Bump version to 2.0.3-2

Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)

0001-Issue-2526-retrocl-backend-created-out-of-order.patch

@@ -1,103 +0,0 @@
-From 67c8b8702a249cb0ef1ebf49b6e87056cd5339f6 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 27 Oct 2020 13:14:55 -0400
-Subject: [PATCH] Issue 2526 - retrocl backend created out of order
-
-Bug Description:  A recent change verified that you do not create
-                  a mappingtree entry before the backend entry was
-                  created.  The server created the retrocl backend
-                  in the opposite order which broke the retrocl.
-
-Fix Description:  Create the retrocl backend entry before creating
-                  the mapping tree entry.
-
-Relates: https://github.com/389ds/389-ds-base/issues/2526
-
-Reviewed by: viktor(Thanks!)
----
- ldap/servers/plugins/retrocl/retrocl.c        | 10 ++---
- ldap/servers/plugins/retrocl/retrocl_create.c | 38 +++++++++----------
- 2 files changed, 22 insertions(+), 26 deletions(-)
-
-diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
-index 4af4d752b..8d6135dad 100644
---- a/ldap/servers/plugins/retrocl/retrocl.c
-+++ b/ldap/servers/plugins/retrocl/retrocl.c
-@@ -222,15 +222,11 @@ retrocl_select_backend(void)
-     slapi_entry_free(referral);
- 
-     if (err != LDAP_SUCCESS || be == NULL || be == defbackend_get_backend()) {
--        slapi_log_err(SLAPI_LOG_ERR, RETROCL_PLUGIN_NAME,
-+        /* Could not find the backend for cn=changelog, either because
-+         * it doesn't exist mapping tree not registered. */
-+        slapi_log_err(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME,
-                       "retrocl_select_backend - Mapping tree select failed (%d) %s.\n", err, errbuf);
--
--        /* could not find the backend for cn=changelog, either because
--         * it doesn't exist
--         * mapping tree not registered.
--         */
-         err = retrocl_create_config();
--
-         if (err != LDAP_SUCCESS)
-             return err;
-     } else {
-diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
-index fb1503520..571e6899f 100644
---- a/ldap/servers/plugins/retrocl/retrocl_create.c
-+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
-@@ -192,6 +192,25 @@ retrocl_create_config(void)
-     vals[0] = &val;
-     vals[1] = NULL;
- 
-+    retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
-+
-+    if (retrocl_be_changelog == NULL) {
-+        /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
-+        char *bedir;
-+
-+        bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
-+        if (bedir == NULL) {
-+            /* none specified */
-+        }
-+
-+        rc = retrocl_create_be(bedir);
-+        slapi_ch_free_string(&bedir);
-+        if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
-+            return rc;
-+        }
-+        retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
-+    }
-+
-     /* Assume the mapping tree node is missing.  It doesn't hurt to
-      * attempt to add it if it already exists.  You will see a warning
-      * in the errors file when the referenced backend does not exist.
-@@ -256,25 +275,6 @@ retrocl_create_config(void)
-         return rc;
-     }
- 
--    retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
--
--    if (retrocl_be_changelog == NULL) {
--        /* This is not the nsslapd-changelogdir from cn=changelog4,cn=config */
--        char *bedir;
--
--        bedir = retrocl_get_config_str(CONFIG_CHANGELOG_DIRECTORY_ATTRIBUTE);
--        if (bedir == NULL) {
--            /* none specified */
--        }
--
--        rc = retrocl_create_be(bedir);
--        slapi_ch_free_string(&bedir);
--        if (rc != LDAP_SUCCESS && rc != LDAP_ALREADY_EXISTS) {
--            return rc;
--        }
--        retrocl_be_changelog = slapi_be_select_by_instance_name("changelog");
--    }
--
-     return LDAP_SUCCESS;
- }
- 
--- 
-2.28.0
-

0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch

@@ -0,0 +1,143 @@
+From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 19 Feb 2021 12:40:56 -0500
+Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
+ authenticating"
+
+This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
+---
+ dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
+ ldap/servers/slapd/back-ldbm/ldbm_bind.c     |  4 +-
+ ldap/servers/slapd/dse.c                     |  7 +--
+ 3 files changed, 13 insertions(+), 49 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
+index a206bdb38..a43001ab6 100644
+--- a/dirsrvtests/tests/suites/basic/basic_test.py
++++ b/dirsrvtests/tests/suites/basic/basic_test.py
+@@ -9,7 +9,7 @@
+ 
+ from subprocess import check_output, PIPE, run
+ from lib389 import DirSrv
+-from lib389.idm.user import UserAccount, UserAccounts
++from lib389.idm.user import UserAccounts
+ import pytest
+ from lib389.tasks import *
+ from lib389.utils import *
+@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
+     """Test the failing bind does not return information about the entry
+ 
+     :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
++
+     :customerscenario: True
++
+     :setup: Standalone instance
++
+     :steps:
+-        1: bind as non existing entry
+-        2: check that bind info does not report 'No such entry'
++    1: bind as non existing entry
++    2: check that bind info does not report 'No such entry'
++
+     :expectedresults:
+-        1: pass
+-        2: pass
++    1: pass
++    2: pass
+     """
+ 
+     topology_st.standalone.restart()
+@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
+     topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
+ 
+ 
+-def test_bind_entry_missing_passwd(topology_st):
+-    """
+-    :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
+-    :setup: Standalone Instance
+-    :steps:
+-        1. Bind as database entry that does not have userpassword set
+-        2. Bind as database entry that does not exist
+-        1. Bind as cn=config entry that does not have userpassword set
+-        2. Bind as cn=config entry that does not exist
+-    :expectedresults:
+-        1. Fails with error 49
+-        2. Fails with error 49
+-        3. Fails with error 49
+-        4. Fails with error 49
+-    """
+-    user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
+-    with pytest.raises(ldap.INVALID_CREDENTIALS):
+-        # Bind as the suffix root entry which does not have a userpassword
+-        user.bind("some_password")
+-
+-    user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
+-    with pytest.raises(ldap.INVALID_CREDENTIALS):
+-        # Bind as the entry which does not exist
+-        user.bind("some_password")
+-
+-    # Test cn=config since it has its own code path
+-    user = UserAccount(topology_st.standalone, "cn=config")
+-    with pytest.raises(ldap.INVALID_CREDENTIALS):
+-        # Bind as the config entry which does not have a userpassword
+-        user.bind("some_password")
+-
+-    user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
+-    with pytest.raises(ldap.INVALID_CREDENTIALS):
+-        # Bind as an entry under cn=config that does not exist
+-        user.bind("some_password")
+-
+-
+ @pytest.mark.bz1044135
+ @pytest.mark.ds47319
+ def test_connection_buffer_size(topology_st):
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
+index 38d115a32..fa450ecd5 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
+@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
+     case LDAP_AUTH_SIMPLE: {
+         Slapi_Value cv;
+         if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
+-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+-            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
++                                   NULL, 0, NULL);
+             CACHE_RETURN(&inst->inst_cache, &e);
+             rc = SLAPI_BIND_FAIL;
+             goto bail;
+diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
+index f2741aeb4..f5572d78d 100644
+--- a/ldap/servers/slapd/dse.c
++++ b/ldap/servers/slapd/dse.c
+@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+ 
+     ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
+     if (ec == NULL) {
+-        slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
+-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++        slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
+         return (SLAPI_BIND_FAIL);
+     }
+ 
+@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+     case LDAP_AUTH_SIMPLE: {
+         Slapi_Value cv;
+         if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
+-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+-            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
++            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
+             slapi_entry_free(ec);
+             return SLAPI_BIND_FAIL;
+         }
+@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
+ 
+         slapi_value_init_berval(&cv, cred);
+         if (slapi_pw_find_sv(bvals, &cv) != 0) {
+-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
+             slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
+             slapi_entry_free(ec);
+             value_done(&cv);
+-- 
+2.26.2
+

389-ds-base.spec

@@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          2.0.3
-Release:          %{?relprefix}1%{?prerel}%{?dist}
+Release:          %{?relprefix}2%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@@ -170,6 +170,7 @@ Source2:          %{name}-devel.README
 %if %{bundle_jemalloc}
 Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
+Patch01:          0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -268,6 +269,7 @@ A cockpit UI Plugin for configuring and administering the 389 Directory Server
 %endif
 
 %prep
+%autosetup -p1 -v -n %{name}-%{version}%{?prerel}
 %setup -q -n %{name}-%{version}%{?prerel}
 
 %if %{bundle_jemalloc}
@@ -613,6 +615,10 @@ exit 0
 %endif
 
 %changelog
+* Fri Feb 19 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-2
+- Bump version to 2.0.3-2
+- Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)
+
 * Fri Feb 12 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-1
 - Bump version to 2.0.3
 - Issue 4619 - remove pytest requirement from lib389