Bump version to 3.0.4

Viktor Ashirov 2024-08-21 20:21:30 +02:00
parent 057607d6c3
commit 53cbf5eef2
7 changed files with 41 additions and 466 deletions

1
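--- a/.gitignore
+++ b/.gitignore
@@ -228,3 +228,4 @@
 /389-ds-base-3.0.1.tar.bz2
 /389-ds-base-3.0.3.tar.bz2
 /libdb-5.3.28-59.tar.bz2
+/389-ds-base-3.0.4.tar.bz2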


@ -1,40 +0,0 @@
From cc556a853531190ff829b08e67c30bd986543f03 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Mon, 10 Jun 2024 09:43:38 +0200
Subject: [PATCH] Issue 6120 - /usr/lib64/dirsrv/plugins/libback-bdb.so has an
invalid-looking DT_RPATH: /usr/lib/dirsrv
Bug Description:
rpminspect reports an invalid DT_RPATH /usr/lib/dirsrv
It's evaluated in m4/bundle_libdb.m4 from
```
-R${prefix}/lib/dirsrv"
```
Fix Description:
Change it to lib64
Fixes: https://github.com/389ds/389-ds-base/issues/6210
Reviewed by: @progier389 (Thanks!)
---
m4/bundle_libdb.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/m4/bundle_libdb.m4 b/m4/bundle_libdb.m4
index c9bf3142e..3ae3beb49 100644
--- a/m4/bundle_libdb.m4
+++ b/m4/bundle_libdb.m4
@@ -8,7 +8,7 @@
AC_MSG_CHECKING(Handling bundle_libdb)
-db_lib="-L${with_bundle_libdb}/.libs -R${prefix}/lib/dirsrv"
+db_lib="-L${with_bundle_libdb}/.libs -R${prefix}/lib64/dirsrv"
db_incdir=$with_bundle_libdb
db_inc="-I $db_incdir"
db_libver="5.3-389ds"
--
2.45.0


@ -1,213 +0,0 @@
From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Wed, 17 Apr 2024 18:18:04 +0200
Subject: [PATCH] CVE-2024-3657
---
.../tests/suites/filter/large_filter_test.py | 34 +++++-
ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++--------
2 files changed, 92 insertions(+), 53 deletions(-)
diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
index 964facae5..5390a0f9c 100644
--- a/dirsrvtests/tests/suites/filter/large_filter_test.py
+++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
@@ -13,19 +13,29 @@ verify and testing Filter from a search
import os
import pytest
+import ldap
-from lib389._constants import PW_DM
+from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog
from lib389.topologies import topology_st as topo
from lib389.idm.user import UserAccounts, UserAccount
from lib389.idm.account import Accounts
from lib389.backend import Backends
from lib389.idm.domain import Domain
+from lib389.utils import get_ldapurl_from_serverid
SUFFIX = 'dc=anuj,dc=com'
pytestmark = pytest.mark.tier1
+def open_new_ldapi_conn(dsinstance):
+ ldapurl, certdir = get_ldapurl_from_serverid(dsinstance)
+ assert 'ldapi://' in ldapurl
+ conn = ldap.initialize(ldapurl)
+ conn.sasl_interactive_bind_s("", ldap.sasl.external())
+ return conn
+
+
@pytest.fixture(scope="module")
def _create_entries(request, topo):
"""
@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
+def test_long_filter_value(topo):
+ """Exercise large eq filter with dn syntax attributes
+
+ :id: b069ef72-fcc3-11ee-981c-482ae39447e5
+ :setup: Standalone
+ :steps:
+ 1. Try to pass filter rules as per the condition.
+ :expectedresults:
+ 1. Pass
+ """
+ inst = topo.standalone
+ conn = open_new_ldapi_conn(inst.serverid)
+ inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER))
+ filter_value = "a\x1Edmin" * 1025
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
+ filter_value = "aAdmin" * 1025
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
+ filter_value = "*"
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
+ inst.config.loglevel(vals=(ErrorLog.DEFAULT,))
+
+
if __name__ == '__main__':
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s -v %s" % CURRENT_FILE)
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index 86bc825fe..bdac0a616 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
#define INDEX_BUFFER_FLAG_SERIALIZE 1
#define INDEX_BUFFER_FLAG_STATS 2
+/*
+ * space needed to encode a byte:
+ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
+ * 0x22 and 0x5C requires 2 bytes: \" and \\
+ * other requires 1 byte: c
+ */
+static char encode_size[] = {
+ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
+ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
+ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+};
+
+
/* Index buffering functions */
static int
@@ -802,65 +828,46 @@ index_add_mods(
/*
* Convert a 'struct berval' into a displayable ASCII string
+ * returns the printable string
*/
-
-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
-
const char *
encode(const struct berval *data, char buf[BUFSIZ])
{
- char *s;
- char *last;
- if (data == NULL || data->bv_len == 0)
- return "";
- last = data->bv_val + data->bv_len - 1;
- for (s = data->bv_val; s < last; ++s) {
- if (SPECIAL(*s)) {
- char *first = data->bv_val;
- char *bufNext = buf;
- size_t bufSpace = BUFSIZ - 4;
- while (1) {
- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
- if (bufSpace < (size_t)(s - first))
- s = first + bufSpace - 1;
- if (s != first) {
- memcpy(bufNext, first, s - first);
- bufNext += (s - first);
- bufSpace -= (s - first);
- }
- do {
- if (bufSpace) {
- *bufNext++ = '\\';
- --bufSpace;
- }
- if (bufSpace < 2) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
- if (*s == '\\' || *s == '"') {
- *bufNext++ = *s;
- --bufSpace;
- } else {
- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
- bufNext += 2;
- bufSpace -= 2;
- }
- } while (++s <= last && SPECIAL(*s));
- if (s > last)
- break;
- first = s;
- while (!SPECIAL(*s) && s <= last)
- ++s;
- }
- bail:
- *bufNext = '\0';
- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
+ if (!data || !data->bv_val) {
+ strcpy(buf, "<NULL>");
+ return buf;
+ }
+ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */
+ char *ptout = buf;
+ unsigned char *ptin = (unsigned char*) data->bv_val;
+ unsigned char *endptin = ptin+data->bv_len;
+
+ while (ptin < endptin) {
+ if (ptout >= endbuff) {
+ /*
+ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
+ * truncated anyway. So there is no real interrest to test if the original
+ * data contains no special characters and return it as is.
+ */
+ strcpy(endbuff, "...");
return buf;
}
+ switch (encode_size[*ptin]) {
+ case 1:
+ *ptout++ = *ptin++;
+ break;
+ case 2:
+ *ptout++ = '\\';
+ *ptout++ = *ptin++;
+ break;
+ case 3:
+ sprintf(ptout, "\\%02x", *ptin++);
+ ptout += 3;
+ break;
+ }
}
- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
- return data->bv_val;
+ *ptout = 0;
+ return buf;
}
static const char *
--
2.44.0


@ -1,145 +0,0 @@
From 52a9ee6556a0467f5134fb6392ff1681a38f3252 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Fri, 14 Jun 2024 13:27:10 +0200
Subject: [PATCH] CVE-2024-5953
---
.../tests/suites/password/regression_test.py | 51 ++++++++++++++++++-
ldap/servers/plugins/pwdstorage/md5_pwd.c | 9 +++-
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 6 +++
3 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
index 4876ff435..160d6f01d 100644
--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -8,11 +8,12 @@
import pytest
import time
import glob
+import base64
from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB, DEFAULT_BENAME
from lib389 import Entry
from lib389.topologies import topology_m1 as topo_supplier
-from lib389.idm.user import UserAccounts
+from lib389.idm.user import UserAccounts, UserAccount
from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
from lib389.topologies import topology_st as topo
from lib389.idm.organizationalunit import OrganizationalUnits
@@ -40,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
TEST_PASSWORDS2 = (
'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
+SUPPORTED_SCHEMES = (
+ "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
+ "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
+ "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
+ "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
+ "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
+
def _check_unhashed_userpw(inst, user_dn, is_present=False):
"""Check if unhashed#user#password attribute is present or not in the changelog"""
unhashed_pwd_attribute = 'unhashed#user#password'
@@ -319,6 +327,47 @@ def test_unhashed_pw_switch(topo_supplier):
# Add debugging steps(if any)...
pass
+@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
+def test_long_hashed_password(topo, create_user, scheme):
+ """Check that hashed password with very long value does not cause trouble
+
+ :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
+ :setup: standalone Instance
+ :parametrized: yes
+ :steps:
+ 1. Add a test user user
+ 2. Set a long password with requested scheme
+ 3. Bind on that user using a wrong password
+ 4. Check that instance is still alive
+ 5. Remove the added user
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3. Should get ldap.INVALID_CREDENTIALS exception
+ 4. Success
+ 5. Success
+ """
+ inst = topo.standalone
+ inst.simple_bind_s(DN_DM, PASSWORD)
+ users = UserAccounts(inst, DEFAULT_SUFFIX)
+ # Make sure that server is started as this test may crash it
+ inst.start()
+ # Adding Test user (It may already exists if previous test failed)
+ user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
+ if not user2.exists():
+ user2 = users.create_test_user(uid=1002, gid=2002)
+ # Setting hashed password
+ passwd = 'A'*4000
+ hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
+ user2.replace('userpassword', hashed_passwd)
+ # Bind on that user using a wrong password
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ conn = user2.bind(PASSWORD)
+ # Check that instance is still alive
+ assert inst.status()
+ # Remove the added user
+ user2.delete()
+
if __name__ == '__main__':
# Run isolated
diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
index 1e2cf58e7..b9a48d5ca 100644
--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
unsigned char hash_out[MD5_HASH_LEN];
unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
SECItem binary_item;
+ size_t dbpwd_len = strlen(dbpwd);
ctx = PK11_CreateDigestContext(SEC_OID_MD5);
if (ctx == NULL) {
@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
goto loser;
}
+ if (dbpwd_len >= sizeof b2a_out) {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+ "The hashed password stored in the user entry is longer than any valid md5 hash");
+ goto loser;
+ }
+
/* create the hash */
PK11_DigestBegin(ctx);
PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
/* bver points to b2a_out upon success */
if (bver) {
- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
+ rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
} else {
slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
"Could not base64 encode hashed value for password compare");
diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
index dcac4fcdd..82b8c9501 100644
--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
passItem.data = (unsigned char *)userpwd;
passItem.len = strlen(userpwd);
+ if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
+ /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
+ return result;
+ }
+
/* Decode the DBpwd to bytes from b64 */
if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
--
2.44.0


@ -1,25 +0,0 @@
From 323f74c69f84a8482413ecd73cf61d09cfc4a0a1 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Mon, 24 Jun 2024 15:51:28 +0200
Subject: [PATCH] CVE-2024-6237
---
ldap/servers/plugins/syntaxes/inchain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
index df19c973b..0a6a04e9f 100644
--- a/ldap/servers/plugins/syntaxes/inchain.c
+++ b/ldap/servers/plugins/syntaxes/inchain.c
@@ -277,7 +277,7 @@ inchain_values2keys(Slapi_PBlock *pb, Slapi_Value **vals, Slapi_Value ***ivals,
slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &base_sdn);
if (! slapi_attr_is_dn_syntax_type(mrTYPE)) {
- slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n");
+ slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n", mrTYPE);
result = (Slapi_Value **)slapi_ch_calloc(1, sizeof(Slapi_Value *));
*ivals = result;
return(0);
--
2.44.0


@ -60,7 +60,7 @@ ExcludeArch: i686
Summary: 389 Directory Server (%{variant}) Summary: 389 Directory Server (%{variant})
Name: 389-ds-base Name: 389-ds-base
Version: 3.0.3 Version: 3.0.4
Release: %{autorelease -n %{?with_asan:-e asan}}%{?dist} Release: %{autorelease -n %{?with_asan:-e asan}}%{?dist}
License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0 License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
Conflicts: selinux-policy-base < 3.9.8 Conflicts: selinux-policy-base < 3.9.8
@ -72,53 +72,53 @@ Obsoletes: %{name}-legacy-tools-debuginfo < 1.4.4.6
Provides: ldif2ldbm >= 0 Provides: ldif2ldbm >= 0
##### Bundled cargo crates list - START ##### ##### Bundled cargo crates list - START #####
Provides: bundled(crate(addr2line)) = 0.21.0 Provides: bundled(crate(addr2line)) = 0.22.0
Provides: bundled(crate(adler)) = 1.0.2 Provides: bundled(crate(adler)) = 1.0.2
Provides: bundled(crate(ahash)) = 0.7.8 Provides: bundled(crate(ahash)) = 0.7.8
Provides: bundled(crate(atty)) = 0.2.14 Provides: bundled(crate(atty)) = 0.2.14
Provides: bundled(crate(autocfg)) = 1.3.0 Provides: bundled(crate(autocfg)) = 1.3.0
Provides: bundled(crate(backtrace)) = 0.3.71 Provides: bundled(crate(backtrace)) = 0.3.73
Provides: bundled(crate(base64)) = 0.13.1 Provides: bundled(crate(base64)) = 0.13.1
Provides: bundled(crate(bitflags)) = 2.5.0 Provides: bundled(crate(bitflags)) = 2.6.0
Provides: bundled(crate(byteorder)) = 1.5.0 Provides: bundled(crate(byteorder)) = 1.5.0
Provides: bundled(crate(cbindgen)) = 0.26.0 Provides: bundled(crate(cbindgen)) = 0.26.0
Provides: bundled(crate(cc)) = 1.0.97 Provides: bundled(crate(cc)) = 1.1.7
Provides: bundled(crate(cfg-if)) = 1.0.0 Provides: bundled(crate(cfg-if)) = 1.0.0
Provides: bundled(crate(clap)) = 3.2.25 Provides: bundled(crate(clap)) = 3.2.25
Provides: bundled(crate(clap_lex)) = 0.2.4 Provides: bundled(crate(clap_lex)) = 0.2.4
Provides: bundled(crate(concread)) = 0.2.21 Provides: bundled(crate(concread)) = 0.2.21
Provides: bundled(crate(crossbeam)) = 0.8.4 Provides: bundled(crate(crossbeam)) = 0.8.4
Provides: bundled(crate(crossbeam-channel)) = 0.5.12 Provides: bundled(crate(crossbeam-channel)) = 0.5.13
Provides: bundled(crate(crossbeam-deque)) = 0.8.5 Provides: bundled(crate(crossbeam-deque)) = 0.8.5
Provides: bundled(crate(crossbeam-epoch)) = 0.9.18 Provides: bundled(crate(crossbeam-epoch)) = 0.9.18
Provides: bundled(crate(crossbeam-queue)) = 0.3.11 Provides: bundled(crate(crossbeam-queue)) = 0.3.11
Provides: bundled(crate(crossbeam-utils)) = 0.8.19 Provides: bundled(crate(crossbeam-utils)) = 0.8.20
Provides: bundled(crate(errno)) = 0.3.9 Provides: bundled(crate(errno)) = 0.3.9
Provides: bundled(crate(fastrand)) = 2.1.0 Provides: bundled(crate(fastrand)) = 2.1.0
Provides: bundled(crate(fernet)) = 0.1.4 Provides: bundled(crate(fernet)) = 0.1.4
Provides: bundled(crate(foreign-types)) = 0.3.2 Provides: bundled(crate(foreign-types)) = 0.3.2
Provides: bundled(crate(foreign-types-shared)) = 0.1.1 Provides: bundled(crate(foreign-types-shared)) = 0.1.1
Provides: bundled(crate(getrandom)) = 0.2.15 Provides: bundled(crate(getrandom)) = 0.2.15
Provides: bundled(crate(gimli)) = 0.28.1 Provides: bundled(crate(gimli)) = 0.29.0
Provides: bundled(crate(hashbrown)) = 0.12.3 Provides: bundled(crate(hashbrown)) = 0.12.3
Provides: bundled(crate(heck)) = 0.4.1 Provides: bundled(crate(heck)) = 0.4.1
Provides: bundled(crate(hermit-abi)) = 0.1.19 Provides: bundled(crate(hermit-abi)) = 0.1.19
Provides: bundled(crate(indexmap)) = 1.9.3 Provides: bundled(crate(indexmap)) = 1.9.3
Provides: bundled(crate(instant)) = 0.1.12 Provides: bundled(crate(instant)) = 0.1.13
Provides: bundled(crate(itoa)) = 1.0.11 Provides: bundled(crate(itoa)) = 1.0.11
Provides: bundled(crate(jobserver)) = 0.1.31 Provides: bundled(crate(jobserver)) = 0.1.32
Provides: bundled(crate(libc)) = 0.2.154 Provides: bundled(crate(libc)) = 0.2.155
Provides: bundled(crate(linux-raw-sys)) = 0.4.13 Provides: bundled(crate(linux-raw-sys)) = 0.4.14
Provides: bundled(crate(lock_api)) = 0.4.12 Provides: bundled(crate(lock_api)) = 0.4.12
Provides: bundled(crate(log)) = 0.4.21 Provides: bundled(crate(log)) = 0.4.22
Provides: bundled(crate(lru)) = 0.7.8 Provides: bundled(crate(lru)) = 0.7.8
Provides: bundled(crate(memchr)) = 2.7.2 Provides: bundled(crate(memchr)) = 2.7.4
Provides: bundled(crate(miniz_oxide)) = 0.7.2 Provides: bundled(crate(miniz_oxide)) = 0.7.4
Provides: bundled(crate(object)) = 0.32.2 Provides: bundled(crate(object)) = 0.36.2
Provides: bundled(crate(once_cell)) = 1.19.0 Provides: bundled(crate(once_cell)) = 1.19.0
Provides: bundled(crate(openssl)) = 0.10.64 Provides: bundled(crate(openssl)) = 0.10.66
Provides: bundled(crate(openssl-macros)) = 0.1.1 Provides: bundled(crate(openssl-macros)) = 0.1.1
Provides: bundled(crate(openssl-sys)) = 0.9.102 Provides: bundled(crate(openssl-sys)) = 0.9.103
Provides: bundled(crate(os_str_bytes)) = 6.6.1 Provides: bundled(crate(os_str_bytes)) = 6.6.1
Provides: bundled(crate(parking_lot)) = 0.11.2 Provides: bundled(crate(parking_lot)) = 0.11.2
Provides: bundled(crate(parking_lot_core)) = 0.8.6 Provides: bundled(crate(parking_lot_core)) = 0.8.6
@ -126,9 +126,9 @@ Provides: bundled(crate(paste)) = 0.1.18
Provides: bundled(crate(paste-impl)) = 0.1.18 Provides: bundled(crate(paste-impl)) = 0.1.18
Provides: bundled(crate(pin-project-lite)) = 0.2.14 Provides: bundled(crate(pin-project-lite)) = 0.2.14
Provides: bundled(crate(pkg-config)) = 0.3.30 Provides: bundled(crate(pkg-config)) = 0.3.30
Provides: bundled(crate(ppv-lite86)) = 0.2.17 Provides: bundled(crate(ppv-lite86)) = 0.2.18
Provides: bundled(crate(proc-macro-hack)) = 0.5.20+deprecated Provides: bundled(crate(proc-macro-hack)) = 0.5.20+deprecated
Provides: bundled(crate(proc-macro2)) = 1.0.82 Provides: bundled(crate(proc-macro2)) = 1.0.86
Provides: bundled(crate(quote)) = 1.0.36 Provides: bundled(crate(quote)) = 1.0.36
Provides: bundled(crate(rand)) = 0.8.5 Provides: bundled(crate(rand)) = 0.8.5
Provides: bundled(crate(rand_chacha)) = 0.3.1 Provides: bundled(crate(rand_chacha)) = 0.3.1
@ -138,38 +138,40 @@ Provides: bundled(crate(rustc-demangle)) = 0.1.24
Provides: bundled(crate(rustix)) = 0.38.34 Provides: bundled(crate(rustix)) = 0.38.34
Provides: bundled(crate(ryu)) = 1.0.18 Provides: bundled(crate(ryu)) = 1.0.18
Provides: bundled(crate(scopeguard)) = 1.2.0 Provides: bundled(crate(scopeguard)) = 1.2.0
Provides: bundled(crate(serde)) = 1.0.201 Provides: bundled(crate(serde)) = 1.0.204
Provides: bundled(crate(serde_derive)) = 1.0.201 Provides: bundled(crate(serde_derive)) = 1.0.204
Provides: bundled(crate(serde_json)) = 1.0.117 Provides: bundled(crate(serde_json)) = 1.0.121
Provides: bundled(crate(smallvec)) = 1.13.2 Provides: bundled(crate(smallvec)) = 1.13.2
Provides: bundled(crate(strsim)) = 0.10.0 Provides: bundled(crate(strsim)) = 0.10.0
Provides: bundled(crate(syn)) = 2.0.61 Provides: bundled(crate(syn)) = 2.0.72
Provides: bundled(crate(tempfile)) = 3.10.1 Provides: bundled(crate(tempfile)) = 3.10.1
Provides: bundled(crate(termcolor)) = 1.4.1 Provides: bundled(crate(termcolor)) = 1.4.1
Provides: bundled(crate(textwrap)) = 0.16.1 Provides: bundled(crate(textwrap)) = 0.16.1
Provides: bundled(crate(tokio)) = 1.37.0 Provides: bundled(crate(tokio)) = 1.39.2
Provides: bundled(crate(tokio-macros)) = 2.2.0 Provides: bundled(crate(tokio-macros)) = 2.4.0
Provides: bundled(crate(toml)) = 0.5.11 Provides: bundled(crate(toml)) = 0.5.11
Provides: bundled(crate(unicode-ident)) = 1.0.12 Provides: bundled(crate(unicode-ident)) = 1.0.12
Provides: bundled(crate(uuid)) = 0.8.2 Provides: bundled(crate(uuid)) = 0.8.2
Provides: bundled(crate(vcpkg)) = 0.2.15 Provides: bundled(crate(vcpkg)) = 0.2.15
Provides: bundled(crate(version_check)) = 0.9.4 Provides: bundled(crate(version_check)) = 0.9.5
Provides: bundled(crate(wasi)) = 0.11.0+wasi_snapshot_preview1 Provides: bundled(crate(wasi)) = 0.11.0+wasi_snapshot_preview1
Provides: bundled(crate(winapi)) = 0.3.9 Provides: bundled(crate(winapi)) = 0.3.9
Provides: bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0 Provides: bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0
Provides: bundled(crate(winapi-util)) = 0.1.8 Provides: bundled(crate(winapi-util)) = 0.1.8
Provides: bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0 Provides: bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0
Provides: bundled(crate(windows-sys)) = 0.52.0 Provides: bundled(crate(windows-sys)) = 0.52.0
Provides: bundled(crate(windows-targets)) = 0.52.5 Provides: bundled(crate(windows-targets)) = 0.52.6
Provides: bundled(crate(windows_aarch64_gnullvm)) = 0.52.5 Provides: bundled(crate(windows_aarch64_gnullvm)) = 0.52.6
Provides: bundled(crate(windows_aarch64_msvc)) = 0.52.5 Provides: bundled(crate(windows_aarch64_msvc)) = 0.52.6
Provides: bundled(crate(windows_i686_gnu)) = 0.52.5 Provides: bundled(crate(windows_i686_gnu)) = 0.52.6
Provides: bundled(crate(windows_i686_gnullvm)) = 0.52.5 Provides: bundled(crate(windows_i686_gnullvm)) = 0.52.6
Provides: bundled(crate(windows_i686_msvc)) = 0.52.5 Provides: bundled(crate(windows_i686_msvc)) = 0.52.6
Provides: bundled(crate(windows_x86_64_gnu)) = 0.52.5 Provides: bundled(crate(windows_x86_64_gnu)) = 0.52.6
Provides: bundled(crate(windows_x86_64_gnullvm)) = 0.52.5 Provides: bundled(crate(windows_x86_64_gnullvm)) = 0.52.6
Provides: bundled(crate(windows_x86_64_msvc)) = 0.52.5 Provides: bundled(crate(windows_x86_64_msvc)) = 0.52.6
Provides: bundled(crate(zeroize)) = 1.7.0 Provides: bundled(crate(zerocopy)) = 0.6.6
Provides: bundled(crate(zerocopy-derive)) = 0.6.6
Provides: bundled(crate(zeroize)) = 1.8.1
Provides: bundled(crate(zeroize_derive)) = 1.4.2 Provides: bundled(crate(zeroize_derive)) = 1.4.2
Provides: bundled(npm(@aashutoshrathi/word-wrap)) = 1.2.6 Provides: bundled(npm(@aashutoshrathi/word-wrap)) = 1.2.6
Provides: bundled(npm(@eslint-community/eslint-utils)) = 4.4.0 Provides: bundled(npm(@eslint-community/eslint-utils)) = 4.4.0
@ -485,11 +487,6 @@ Source4: 389-ds-base.sysusers
Source5: https://fedorapeople.org/groups/389ds/libdb-5.3.28-59.tar.bz2 Source5: https://fedorapeople.org/groups/389ds/libdb-5.3.28-59.tar.bz2
%endif %endif
Patch: 0001-Issue-6120-usr-lib64-dirsrv-plugins-libback-bdb.so-h.patch
Patch: 0002-CVE-2024-3657.patch
Patch: 0003-CVE-2024-5953.patch
Patch: 0004-CVE-2024-6237.patch
%description %description
389 Directory Server is an LDAPv3 compliant server. The base package includes 389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration. the LDAP server and command line utilities for server administration.
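Review bot: The last hunk drops the four `Patch:` lines, three of which carry the downstream fixes for CVE-2024-3657, CVE-2024-5953 and CVE-2024-6237, and the commit message does not record that the 3.0.4 tarball already contains them. They are presumably merged upstream in 3.0.4, but that should be confirmed against the new source before the build ships, for example that `encode()` in `ldap/servers/slapd/back-ldbm/index.c` is the bounded rewrite and that `md5_pw_cmp` and `pbkdf2_sha256_pw_cmp` carry the stored-hash length checks. I would state it in the description, e.g. `Drop patches 0001-0004, all included upstream in 3.0.4`, so a later audit of the package history can see where each CVE fix went. The bundled-crate list also gains `zerocopy` and `zerocopy-derive` 0.6.6 while the `License:` tag is unchanged, so it is worth rechecking that the tag still covers the new crates.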


@ -1,3 +1,3 @@
SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1 SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1
SHA512 (389-ds-base-3.0.3.tar.bz2) = f9e5432d8acc7701c9455cb7b561ff6dd67a8e2f9d0340f47cf17b8a3558aa02dab7319d139a23e8f89682c2521c9c6852a097b702228785dda37cb03d2c9310 SHA512 (389-ds-base-3.0.4.tar.bz2) = 45ef03d288fc3c1e7a24474393fe769deb52413f57aa1517b71882fb4be653eeae041911d55e60b82079922e7995c55bb0653d3f1ea0a83622e84d6411c863fe
SHA512 (libdb-5.3.28-59.tar.bz2) = 731a434fa2e6487ebb05c458b0437456eb9f7991284beb08cb3e21931e23bdeddddbc95bfabe3a2f9f029fe69cd33a2d4f0f5ce6a9811e9c3b940cb6fde4bf79 SHA512 (libdb-5.3.28-59.tar.bz2) = 731a434fa2e6487ebb05c458b0437456eb9f7991284beb08cb3e21931e23bdeddddbc95bfabe3a2f9f029fe69cd33a2d4f0f5ce6a9811e9c3b940cb6fde4bf79