Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/389-ds-base.git#f9d057e91ce3d425b533de6ca9f77257f5d1f2f9
This commit is contained in:
DistroBaker 2021-03-04 12:30:20 +00:00
parent 72f324b519
commit 96a702581a
2 changed files with 5 additions and 145 deletions


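--- a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 19 Feb 2021 12:40:56 -0500
-Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
-authenticating"
-This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
----
-dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
-ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +-
-ldap/servers/slapd/dse.c | 7 +--
-3 files changed, 13 insertions(+), 49 deletions(-)
-diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
-index a206bdb38..a43001ab6 100644
---- a/dirsrvtests/tests/suites/basic/basic_test.py
-+++ b/dirsrvtests/tests/suites/basic/basic_test.py
-@@ -9,7 +9,7 @@
-from subprocess import check_output, PIPE, run
-from lib389 import DirSrv
--from lib389.idm.user import UserAccount, UserAccounts
-+from lib389.idm.user import UserAccounts
-import pytest
-from lib389.tasks import *
-from lib389.utils import *
-@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
-"""Test the failing bind does not return information about the entry
-:id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
-+
-:customerscenario: True
-+
-:setup: Standalone instance
-+
-:steps:
-- 1: bind as non existing entry
-- 2: check that bind info does not report 'No such entry'
-+ 1: bind as non existing entry
-+ 2: check that bind info does not report 'No such entry'
-+
-:expectedresults:
-- 1: pass
-- 2: pass
-+ 1: pass
-+ 2: pass
-"""
-topology_st.standalone.restart()
-@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
-topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
--def test_bind_entry_missing_passwd(topology_st):
-- """
-- :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
-- :setup: Standalone Instance
-- :steps:
-- 1. Bind as database entry that does not have userpassword set
-- 2. Bind as database entry that does not exist
-- 1. Bind as cn=config entry that does not have userpassword set
-- 2. Bind as cn=config entry that does not exist
-- :expectedresults:
-- 1. Fails with error 49
-- 2. Fails with error 49
-- 3. Fails with error 49
-- 4. Fails with error 49
-- """
-- user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
-- with pytest.raises(ldap.INVALID_CREDENTIALS):
-- # Bind as the suffix root entry which does not have a userpassword
-- user.bind("some_password")
--
-- user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
-- with pytest.raises(ldap.INVALID_CREDENTIALS):
-- # Bind as the entry which does not exist
-- user.bind("some_password")
--
-- # Test cn=config since it has its own code path
-- user = UserAccount(topology_st.standalone, "cn=config")
-- with pytest.raises(ldap.INVALID_CREDENTIALS):
-- # Bind as the config entry which does not have a userpassword
-- user.bind("some_password")
--
-- user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
-- with pytest.raises(ldap.INVALID_CREDENTIALS):
-- # Bind as an entry under cn=config that does not exist
-- user.bind("some_password")
--
--
-@pytest.mark.bz1044135
-@pytest.mark.ds47319
-def test_connection_buffer_size(topology_st):
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-index 38d115a32..fa450ecd5 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
-case LDAP_AUTH_SIMPLE: {
-Slapi_Value cv;
-if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
-- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
-+ NULL, 0, NULL);
-CACHE_RETURN(&inst->inst_cache, &e);
-rc = SLAPI_BIND_FAIL;
-goto bail;
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index f2741aeb4..f5572d78d 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
-ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
-if (ec == NULL) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
-- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+ slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
-return (SLAPI_BIND_FAIL);
-}
-@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
-case LDAP_AUTH_SIMPLE: {
-Slapi_Value cv;
-if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
-- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
-slapi_entry_free(ec);
-return SLAPI_BIND_FAIL;
-}
-@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
-slapi_value_init_berval(&cv, cred);
-if (slapi_pw_find_sv(bvals, &cv) != 0) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
-slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-slapi_entry_free(ec);
-value_done(&cv);
---
-2.26.2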


@ -47,7 +47,7 @@ ExcludeArch: i686
Summary: 389 Directory Server (base) Summary: 389 Directory Server (base)
Name: 389-ds-base Name: 389-ds-base
Version: 2.0.3 Version: 2.0.3
Release: %{?relprefix}2%{?prerel}%{?dist} Release: %{?relprefix}3%{?prerel}%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://www.port389.org URL: https://www.port389.org
Conflicts: selinux-policy-base < 3.9.8 Conflicts: selinux-policy-base < 3.9.8
@ -170,7 +170,6 @@ Source2: %{name}-devel.README
%if %{bundle_jemalloc} %if %{bundle_jemalloc}
Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2 Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
%endif %endif
Patch01: 0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
%description %description
389 Directory Server is an LDAPv3 compliant server. The base package includes 389 Directory Server is an LDAPv3 compliant server. The base package includes
@ -615,6 +614,10 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Feb 26 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.0.3-3
- Remove a revert of the fix for Issue 4609 - CVE - info disclosure when authenticating(breaks Dogtag)
- Dogtag has fixed own code that failed in the presence of the fix for Issue 4609
* Fri Feb 19 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-2 * Fri Feb 19 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-2
- Bump version to 2.0.3-2 - Bump version to 2.0.3-2
- Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag) - Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)
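Review bot: Dropping the `Patch01:` declaration re-enables the upstream fix for Issue 4609, but if this spec's `%prep` applies patches with explicit `%patch01` style macros rather than `%autosetup`/`%autopatch`, the matching application line (outside this section) has to be removed in the same commit or the build fails on an undefined patch; please confirm which form `%prep` uses. The new changelog entry would also be easier to audit if it named what is being restored, since the deleted patch shows the revert targeted upstream commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32, e.g. `- Drop the revert of upstream b6aae4d8 (Issue 4609 - CVE - info disclosure when authenticating); Dogtag now handles the corrected bind error codes`. Note the entry also repeats the missing space before `(breaks Dogtag)` from the previous entry.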