diff --git a/0001-Issue-2526-retrocl-backend-created-out-of-order.patch b/0001-Issue-2526-retrocl-backend-created-out-of-order.patch
deleted file mode 100644
index c6f7fed..0000000
--- a/0001-Issue-2526-retrocl-backend-created-out-of-order.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 67c8b8702a249cb0ef1ebf49b6e87056cd5339f6 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Tue, 27 Oct 2020 13:14:55 -0400
-Subject: [PATCH] Issue 2526 - retrocl backend created out of order
-
-Bug Description: A recent change verified that you do not create
- a mappingtree entry before the backend entry was
- created. The server created the retrocl backend
- in the opposite order which broke the retrocl.
-
-Fix Description: Create the retrocl backend entry before creating
- the mapping tree entry.
-
-Relates: https://github.com/389ds/389-ds-base/issues/2526
-
-Reviewed by: viktor(Thanks!)
----
- ldap/servers/plugins/retrocl/retrocl.c | 10 ++---
- ldap/servers/plugins/retrocl/retrocl_create.c | 38 +++++++++----------
- 2 files changed, 22 insertions(+), 26 deletions(-)
-
-diff --git a/ldap/servers/plugins/retrocl/retrocl.c
-index 4af4d752b..8d6135dad 100644
---- a/ldap/servers/plugins/retrocl/retrocl.c
-+++ b/ldap/servers/plugins/retrocl/retrocl.c
-@@ -222,15 +222,11 @@ retrocl_select_backend(void)
- slapi_entry_free(referral);
-
- if (err != LDAP_SUCCESS || be == NULL || be == defbackend_get_backend()) {
-- slapi_log_err(SLAPI_LOG_ERR, RETROCL_PLUGIN_NAME,
-+ /* Could not find the backend for cn=changelog, either because
-+ * it doesn't exist mapping tree not registered. */
-+ slapi_log_err(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME,
- "retrocl_select_backend - Mapping tree select failed (%d) %s.\n", err, errbuf);
--
-- /* could not find the backend for cn=changelog, either because
-- * it doesn't exist
-- * mapping tree not registered.
-- */
- err = retrocl_create_config();
--
- if (err != LDAP_SUCCESS)
- return err;
- } else {
-diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c
-index fb1503520..571e6899f 100644
---- a/ldap/servers/plugins/retrocl/retrocl_create.c
-+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
-@@ -192,6 +192,25 @@ retrocl_create_config(void)
- vals[0] = &val;
- vals[1] = NULL;
-
-+ retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
-+
-+ if (retrocl_be_changelog == NULL) {
-+ /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
-+ char *bedir;
-+
-+ bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
-+ if (bedir == NULL) {
-+ /* none specified */
-+ }
-+
-+ rc = retrocl_create_be(bedir);
-+ slapi_ch_free_string(&bedir);
-+ if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
-+ return rc;
-+ }
-+ retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
-+ }
-+
- /* Assume the mapping tree node is missing. It doesn't hurt to
- * attempt to add it if it already exists. You will see a warning
- * in the errors file when the referenced backend does not exist.
-@@ -256,25 +275,6 @@ retrocl_create_config(void)
- return rc;
- }
-
-- retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
--
-- if (retrocl_be_changelog == NULL) {
-- /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
-- char *bedir;
--
-- bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
-- if (bedir == NULL) {
-- /* none specified */
-- }
--
-- rc = retrocl_create_be(bedir);
-- slapi_ch_free_string(&bedir);
-- if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
-- return rc;
-- }
-- retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
-- }
--
- return LDAP_SUCCESS;
- }
-
---
-2.28.0
-
diff --git a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch b/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
new file mode 100644
index 0000000..437bddd
--- /dev/null
+++ b/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
@@ -0,0 +1,143 @@
+From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 19 Feb 2021 12:40:56 -0500
+Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
+ authenticating"
+
+This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
+---
+ dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
+ ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +-
+ ldap/servers/slapd/dse.c | 7 +--
+ 3 files changed, 13 insertions(+), 49 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/basic/basic_test.py
+index a206bdb38..a43001ab6 100644
+--- a/dirsrvtests/tests/suites/basic/basic_test.py
++++ b/dirsrvtests/tests/suites/basic/basic_test.py
+@@ -9,7 +9,7 @@
+
+ from subprocess import check_output, PIPE, run
+ from lib389 import DirSrv
+-from lib389.idm.user import UserAccount, UserAccounts
++from lib389.idm.user import UserAccounts
+ import pytest
+ from lib389.tasks import *
+ from lib389.utils import *
+@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
+ """Test the failing bind does not return information about the entry
+
+ :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
++
+ :customerscenario: True
++
+ :setup: Standalone instance
++
+ :steps:
+- 1: bind as non existing entry
+- 2: check that bind info does not report 'No such entry'
++ 1: bind as non existing entry
++ 2: check that bind info does not report 'No such entry'
++
+ :expectedresults:
+- 1: pass
+- 2: pass
++ 1: pass
++ 2: pass
+ """
+
+ topology_st.standalone.restart()
+@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
+ topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
+
+
+-def test_bind_entry_missing_passwd(topology_st):
+- """
+- :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
+- :setup: Standalone Instance
+- :steps:
+- 1. Bind as database entry that does not have userpassword set
+- 2. Bind as database entry that does not exist
+- 1. Bind as cn=config entry that does not have userpassword set
+- 2. Bind as cn=config entry that does not exist
+- :expectedresults:
+- 1. Fails with error 49
+- 2. Fails with error 49
+- 3. Fails with error 49
+- 4. Fails with error 49
+- """
+- user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
+- with pytest.raises(ldap.INVALID_CREDENTIALS):
+- # Bind as the suffix root entry which does not have a userpassword
+- user.bind("some_password")
+-
+- user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
+- with pytest.raises(ldap.INVALID_CREDENTIALS):
+- # Bind as the entry which does not exist
+- user.bind("some_password")
+-
+- # Test cn=config since it has its own code path
+- user = UserAccount(topology_st.standalone, "cn=config")
+- with pytest.raises(ldap.INVALID_CREDENTIALS):
+- # Bind as the config entry which does not have a userpassword
+- user.bind("some_password")
+-
+- user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
+- with pytest.raises(ldap.INVALID_CREDENTIALS):
+- # Bind as an entry under cn=config that does not exist
+- user.bind("some_password")
+-
+-
+ @pytest.mark.bz1044135
+ @pytest.mark.ds47319
+ def test_connection_buffer_size(topology_st):
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
+index 38d115a32..fa450ecd5 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
+@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
+ case LDAP_AUTH_SIMPLE: {
+ Slapi_Value cv;
+ if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
+- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
++ NULL, 0, NULL);
+ CACHE_RETURN(&inst->inst_cache, &e);
+ rc = SLAPI_BIND_FAIL;
+ goto bail;
+diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
+index f2741aeb4..f5572d78d 100644
+--- a/ldap/servers/slapd/dse.c
++++ b/ldap/servers/slapd/dse.c
+@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+
+ ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
+ if (ec == NULL) {
+- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
+- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++ slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
+ return (SLAPI_BIND_FAIL);
+ }
+
+@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+ case LDAP_AUTH_SIMPLE: {
+ Slapi_Value cv;
+ if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
+- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
+ slapi_entry_free(ec);
+ return SLAPI_BIND_FAIL;
+ }
+@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+
+ slapi_value_init_berval(&cv, cred);
+ if (slapi_pw_find_sv(bvals, &cv) != 0) {
+- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
+ slapi_entry_free(ec);
+ value_done(&cv);
+--
+2.26.2
+
diff --git a/389-ds-base.spec b/389-ds-base.spec
index 73e901e..cb0b508 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 2.0.3
-Release: %{?relprefix}1%{?prerel}%{?dist}
+Release: %{?relprefix}2%{?prerel}%{?dist}
 License: GPLv3+
 URL: https://www.port389.org
 Conflicts: selinux-policy-base < 3.9.8
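Review bot: On the new side of the dse.c and ldbm_bind.c hunks the bind result once again depends on the state of the target entry — `slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);` when `dse_get_entry_copy` returns NULL and `LDAP_INAPPROPRIATE_AUTH` when the entry has no userpassword, while a wrong password still yields `LDAP_INVALID_CREDENTIALS` — so an unauthenticated bind can tell a missing entry, a password-less entry and a bad password apart, which is the disclosure Issue 4609 had closed. The same patch deletes `test_bind_entry_missing_passwd`, so the suite will no longer flag the divergent result codes. If the revert is unavoidable for DogTag (the spec changelog in the following hunk says it "breaks DogTag"), keep that test under `pytest.mark.xfail` with a reference to this revert rather than removing it, and state in the changelog that the 4609 mitigation is disabled in this build so the package's security status is not misread. `dse_bind` and `ldbm_back_bind` both continue outside the hunks shown.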
@@ -170,6 +170,7 @@ Source2: %{name}-devel.README
 %if %{bundle_jemalloc}
 Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
+Patch01: 0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -268,6 +269,7 @@ A cockpit UI Plugin for configuring and administering the 389 Directory Server
 %endif
 %prep
+%autosetup -p1 -v -n %{name}-%{version}%{?prerel}
 %setup -q -n %{name}-%{version}%{?prerel}
 %if %{bundle_jemalloc}
@@ -613,6 +615,10 @@ exit 0
 %endif
 %changelog
+* Fri Feb 19 2021 Mark Reynolds - 2.0.3-2
+- Bump version to 2.0.3-2
+- Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)
+
 * Fri Feb 12 2021 Mark Reynolds - 2.0.3-1
 - Bump version to 2.0.3
 - Issue 4619 - remove pytest requirement from lib389
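Review bot: The added `%autosetup -p1 -v -n %{name}-%{version}%{?prerel}` in the %prep hunk is immediately followed by the pre-existing `%setup -q -n %{name}-%{version}%{?prerel}`; %autosetup already unpacks the source and applies Patch01, and a second %setup without `-D` deletes and re-unpacks the build directory, so as far as the macro's documented options go the patched tree is discarded before %build runs. Drop the `%setup` line (or keep `%setup` and replace `%autosetup` with `%autopatch -p1` placed after it) so that Patch01, and any later security patch added the same way, actually reaches the build. The `%if %{bundle_jemalloc}` block that follows is outside this hunk; check that the way it unpacks jemalloc does not itself re-extract the main source.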