New upstream release

.cvsignore

@@ -1,2 +1,2 @@
 db-4.6.21.tar.gz
-openldap-2.4.11.tgz
+openldap-2.4.12.tgz

openldap-2.3.27-ber-decode.patch

@@ -1,44 +0,0 @@
-453637, 453638, 453639, 453640,453444: CVE-2008-2952 OpenLDAP denial-of-service 
-flaw in ASN.1 decoder
-
-Source: upstream, cvs diff -r 1.120 -r 1.122 libraries/liblber/io.c
-
-Index: libraries/liblber/io.c
-===================================================================
-RCS file: /repo/OpenLDAP/pkg/ldap/libraries/liblber/io.c,v
-retrieving revision 1.120
-retrieving revision 1.122
-diff -u -r1.120 -r1.122
---- libraries/liblber/io.c	7 Jan 2008 23:20:03 -0000	1.120
-+++ libraries/liblber/io.c	1 Jul 2008 23:33:15 -0000	1.122
-@@ -522,14 +522,18 @@
- 	}
- 
- 	while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
--		(char *)&ber->ber_len + LENSIZE*2 -1) {
-+		(char *)&ber->ber_len + LENSIZE*2) {
- 		ber_slen_t sblen;
- 		char buf[sizeof(ber->ber_len)-1];
- 		ber_len_t tlen = 0;
- 
-+		/* The tag & len can be at most 9 bytes; we try to read up to 8 here */
- 		sock_errset(0);
--		sblen=ber_int_sb_read( sb, ber->ber_rwptr,
--			((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
-+		sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
-+		/* Trying to read the last len byte of a 9 byte tag+len */
-+		if (sblen<1)
-+			sblen = 1;
-+		sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
- 		if (sblen<=0) return LBER_DEFAULT;
- 		ber->ber_rwptr += sblen;
- 
-@@ -579,7 +583,7 @@
- 			int i;
- 			unsigned char *p = (unsigned char *)ber->ber_ptr;
- 			int llen = *p++ & 0x7f;
--			if (llen > (int)sizeof(ber_len_t)) {
-+			if (llen > LENSIZE) {
- 				sock_errset(ERANGE);
- 				return LBER_DEFAULT;
- 			}

openldap.spec

@@ -3,7 +3,7 @@
 # not work with some versions of OpenLDAP.
 %define db_version 4.6.21
 %define ldbm_backend berkeley
-%define version 2.4.11
+%define version 2.4.12
 %define evolution_connector_prefix %{_libdir}/evolution-openldap
 %define evolution_connector_includedir %{evolution_connector_prefix}/include
 %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
@@ -11,7 +11,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP
 Name: openldap
 Version: %{version}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -201,11 +201,6 @@ export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC -D_GNU_SOURCE"
 export LDFLAGS="-L${dbdir}/%{_lib}"
 export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
 
-# hack to get properly named __lock_getlocker - needed for bdb 4.6.21 + openldap2.4.8
-# check later releases
-export CPPFLAGS="$CPPFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46"
-export CFLAGS="$CFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46"
-
 build() {
 %configure \
     --with-threads=posix \
@@ -249,7 +244,9 @@ build \
     --enable-null \
     --enable-shell \
     --enable-sql=mod \
+    --disable-ndb \
     --enable-passwd \
+    --enable-sock \
     --disable-perl \
     --enable-relay \
     --disable-shared \
@@ -603,6 +600,9 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Wed Oct 15 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-1
+- new upstream release
+
 * Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3
 - add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins
   to set non-default slapd shutdown timeout

patch.4.7.25.1

@@ -0,0 +1,75 @@
+*** sequence/sequence.c.orig	2008-05-05 13:25:09.000000000 -0700
+--- sequence/sequence.c	2008-08-15 09:58:46.000000000 -0700
+***************
+*** 187,193 ****
+  	if ((ret = __db_get_flags(dbp, &tflags)) != 0)
+  		goto err;
+  
+! 	if (DB_IS_READONLY(dbp)) {
+  		ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
+  		goto err;
+  	}
+--- 187,197 ----
+  	if ((ret = __db_get_flags(dbp, &tflags)) != 0)
+  		goto err;
+  
+! 	/*
+! 	 * We can let replication clients open sequences, but must
+! 	 * check later that they do not update them.
+! 	 */
+! 	if (F_ISSET(dbp, DB_AM_RDONLY)) {
+  		ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
+  		goto err;
+  	}
+***************
+*** 244,249 ****
+--- 248,258 ----
+  		if ((ret != DB_NOTFOUND && ret != DB_KEYEMPTY) ||
+  		    !LF_ISSET(DB_CREATE))
+  			goto err;
++ 		if (IS_REP_CLIENT(env) &&
++ 		    !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
++ 			ret = __db_rdonly(env, "DB_SEQUENCE->open");
++ 			goto err;
++ 		}
+  		ret = 0;
+  
+  		rp = &seq->seq_record;
+***************
+*** 296,302 ****
+  	 */
+  	rp = seq->seq_data.data;
+  	if (rp->seq_version == DB_SEQUENCE_OLDVER) {
+! oldver:		rp->seq_version = DB_SEQUENCE_VERSION;
+  		if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
+  			if (IS_DB_AUTO_COMMIT(dbp, txn)) {
+  				if ((ret =
+--- 305,316 ----
+  	 */
+  	rp = seq->seq_data.data;
+  	if (rp->seq_version == DB_SEQUENCE_OLDVER) {
+! oldver:		if (IS_REP_CLIENT(env) &&
+! 		    !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
+! 			ret = __db_rdonly(env, "DB_SEQUENCE->open");
+! 			goto err;
+! 		}
+! 		rp->seq_version = DB_SEQUENCE_VERSION;
+  		if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
+  			if (IS_DB_AUTO_COMMIT(dbp, txn)) {
+  				if ((ret =
+***************
+*** 707,712 ****
+--- 721,733 ----
+  
+  	MUTEX_LOCK(env, seq->mtx_seq);
+  
++ 	if (handle_check && IS_REP_CLIENT(env) &&
++ 	    !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
++ 		ret = __db_rdonly(env, "DB_SEQUENCE->get");
++ 		goto err;
++ 	}
++ 
++ 
+  	if (rp->seq_min + delta > rp->seq_max) {
+  		__db_errx(env, "Sequence overflow");
+  		ret = EINVAL;

sources

@@ -1,2 +1,2 @@
 718082e7e35fc48478a2334b0bc4cd11  db-4.6.21.tar.gz
-920fedbbb5bc61c2ca52c56edeef770a  openldap-2.4.11.tgz
+78a03f7dd2c842103a987e97c243925e  openldap-2.4.12.tgz