From 96a702581ab7e8dfbe728801783da2369f94f3ae Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Thu, 4 Mar 2021 12:30:20 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/389-ds-base.git#f9d057e91ce3d425b533de6ca9f77257f5d1f2f9
---
 ...9-CVE-info-disclosure-when-authentic.patch | 143 ------------------
 389-ds-base.spec | 7 +-
 2 files changed, 5 insertions(+), 145 deletions(-)
 delete mode 100644 0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch

diff --git a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch b/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
deleted file mode 100644
index 437bddd..0000000
--- a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 19 Feb 2021 12:40:56 -0500 -Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when - authenticating" - -This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32. ---- - dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++---------------- - ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +- - ldap/servers/slapd/dse.c | 7 +-- - 3 files changed, 13 insertions(+), 49 deletions(-) - -diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py -index a206bdb38..a43001ab6 100644 ---- a/dirsrvtests/tests/suites/basic/basic_test.py -+++ b/dirsrvtests/tests/suites/basic/basic_test.py -@@ -9,7 +9,7 @@ - - from subprocess import check_output, PIPE, run - from lib389 import DirSrv --from lib389.idm.user import UserAccount, UserAccounts -+from lib389.idm.user import UserAccounts - import pytest - from lib389.tasks import * - from lib389.utils import * -@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st): - """Test the failing bind does not return information about the entry - - :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f -+ - :customerscenario: True -+ - :setup: Standalone instance -+ - :steps: -- 1: bind as non existing entry -- 2: check that bind info does not report 'No such entry' -+ 1: bind as non existing entry -+ 2: check that bind info does not report 'No such entry' -+ - :expectedresults: -- 1: pass -- 2: pass -+ 1: pass -+ 2: pass - """ - - topology_st.standalone.restart() -@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st): - topology_st.standalone.simple_bind_s(DN_DM, PW_DM) - - --def test_bind_entry_missing_passwd(topology_st): -- """ -- :id: af209149-8fb8-48cb-93ea-3e82dd7119d2 -- :setup: Standalone Instance -- :steps: -- 1. Bind as database entry that does not have userpassword set -- 2. Bind as database entry that does not exist -- 1. 
Bind as cn=config entry that does not have userpassword set -- 2. Bind as cn=config entry that does not exist -- :expectedresults: -- 1. Fails with error 49 -- 2. Fails with error 49 -- 3. Fails with error 49 -- 4. Fails with error 49 -- """ -- user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX) -- with pytest.raises(ldap.INVALID_CREDENTIALS): -- # Bind as the suffix root entry which does not have a userpassword -- user.bind("some_password") -- -- user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX) -- with pytest.raises(ldap.INVALID_CREDENTIALS): -- # Bind as the entry which does not exist -- user.bind("some_password") -- -- # Test cn=config since it has its own code path -- user = UserAccount(topology_st.standalone, "cn=config") -- with pytest.raises(ldap.INVALID_CREDENTIALS): -- # Bind as the config entry which does not have a userpassword -- user.bind("some_password") -- -- user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config") -- with pytest.raises(ldap.INVALID_CREDENTIALS): -- # Bind as an entry under cn=config that does not exist -- user.bind("some_password") -- -- - @pytest.mark.bz1044135 - @pytest.mark.ds47319 - def test_connection_buffer_size(topology_st): -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c -index 38d115a32..fa450ecd5 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c -@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb) - case LDAP_AUTH_SIMPLE: { - Slapi_Value cv; - if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) { -- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set"); -- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); -+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, -+ NULL, 0, NULL); - CACHE_RETURN(&inst->inst_cache, &e); - rc = SLAPI_BIND_FAIL; - goto bail; -diff --git a/ldap/servers/slapd/dse.c 
b/ldap/servers/slapd/dse.c -index f2741aeb4..f5572d78d 100644 ---- a/ldap/servers/slapd/dse.c -+++ b/ldap/servers/slapd/dse.c -@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this - - ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK); - if (ec == NULL) { -- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist"); -- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); -+ slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL); - return (SLAPI_BIND_FAIL); - } - -@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this - case LDAP_AUTH_SIMPLE: { - Slapi_Value cv; - if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) { -- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set"); -- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); -+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL); - slapi_entry_free(ec); - return SLAPI_BIND_FAIL; - } -@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this - - slapi_value_init_berval(&cv, cred); - if (slapi_pw_find_sv(bvals, &cv) != 0) { -- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials"); - slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); - slapi_entry_free(ec); - value_done(&cv); --- -2.26.2 - diff --git a/389-ds-base.spec b/389-ds-base.spec index cb0b508..dcb2c1f 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -47,7 +47,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base Version: 2.0.3 -Release: %{?relprefix}2%{?prerel}%{?dist} +Release: %{?relprefix}3%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org Conflicts: selinux-policy-base < 3.9.8 
@@ -170,7 +170,6 @@ Source2: %{name}-devel.README %if %{bundle_jemalloc} Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2 %endif -Patch01: 0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -615,6 +614,10 @@ exit 0 %endif %changelog +* Fri Feb 26 2021 Alexander Bokovoy - 2.0.3-3 +- Remove a revert of the fix for Issue 4609 - CVE - info disclosure when authenticating(breaks Dogtag) +- Dogtag has fixed own code that failed in the presence of the fix for Issue 4609 + * Fri Feb 19 2021 Mark Reynolds - 2.0.3-2 - Bump version to 2.0.3-2 - Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)
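Review bot: Nothing in the spec pins the Dogtag release that tolerates the restored Issue 4609 behaviour, so after dropping Patch01 (hunk @@ -170) the package can still be installed beside a Dogtag build that breaks on it. With the revert gone, a bind against a nonexistent entry or an entry without userpassword — in the ldbm backend and under cn=config alike — again returns LDAP_INVALID_CREDENTIALS for every case instead of the distinguishable LDAP_NO_SUCH_OBJECT / LDAP_INAPPROPRIATE_AUTH codes, which is exactly what the deleted revert patch shows Dogtag depended on. Consider a versioned conflict next to the existing `Conflicts: selinux-policy-base < 3.9.8` line, e.g. `Conflicts: <dogtag-package> < <first-fixed-release>` (placeholders — take both from the Dogtag fix the changelog refers to). It would also help integrators if the changelog entry in hunk @@ -615 named the result-code change itself rather than only the issue number.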