Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/389-ds-base.git#2af7ac7f6d5bc823408d3bbd5d760fef03483a8b
2021-02-19 18:36:36 +00:00 · 2021-02-19 18:36:36 +00:00 · 72f324b519
commit 72f324b519
parent 2fc0f52930
3 changed files with 150 additions and 104 deletions
--- a/0001-Issue-2526-retrocl-backend-created-out-of-order.patch
+++ b/0001-Issue-2526-retrocl-backend-created-out-of-order.patch
@ -1,103 +0,0 @@
 From 67c8b8702a249cb0ef1ebf49b6e87056cd5339f6 Mon Sep 17 00:00:00 2001
 From: Mark Reynolds <mreynolds@redhat.com>
 Date: Tue, 27 Oct 2020 13:14:55 -0400
 Subject: [PATCH] Issue 2526 - retrocl backend created out of order
 Bug Description:  A recent change verified that you do not create
                  a mappingtree entry before the backend entry was
                  created.  The server created the retrocl backend
                  in the opposite order which broke the retrocl.
 Fix Description:  Create the retrocl backend entry before creating
                  the mapping tree entry.
 Relates: https://github.com/389ds/389-ds-base/issues/2526
 Reviewed by: viktor(Thanks!)
 ---
 ldap/servers/plugins/retrocl/retrocl.c        | 10 ++---
 ldap/servers/plugins/retrocl/retrocl_create.c | 38 +++++++++----------
 2 files changed, 22 insertions(+), 26 deletions(-)
 diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
 index 4af4d752b..8d6135dad 100644
 --- a/ldap/servers/plugins/retrocl/retrocl.c
 +++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -222,15 +222,11 @@ retrocl_select_backend(void)
     slapi_entry_free(referral);
     if (err != LDAP_SUCCESS || be == NULL || be == defbackend_get_backend()) {
 -        slapi_log_err(SLAPI_LOG_ERR, RETROCL_PLUGIN_NAME,
 +        /* Could not find the backend for cn=changelog, either because
 +         * it doesn't exist mapping tree not registered. */
 +        slapi_log_err(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME,
                       "retrocl_select_backend - Mapping tree select failed (%d) %s.\n", err, errbuf);
 -
 -        /* could not find the backend for cn=changelog, either because
 -         * it doesn't exist
 -         * mapping tree not registered.
 -         */
         err = retrocl_create_config();
 -
         if (err != LDAP_SUCCESS)
             return err;
     } else {
 diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
 index fb1503520..571e6899f 100644
 --- a/ldap/servers/plugins/retrocl/retrocl_create.c
 +++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -192,6 +192,25 @@ retrocl_create_config(void)
     vals[0] = &val;
     vals[1] = NULL;
 +    retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
 +
 +    if (retrocl_be_changelog == NULL) {
 +        /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
 +        char *bedir;
 +
 +        bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
 +        if (bedir == NULL) {
 +            /* none specified */
 +        }
 +
 +        rc = retrocl_create_be(bedir);
 +        slapi_ch_free_string(&bedir);
 +        if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
 +            return rc;
 +        }
 +        retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
 +    }
 +
     /* Assume the mapping tree node is missing.  It doesn't hurt to
      * attempt to add it if it already exists.  You will see a warning
      * in the errors file when the referenced backend does not exist.
@@ -256,25 +275,6 @@ retrocl_create_config(void)
         return rc;
     }
 -    retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
 -
 -    if (retrocl_be_changelog == NULL) {
 -        /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
 -        char *bedir;
 -
 -        bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
 -        if (bedir == NULL) {
 -            /* none specified */
 -        }
 -
 -        rc = retrocl_create_be(bedir);
 -        slapi_ch_free_string(&bedir);
 -        if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
 -            return rc;
 -        }
 -        retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
 -    }
 -
     return LDAP_SUCCESS;
 }
 -- 
 2.28.0
--- a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
+++ b/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
@ -0,0 +1,143 @@
 From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
 From: Mark Reynolds <mreynolds@redhat.com>
 Date: Fri, 19 Feb 2021 12:40:56 -0500
 Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
 authenticating"
 This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
 ---
 dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
 ldap/servers/slapd/back-ldbm/ldbm_bind.c     |  4 +-
 ldap/servers/slapd/dse.c                     |  7 +--
 3 files changed, 13 insertions(+), 49 deletions(-)
 diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
 index a206bdb38..a43001ab6 100644
 --- a/dirsrvtests/tests/suites/basic/basic_test.py
 +++ b/dirsrvtests/tests/suites/basic/basic_test.py
@@ -9,7 +9,7 @@
 from subprocess import check_output, PIPE, run
 from lib389 import DirSrv
 -from lib389.idm.user import UserAccount, UserAccounts
 +from lib389.idm.user import UserAccounts
 import pytest
 from lib389.tasks import *
 from lib389.utils import *
@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
     """Test the failing bind does not return information about the entry
     :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
 +
     :customerscenario: True
 +
     :setup: Standalone instance
 +
     :steps:
 -        1: bind as non existing entry
 -        2: check that bind info does not report 'No such entry'
 +    1: bind as non existing entry
 +    2: check that bind info does not report 'No such entry'
 +
     :expectedresults:
 -        1: pass
 -        2: pass
 +    1: pass
 +    2: pass
     """
     topology_st.standalone.restart()
@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
     topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
 -def test_bind_entry_missing_passwd(topology_st):
 -    """
 -    :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
 -    :setup: Standalone Instance
 -    :steps:
 -        1. Bind as database entry that does not have userpassword set
 -        2. Bind as database entry that does not exist
 -        1. Bind as cn=config entry that does not have userpassword set
 -        2. Bind as cn=config entry that does not exist
 -    :expectedresults:
 -        1. Fails with error 49
 -        2. Fails with error 49
 -        3. Fails with error 49
 -        4. Fails with error 49
 -    """
 -    user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
 -    with pytest.raises(ldap.INVALID_CREDENTIALS):
 -        # Bind as the suffix root entry which does not have a userpassword
 -        user.bind("some_password")
 -
 -    user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
 -    with pytest.raises(ldap.INVALID_CREDENTIALS):
 -        # Bind as the entry which does not exist
 -        user.bind("some_password")
 -
 -    # Test cn=config since it has its own code path
 -    user = UserAccount(topology_st.standalone, "cn=config")
 -    with pytest.raises(ldap.INVALID_CREDENTIALS):
 -        # Bind as the config entry which does not have a userpassword
 -        user.bind("some_password")
 -
 -    user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
 -    with pytest.raises(ldap.INVALID_CREDENTIALS):
 -        # Bind as an entry under cn=config that does not exist
 -        user.bind("some_password")
 -
 -
 @pytest.mark.bz1044135
 @pytest.mark.ds47319
 def test_connection_buffer_size(topology_st):
 diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
 index 38d115a32..fa450ecd5 100644
 --- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
 +++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
     case LDAP_AUTH_SIMPLE: {
         Slapi_Value cv;
         if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
 -            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
 -            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
 +            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
 +                                   NULL, 0, NULL);
             CACHE_RETURN(&inst->inst_cache, &e);
             rc = SLAPI_BIND_FAIL;
             goto bail;
 diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
 index f2741aeb4..f5572d78d 100644
 --- a/ldap/servers/slapd/dse.c
 +++ b/ldap/servers/slapd/dse.c
@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
     ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
     if (ec == NULL) {
 -        slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
 -        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
 +        slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
         return (SLAPI_BIND_FAIL);
     }
@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
     case LDAP_AUTH_SIMPLE: {
         Slapi_Value cv;
         if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
 -            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
 -            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
 +            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
             slapi_entry_free(ec);
             return SLAPI_BIND_FAIL;
         }
@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
         slapi_value_init_berval(&cv, cred);
         if (slapi_pw_find_sv(bvals, &cv) != 0) {
 -            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
             slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
             slapi_entry_free(ec);
             value_done(&cv);
 -- 
 2.26.2
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          2.0.3
-Release:          %{?relprefix}1%{?prerel}%{?dist}
+Release:          %{?relprefix}2%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@ -170,6 +170,7 @@ Source2:          %{name}-devel.README
 %if %{bundle_jemalloc}
 Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
 Patch01:          0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@ -268,6 +269,7 @@ A cockpit UI Plugin for configuring and administering the 389 Directory Server
 %endif
 %prep
 %autosetup -p1 -v -n %{name}-%{version}%{?prerel}
 %setup -q -n %{name}-%{version}%{?prerel}
 %if %{bundle_jemalloc}
@ -613,6 +615,10 @@ exit 0
 %endif
 %changelog
 * Fri Feb 19 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-2
 - Bump version to 2.0.3-2
 - Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)
 * Fri Feb 12 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-1
 - Bump version to 2.0.3
 - Issue 4619 - remove pytest requirement from lib389