Compare commits
No commits in common. "c8-stream-DL1" and "stream-idm-DL1-rhel-8.10.0" have entirely different histories.
c8-stream-
...
stream-idm
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
SOURCES/slapi-nis-0.60.0.tar.gz
|
SOURCES/slapi-nis-0.60.0.tar.gz
|
||||||
|
/slapi-nis-0.60.0.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
|
e5a84cf93b13b174c6d865de2f735cbfbc950917 slapi-nis-0.60.0.tar.gz
|
||||||
|
@ -0,0 +1,28 @@
|
|||||||
|
From 062c157013c5af8714d9015582de898b42d1a981 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Wed, 2 May 2018 08:56:15 +0300
|
||||||
|
Subject: [PATCH] support transition from libtirpc to libnsl in Fedora 28
|
||||||
|
|
||||||
|
libnsl2-devel in Fedora 28 depends on libtirpc-devel internally
|
||||||
|
so we can also reduce the dependency in spec
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 184a9af..80f2ca2 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -273,6 +273,12 @@ AC_ARG_WITH(tirpc,
|
||||||
|
])
|
||||||
|
if test $use_tirpc = yes ; then
|
||||||
|
PKG_CHECK_MODULES(TIRPC,libtirpc)
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+PKG_CHECK_MODULES(NSL,libnsl,[use_libnsl=yes],[use_libnsl=no])
|
||||||
|
+if test "$use_libnsl" = yes ; then
|
||||||
|
+ RPC_CFLAGS="$NSL_CFLAGS"
|
||||||
|
+ RPC_LIBS="$NSL_LIBS"
|
||||||
|
else
|
||||||
|
RPC_CFLAGS=
|
||||||
|
RPC_LIBS=-lnsl
|
||||||
|
--
|
||||||
|
2.14.3
|
||||||
|
|
33
cve-2021-3480-fix.patch
Normal file
33
cve-2021-3480-fix.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Wed, 7 Apr 2021 14:40:52 +0300
|
||||||
|
Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
|
||||||
|
|
||||||
|
For certain LDAP bind operations 389-ds would pass unvalidated bind DN
|
||||||
|
to bind plugins. A first attempt to normalize the DN would find that out
|
||||||
|
and should reject the request.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch.c b/src/back-sch.c
|
||||||
|
index a5e4c04..d806627 100644
|
||||||
|
--- a/src/back-sch.c
|
||||||
|
+++ b/src/back-sch.c
|
||||||
|
@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
|
||||||
|
rdn = slapi_rdn_new_sdn(cbdata->target_dn);
|
||||||
|
if (rdn != NULL) {
|
||||||
|
rdnstr = slapi_rdn_get_nrdn(rdn);
|
||||||
|
+ if (rdnstr == NULL) {
|
||||||
|
+ /* normalizing RDN failed, break the search */
|
||||||
|
+ slapi_rdn_free(&rdn);
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
if (map_match(cbdata->state, group, set, &flag,
|
||||||
|
strlen(rdnstr), rdnstr,
|
||||||
|
&ndnlen, &ndn,
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
7
gating.yaml
Normal file
7
gating.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# recipients: abokovoy, frenaud, kaleem, ftrivino
|
||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-9
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
|
16
slapi-nis-0.56.6.tar.gz.asc
Normal file
16
slapi-nis-0.56.6.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl/KPI0ACgkQRxniuKu/
|
||||||
|
Yhp7KA//aI0HHAGWn56NjsbLCdk98tpt3YekptGwKpaDiFan7An2JtnJe3CvC71q
|
||||||
|
pAWtj1VduHLx+cAxRaRPKSheMkqv9qKrIvhtDHKEgTs9zkxZ02AYa8Emof9x8v6h
|
||||||
|
KsnRYMpy5TmKlvT8urnNbrkQXcxGvfjkaBYdaLegT87tSuLsB5vmZpfDbcdMuZ6V
|
||||||
|
mfU7JOoKpq0aXg/cYfSc3Br8njZujQXjdUipwKQMBQivNdFzkUk/ly6v8eWXP0O5
|
||||||
|
TlD0Rg8QMcSVgqG8hcLVzka078AHzAlOK1B2hGRuFXfRrnd88mDxPps7UEbEfSy3
|
||||||
|
oULXpXdQGVet7kujo8JfUyS5D4yiJOS2q/KmES8IGpIUeiwrV+383/pU2UY+lCUU
|
||||||
|
Cjv62t4YAwsFOOo+2z0thmzvpEc6FtP9mMx88JRX01OkSCapThgPaGKMfr8wM5Ez
|
||||||
|
/3YK4RC14FybOF6jruoTkvlW0b4d6wsZwPHOKs+IeflO8UzncwfxY8L7GiSwTmC/
|
||||||
|
40QYCNrXmo79dyg9MGvXtBhUOnfZ41zSVdpzN3EZ5ulMZvdnsBeRK2ixImgQKLSf
|
||||||
|
80uZV0k/+koInWYnUQYMbTpKP1843KxZWnLmfd82w1ju5fAsSoDvu9MnomswiRhp
|
||||||
|
PzQdcWBSjcQxWjVxwN4RKXqcLCxm99xywTHYIP1xSCuN22KNOLk=
|
||||||
|
=EOmw
|
||||||
|
-----END PGP SIGNATURE-----
|
41
slapi-nis-bz1958909.patch
Normal file
41
slapi-nis-bz1958909.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Thu, 1 Jul 2021 11:37:38 +0300
|
||||||
|
Subject: [PATCH] back-sch: reuse backend_should_descend
|
||||||
|
|
||||||
|
When backend_search_find_set_dn_cb() is called, use the same logic as in
|
||||||
|
other callbacks -- identify whether we should descend into the group by
|
||||||
|
using backend_should_descend().
|
||||||
|
|
||||||
|
The issue was introduced in 2015 with ID Views support but was masked
|
||||||
|
until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
|
||||||
|
to the full scan of the groups anyway. with the latter change the
|
||||||
|
fell-through part was removed.
|
||||||
|
|
||||||
|
Resolves: rhbz#1958909
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch.c b/src/back-sch.c
|
||||||
|
index d806627..0ed06fb 100644
|
||||||
|
--- a/src/back-sch.c
|
||||||
|
+++ b/src/back-sch.c
|
||||||
|
@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
|
||||||
|
|
||||||
|
/* Check the group itself. */
|
||||||
|
group_dn = slapi_sdn_new_dn_byval(group);
|
||||||
|
- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
|
||||||
|
- cbdata->scope) == 1) {
|
||||||
|
+ if (backend_should_descend(group_dn,
|
||||||
|
+ cbdata->target_dn,
|
||||||
|
+ cbdata->scope)) {
|
||||||
|
cbdata->answer = TRUE;
|
||||||
|
slapi_sdn_free(&group_dn);
|
||||||
|
return TRUE;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
52
slapi-nis-bz1978189.patch
Normal file
52
slapi-nis-bz1978189.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 11:08:21 +0300
|
||||||
|
Subject: [PATCH] back-sch-nss: only loop if asked to try again
|
||||||
|
|
||||||
|
slapi-nis uses sss-idmap library to discover user group membership. Its
|
||||||
|
sss_nss_getgrouplist_timeout() function can return timeout errors as
|
||||||
|
well which might cause a busy looping. sss_nss_getgrouplist_timeout()
|
||||||
|
will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
|
||||||
|
|
||||||
|
Fixes: rhbz#1967179
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch-nss.c | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
|
||||||
|
index df04a96..b595f3b 100644
|
||||||
|
--- a/src/back-sch-nss.c
|
||||||
|
+++ b/src/back-sch-nss.c
|
||||||
|
@@ -589,19 +589,22 @@ repeat:
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- do {
|
||||||
|
+ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
|
||||||
|
rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
|
||||||
|
grouplist, &ngroups,
|
||||||
|
&lerrno);
|
||||||
|
- if ((rc != NSS_STATUS_SUCCESS)) {
|
||||||
|
- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
|
||||||
|
- if (tmp_list == NULL) {
|
||||||
|
+ if (rc == NSS_STATUS_TRYAGAIN) {
|
||||||
|
+ tmp_list = NULL;
|
||||||
|
+ if (lerrno == ERANGE) {
|
||||||
|
+ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
|
||||||
|
+ }
|
||||||
|
+ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
|
||||||
|
free(grouplist);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
grouplist = tmp_list;
|
||||||
|
}
|
||||||
|
- } while (rc != NSS_STATUS_SUCCESS);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
entries = calloc(ngroups + 1, sizeof(entries[0]));
|
||||||
|
if (entries == NULL) {
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
52
slapi-nis-bz1979619.patch
Normal file
52
slapi-nis-bz1979619.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 11:08:21 +0300
|
||||||
|
Subject: [PATCH] back-sch-nss: only loop if asked to try again
|
||||||
|
|
||||||
|
slapi-nis uses sss-idmap library to discover user group membership. Its
|
||||||
|
sss_nss_getgrouplist_timeout() function can return timeout errors as
|
||||||
|
well which might cause a busy looping. sss_nss_getgrouplist_timeout()
|
||||||
|
will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
|
||||||
|
|
||||||
|
Fixes: rhbz#1967179
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch-nss.c | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
|
||||||
|
index df04a96..b595f3b 100644
|
||||||
|
--- a/src/back-sch-nss.c
|
||||||
|
+++ b/src/back-sch-nss.c
|
||||||
|
@@ -589,19 +589,22 @@ repeat:
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- do {
|
||||||
|
+ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
|
||||||
|
rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
|
||||||
|
grouplist, &ngroups,
|
||||||
|
&lerrno);
|
||||||
|
- if ((rc != NSS_STATUS_SUCCESS)) {
|
||||||
|
- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
|
||||||
|
- if (tmp_list == NULL) {
|
||||||
|
+ if (rc == NSS_STATUS_TRYAGAIN) {
|
||||||
|
+ tmp_list = NULL;
|
||||||
|
+ if (lerrno == ERANGE) {
|
||||||
|
+ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
|
||||||
|
+ }
|
||||||
|
+ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
|
||||||
|
free(grouplist);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
grouplist = tmp_list;
|
||||||
|
}
|
||||||
|
- } while (rc != NSS_STATUS_SUCCESS);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
entries = calloc(ngroups + 1, sizeof(entries[0]));
|
||||||
|
if (entries == NULL) {
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
41
slapi-nis-bz1979623.patch
Normal file
41
slapi-nis-bz1979623.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Thu, 1 Jul 2021 11:37:38 +0300
|
||||||
|
Subject: [PATCH] back-sch: reuse backend_should_descend
|
||||||
|
|
||||||
|
When backend_search_find_set_dn_cb() is called, use the same logic as in
|
||||||
|
other callbacks -- identify whether we should descend into the group by
|
||||||
|
using backend_should_descend().
|
||||||
|
|
||||||
|
The issue was introduced in 2015 with ID Views support but was masked
|
||||||
|
until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
|
||||||
|
to the full scan of the groups anyway. with the latter change the
|
||||||
|
fell-through part was removed.
|
||||||
|
|
||||||
|
Resolves: rhbz#1958909
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch.c b/src/back-sch.c
|
||||||
|
index d806627..0ed06fb 100644
|
||||||
|
--- a/src/back-sch.c
|
||||||
|
+++ b/src/back-sch.c
|
||||||
|
@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
|
||||||
|
|
||||||
|
/* Check the group itself. */
|
||||||
|
group_dn = slapi_sdn_new_dn_byval(group);
|
||||||
|
- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
|
||||||
|
- cbdata->scope) == 1) {
|
||||||
|
+ if (backend_should_descend(group_dn,
|
||||||
|
+ cbdata->target_dn,
|
||||||
|
+ cbdata->scope)) {
|
||||||
|
cbdata->answer = TRUE;
|
||||||
|
slapi_sdn_free(&group_dn);
|
||||||
|
return TRUE;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
27
slapi-nis-bz2000919.patch
Normal file
27
slapi-nis-bz2000919.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From 02a9cb46ece79d6205a847e6941a772febe47cff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Ashirov <vashirov@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 16:04:49 +0200
|
||||||
|
Subject: [PATCH] back-sch: fix memory leak in backend_search_cb()
|
||||||
|
|
||||||
|
Resolves: rhbz#1967906
|
||||||
|
|
||||||
|
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
|
||||||
|
---
|
||||||
|
src/back-sch.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/back-sch.c b/src/back-sch.c
|
||||||
|
index 0ed06fb..172d619 100644
|
||||||
|
--- a/src/back-sch.c
|
||||||
|
+++ b/src/back-sch.c
|
||||||
|
@@ -1793,6 +1793,7 @@ backend_search_cb(Slapi_PBlock *pb)
|
||||||
|
slapi_ch_free_string(&target);
|
||||||
|
if (cbdata.answer == FALSE) {
|
||||||
|
/* None of the configured trees in the sets matched the target at all, ignore search */
|
||||||
|
+ slapi_sdn_free(&cbdata.target_dn);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
Name: slapi-nis
|
Name: slapi-nis
|
||||||
Version: 0.60.0
|
Version: 0.60.0
|
||||||
Release: 4%{?dist}.alma.1
|
Release: 4%{?dist}
|
||||||
Summary: NIS Server and Schema Compatibility plugins for Directory Server
|
Summary: NIS Server and Schema Compatibility plugins for Directory Server
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: GPLv3
|
License: GPLv3
|
||||||
@ -19,9 +19,6 @@ URL: http://pagure.io/slapi-nis/
|
|||||||
Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
|
Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
|
||||||
Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
|
Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
|
||||||
Patch0: slapi-nis-bz2183469.patch
|
Patch0: slapi-nis-bz2183469.patch
|
||||||
|
|
||||||
# Patches were taken from:
|
|
||||||
# https://gitlab.com/redhat/centos-stream/rpms/slapi-nis/-/commit/0c099f8456d77e063b51c39fac7c70105816855a
|
|
||||||
Patch1: slapi-nis-RHEL-5134.patch
|
Patch1: slapi-nis-RHEL-5134.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
@ -92,10 +89,10 @@ make check
|
|||||||
%{_sbindir}/nisserver-plugin-defs
|
%{_sbindir}/nisserver-plugin-defs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.60.0-4.alma.1
|
* Tue Oct 10 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
|
||||||
- Ignore updates from non-tracked subtrees during modify/modrdn/update
|
- Ignore updates from non-tracked subtrees during modify/modrdn/update
|
||||||
to avoid deadlocks with retro changelog
|
to avoid deadlocks with retro changelog
|
||||||
|
- Resolves: RHEL-5134
|
||||||
|
|
||||||
* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
|
* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
|
||||||
- Also handle base searches within the compat tree
|
- Also handle base searches within the compat tree
|
Loading…
Reference in New Issue
Block a user