c)) {
+-                        /* Exceeded the timelimit; disconnect the client */
++                        /* Exceeded the paged search timelimit; disconnect the client */
+                         disconnect_server_nomutex(c, c->c_connid, -1,
+-                                                  SLAPD_DISCONNECT_IO_TIMEOUT,
++                                                  SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT,
+                                                   0);
+                         connection_table_move_connection_out_of_active_list(ct,
+                                                                             c);
+diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
+index f7a31d728..c2d9e283b 100644
+--- a/ldap/servers/slapd/disconnect_error_strings.h
++++ b/ldap/servers/slapd/disconnect_error_strings.h
+@@ -27,6 +27,7 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4")
+ ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1")
+ ER2(SLAPD_DISCONNECT_REVENTS, "R1")
+ ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2")
++ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
+ ER2(SLAPD_DISCONNECT_PLUGIN, "P1")
+ ER2(SLAPD_DISCONNECT_UNBIND, "U1")
+ ER2(SLAPD_DISCONNECT_POLL, "P2")
+diff --git a/ldap/servers/slapd/disconnect_errors.h b/ldap/servers/slapd/disconnect_errors.h
+index a0484f1c2..e118f674c 100644
+--- a/ldap/servers/slapd/disconnect_errors.h
++++ b/ldap/servers/slapd/disconnect_errors.h
+@@ -35,6 +35,6 @@
+ #define SLAPD_DISCONNECT_SASL_FAIL SLAPD_DISCONNECT_ERROR_BASE + 12
+ #define SLAPD_DISCONNECT_PROXY_INVALID_HEADER SLAPD_DISCONNECT_ERROR_BASE + 13
+ #define SLAPD_DISCONNECT_PROXY_UNKNOWN SLAPD_DISCONNECT_ERROR_BASE + 14
+-
++#define SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT SLAPD_DISCONNECT_ERROR_BASE + 15
+ 
+ #endif /* __DISCONNECT_ERRORS_H_ */
+-- 
+2.45.0
+
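Review bot: The exclude-list loop in the new T3 block of logconv.pl, `for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){`, stops one index short, so the last entry of @excludeIP is never compared and a single excluded IP is never excluded; `for (my $xxx = 0; $xxx <= $#excludeIP; $xxx++){` (or `foreach my $x (@excludeIP)`) covers the whole list. This looks mirrored from the neighbouring T1/T2/B2 blocks whose loops fall outside this hunk, so if they share the pattern the correction belongs in all of them rather than only in the new copy. Separately, the daemon.c change moves the paged-search timeout path from disconnect code T2 to the new T3, which is the intent of the fix, but any access-log parsing or alerting that counts T2 disconnects will see this category shift after the upgrade; a line in the changelog entry naming the new code would help operators adjust.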
diff --git a/389-ds-base.spec b/389-ds-base.spec
index bc5e6e5..d7fb6ba 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.39
-Release:          %{?relprefix}4%{?prerel}%{?dist}
+Release:          %{?relprefix}5%{?prerel}%{?dist}
 License:          GPLv3+ and (ASL 2.0 or MIT)
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@@ -297,9 +297,10 @@ Patch01:          0001-issue-5647-covscan-memory-leak-in-audit-log-when-add.patc
 Patch02:          0002-Issue-5647-Fix-unused-variable-warning-from-previous.patch
 Patch03:          0003-Issue-5407-sync_repl-crashes-if-enabled-while-dynami.patch
 Patch04:          0004-Issue-5547-automember-plugin-improvements.patch
-Patch05:          0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+Patch05:          0005-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
 Patch06:          0006-CVE-2024-2199.patch
 Patch07:          0007-CVE-2024-3657.patch
+Patch08:          0008-Issue-6096-Improve-connection-timeout-error-logging-.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -921,6 +922,10 @@ exit 0
 %doc README.md
 
 %changelog
+* Tue Jun 11 2024 Viktor Ashirov <vashirov@redhat.com> - 1.4.3.39-5
+- Bump version to 1.4.3.39-5
+- Resolves: RHEL-16277 - LDAP connections are closed with code T2 before the IO block timeout is reached. [rhel-8.10.0.z]
+
 * Thu Jun 06 2024 James Chapman <jachapma@redhat.com> - 1.4.3.39-4
 - Bump version to 1.4.3.39-4
 - Resolves: RHEL-34818 - redhat-ds:11/389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c
diff --git a/main.fmf b/main.fmf
new file mode 100644
index 0000000..76d16bf
--- /dev/null
+++ b/main.fmf
@@ -0,0 +1,17 @@
+/plan:
+    summary: Basic test suite
+    discover:
+        how: fmf
+    execute:
+        how: tmt
+    prepare:
+      - name: install required packages
+        how: install
+        package: [389-ds-base, git, pytest]
+      - name: clone repo
+        how: shell
+        script: git clone https://github.com/389ds/389-ds-base /root/ds
+/test:
+    /upstream_basic:
+        test: pytest -v /root/ds/dirsrvtests/tests/suites/basic/basic_test.py
+        duration: 30m
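Review bot: The clone step `script: git clone https://github.com/389ds/389-ds-base /root/ds` checks out the upstream default branch with no branch, tag or commit pin, so the basic_test.py run against this 1.4.3.39 build is whatever upstream HEAD holds at test time, which makes the result non-reproducible and lets the suite drift or break independently of the package; the deleted tests/tests.yml did pin a `ds_repo_version`. Pin the checkout, e.g. `script: git clone --depth 1 --branch <BRANCH_OR_TAG_MATCHING_1.4.3> https://github.com/389ds/389-ds-base /root/ds`, and note the chosen ref in the plan summary. The prepare step installs only `389-ds-base, git, pytest`, whereas the old plan set `PYTHONPATH=../../src/lib389` and required python3-pytest and python3-distro, so the suite presumably still needs lib389 on the path and the RHEL package name is python3-pytest rather than pytest — confirm both resolve under tmt's install step before relying on this plan.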
diff --git a/tests/tests.yml b/tests/tests.yml
deleted file mode 100644
index a2570d1..0000000
--- a/tests/tests.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-- hosts: localhost
-  remote_user: root
-  vars:
-    ds_repo_url: https://github.com/389ds/389-ds-base.git
-    ds_repo_dir: ds
-    ds_repo_version: 389-ds-base-2.1
-    ds_tests: "{{ ds_repo_dir }}/dirsrvtests/tests"
-    pytest: "py.test-3"
-    pytest_args: "-v"
-    pytest_tier0_tests: "-m tier0"
-    pytest_tier1_tests: "-m 'tier1 and not tier2'"
-    pytest_run_command: "PYTHONPATH=../../src/lib389 {{ pytest }} {{ pytest_args }}"
-    artifacts: ./artifacts
-  pre_tasks:
-    - name: Install policycoreutils
-      action: >
-        {{ ansible_pkg_mgr }} name=policycoreutils-python-utils state=present
-      tags: always
-      ignore_errors: yes
-    - name: Prelabel non-secure ports
-      tags: always
-      shell: "semanage port -a -t ldap_port_t -p tcp 38900-39299"
-      ignore_errors: yes
-    - name: Prelabel secure ports
-      tags: always
-      shell: "semanage port -a -t ldap_port_t -p tcp 63600-63999"
-      ignore_errors: yes
-    - name: Install pip
-      action: >
-        {{ ansible_pkg_mgr }} name=python3-pip state=present
-      tags: always
-      ignore_errors: yes
-    - name: Install slugify
-      tags: always
-      shell: "pip3 install slugify"
-      ignore_errors: yes
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "{{ ds_repo_url }}"
-      dest: "{{ ds_repo_dir }}"
-      version: "{{ ds_repo_version }}"
-    tests:
-    - tier0:
-        dir: "{{ ds_tests }}"
-        run: "{{ pytest_run_command }} {{ pytest_tier0_tests }}"
-    - tier1:
-        dir: "{{ ds_tests }}"
-        run: "{{ pytest_run_command }} {{ pytest_tier1_tests }}"
-    required_packages:
-    - python3-pytest
-    - python3-distro
-    - 389-ds-base
-    - 389-ds-base-snmp
-    - cracklib-dicts