From 9820cbeebe81720251c3508f6121a53de5bf4d6f Mon Sep 17 00:00:00 2001
From: Simon Pichugin
Date: Fri, 24 May 2024 09:44:57 -0700
Subject: [PATCH] Bump version to 2.4.46-20

Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
---
 openldap-cbinding-fix-openssl-digest.patch | 18 ++++++++++++++++++
 openldap.spec | 12 +++++++++---
 2 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 openldap-cbinding-fix-openssl-digest.patch

diff --git a/openldap-cbinding-fix-openssl-digest.patch b/openldap-cbinding-fix-openssl-digest.patch
new file mode 100644
index 0000000..7eed80b
--- /dev/null
+++ b/openldap-cbinding-fix-openssl-digest.patch
@@ -0,0 +1,18 @@
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 6f27168..eb7b97c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -862,7 +862,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+ return 0;
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000
+- md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
++ {
++ int mdnid;
++ if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
++ return 0;
++ md = EVP_get_digestbynid( mdnid );
++ }
+ #else
+ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
+ #endif
diff --git a/openldap.spec b/openldap.spec
index 0600067..2e0077a 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.46
-Release: 19%{?dist}
+Release: 20%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
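Review bot: In the `tls_o.c` hunk carried by `openldap-cbinding-fix-openssl-digest.patch`, `OBJ_find_sigid_algs()` can return success while leaving `mdnid` as `NID_undef` for signature algorithms that have no separate digest (Ed25519, RSA-PSS), so `md` may still be NULL after `EVP_get_digestbynid( mdnid )`. The rest of `tlso_session_endpoint` lies outside the hunk, so confirm that a NULL `md` is handled there before it reaches the digest call; RFC 5929 leaves the tls-server-end-point binding undefined when the signature algorithm has no single hash. Record the case next to the lookup with a comment such as `/* mdnid may be NID_undef (no separate digest); md is then NULL */`. The bare `return 0;` on lookup failure gives no diagnostic, and presumably cannot be told apart from the earlier `return 0;` path, which makes a failed channel-binding bind hard to trace. The `#else` branch still passes the signature NID straight to `EVP_get_digestbynid`, so the same mismatch remains on builds against OpenSSL older than 1.1.0.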
@@ -58,8 +58,9 @@ Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
 Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
 Patch63: openldap-add-TLS_REQSAN-option.patch
 Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
-Patch65: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
-Patch66: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
+Patch65: openldap-cbinding-fix-openssl-digest.patch
+Patch66: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
+Patch67: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch

 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -157,6 +158,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
+%patch67 -p1

 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -526,6 +528,10 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Wed Jul 3 2024 Simon Pichugin - 2.4.46-20
+- Bump version to 2.4.46-20
+- Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
+
 * Tue Apr 30 2024 Simon Pichugin - 2.4.46-19
 - Bump version to 2.4.46-19
 - Resolves: RHEL-34283 - openldap: null pointer dereference in ber_memalloc_x function