11 changed files with 66 additions and 281 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,89 +1 @@
-slapi-nis-0.8.tar.gz
+SOURCES/slapi-nis-0.60.0.tar.gz
 slapi-nis-0.8.1.tar.gz
 slapi-nis-0.9.tar.gz
 slapi-nis-0.10.tar.gz
 slapi-nis-0.11.tar.gz
 slapi-nis-0.13.tar.gz
 slapi-nis-0.14.tar.gz
 slapi-nis-0.15.tar.gz
 slapi-nis-0.16.tar.gz
 slapi-nis-0.17.tar.gz
 /slapi-nis-0.18.tar.gz
 /slapi-nis-0.19.tar.gz
 /slapi-nis-0.20.tar.gz
 /slapi-nis-0.21.tar.gz
 /slapi-nis-0.22.tar.gz
 /slapi-nis-0.23.tar.gz
 /slapi-nis-0.25.tar.gz
 /slapi-nis-0.26.tar.gz
 /slapi-nis-0.27.tar.gz
 /slapi-nis-0.27.tar.gz.sig
 /slapi-nis-0.28.tar.gz
 /slapi-nis-0.28.tar.gz.sig
 /slapi-nis-0.34.tar.gz
 /slapi-nis-0.34.tar.gz.sig
 /slapi-nis-0.36.tar.gz
 /slapi-nis-0.36.tar.gz.sig
 /slapi-nis-0.37.tar.gz
 /slapi-nis-0.37.tar.gz.sig
 /slapi-nis-0.38.tar.gz
 /slapi-nis-0.38.tar.gz.sig
 /slapi-nis-0.40.tar.gz
 /slapi-nis-0.40.tar.gz.sig
 /slapi-nis-0.42.tar.gz
 /slapi-nis-0.42.tar.gz.sig
 /slapi-nis-0.43.tar.gz
 /slapi-nis-0.43.tar.gz.sig
 /slapi-nis-0.44.tar.gz
 /slapi-nis-0.44.tar.gz.sig
 /slapi-nis-0.45.tar.gz
 /slapi-nis-0.45.tar.gz.sig
 /slapi-nis-0.46.tar.gz
 /slapi-nis-0.46.tar.gz.sig
 /slapi-nis-0.47.tar.gz
 /slapi-nis-0.47.tar.gz.sig
 /slapi-nis-0.47.5.tar.gz
 /slapi-nis-0.47.5.tar.gz.sig
 /slapi-nis-0.47.7.tar.gz
 /slapi-nis-0.47.7.tar.gz.sig
 /slapi-nis-0.48.tar.gz
 /slapi-nis-0.48.tar.gz.sig
 /slapi-nis-0.49.tar.gz
 /slapi-nis-0.49.tar.gz.sig
 /slapi-nis-0.50.tar.gz
 /slapi-nis-0.50.tar.gz.sig
 /slapi-nis-0.51.tar.gz
 /slapi-nis-0.51.tar.gz.sig
 /slapi-nis-0.52.tar.gz
 /slapi-nis-0.52.tar.gz.sig
 /slapi-nis-0.53.tar.gz
 /slapi-nis-0.53.tar.gz.sig
 /slapi-nis-0.54.tar.gz
 /slapi-nis-0.54.tar.gz.sig
 /slapi-nis-0.54.1.tar.gz
 /slapi-nis-0.54.1.tar.gz.sig
 /slapi-nis-0.54.2.tar.gz
 /slapi-nis-0.54.2.tar.gz.sig
 /slapi-nis-0.55.tar.gz
 /slapi-nis-0.55.tar.gz.sig
 /slapi-nis-0.56.tar.gz
 /slapi-nis-0.56.tar.gz.sig
 /slapi-nis-0.56.0.tar.gz
 /slapi-nis-0.56.0.tar.gz.sig
 /slapi-nis-0.56.1.tar.gz
 /slapi-nis-0.56.1.tar.gz.sig
 /slapi-nis-0.56.2.tar.gz
 /slapi-nis-0.56.2.tar.gz.sig
 /slapi-nis-0.56.3.tar.gz
 /slapi-nis-0.56.3.tar.gz.sig
 /slapi-nis-0.56.4.tar.gz
 /slapi-nis-0.56.4.tar.gz.asc
 /slapi-nis-0.56.4.tar.gz.sig
 /slapi-nis-0.56.5.tar.gz
 /slapi-nis-0.56.5.tar.gz.asc
 /slapi-nis-0.56.6.tar.gz
 /slapi-nis-0.56.6.tar.gz.asc
 /slapi-nis-0.56.7.tar.gz
 /slapi-nis-0.56.7.tar.gz.asc
 /slapi-nis-0.60.0.tar.gz
 /slapi-nis-0.60.0.tar.gz.asc
--- a/.slapi-nis.metadata
+++ b/.slapi-nis.metadata
@ -0,0 +1 @@
 e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
--- a/0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch
+++ b/0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch
@ -1,28 +0,0 @@
 From 062c157013c5af8714d9015582de898b42d1a981 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 2 May 2018 08:56:15 +0300
 Subject: [PATCH] support transition from libtirpc to libnsl in Fedora 28
 libnsl2-devel in Fedora 28 depends on libtirpc-devel internally
 so we can also reduce the dependency in spec
 diff --git a/configure.ac b/configure.ac
 index 184a9af..80f2ca2 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -273,6 +273,12 @@ AC_ARG_WITH(tirpc,
 	    ])
 if test $use_tirpc = yes ; then
 	PKG_CHECK_MODULES(TIRPC,libtirpc)
 +fi
 +
 +PKG_CHECK_MODULES(NSL,libnsl,[use_libnsl=yes],[use_libnsl=no])
 +if test "$use_libnsl" = yes ; then
 +	RPC_CFLAGS="$NSL_CFLAGS"
 +	RPC_LIBS="$NSL_LIBS"
 else
 	RPC_CFLAGS=
 	RPC_LIBS=-lnsl
 -- 
 2.14.3
--- a/SOURCES/slapi-nis-0.60.0.tar.gz.asc
+++ b/SOURCES/slapi-nis-0.60.0.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmMAimgACgkQRxniuKu/
 YhorRw/8D0typYdDLGlalL7nMo57rjSApgy6gA4FKxMsNg/KiN1/7rMoCbu13iG0
 sP6wpeZLjBNI/nWGYLRuQOyi7DSxgXYlNp+8xzJDMKjnNjRSaK+/EjqIcWhdWoEq
 Q1JDjTdJ3hDCWCMQFrA/EBqb/WgQAhdmPdVzMoy6L2GBvX7W+UlCWaSMfpq5hnqg
 9SZe4NpC7i6BVhHrnWUMsQRcApnjdHlC8tQmzqdD0+iNer0asXmJcQGCI9W7EwAs
 MT4be/C2hfLfWgBdaMCZGgefGFYGI1ec+hfM9jyGsJcBsRXQ8Rq+VOLEI7lkD+wc
 nQwq1VVVcAwFkbziQ5JBZqOKdem8lo9Mucn/sQ297EIfIi8NVhlDDZFtkgsYAglT
 gaEeK4+d0QNz2+ViwJxGp2l0mG2inV8GjiyINpntbw8dh+qwI8xLI6/6B7R6wP30
 Kj/90EehX0vFXX2ylrkrvg3d7UGp6PBgsiqeaJT5bL2ItVKJl8FyD0N9JsEL766/
 SKqNHGZjEJv1rzPf2MMqutLHe1aSyTBjq4JBYPJKHAXPdvZluyALLM94erZqA/tJ
 17PCLAf3P+OvixcnyzsUTP9U7SNlLPiMqwyvUB26ul0+CqEqKzZxiTOfpbKQ8p/j
 3QpkrKLn0JbofZN1K7H6x/Mdwe5scdeTP0T8YPJm+ofZq+fBdnI=
 =ZUV6
 -----END PGP SIGNATURE-----
--- a/SOURCES/slapi-nis-RHEL-5134.patch
+++ b/SOURCES/slapi-nis-RHEL-5134.patch
--- a/SOURCES/slapi-nis-bz2183469.patch
+++ b/SOURCES/slapi-nis-bz2183469.patch
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
@ -11,13 +11,17 @@
 Name:		slapi-nis
 Version:	0.60.0
-Release:	5%{?dist}
+Release:	4%{?dist}.alma.1
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
 License:	GPLv3
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
-Patch0:         slapi-nis-bz2183950.patch
+Patch0:         slapi-nis-bz2183469.patch
 # Patches were taken from:
 # https://gitlab.com/redhat/centos-stream/rpms/slapi-nis/-/commit/0c099f8456d77e063b51c39fac7c70105816855a
 Patch1:         slapi-nis-RHEL-5134.patch
 BuildRequires:  make
@ -38,7 +42,7 @@ BuildRequires:	libtirpc-devel
 %else
 BuildRequires:  libnsl2-devel
 %endif
-%if 0%{?fedora} > 27 || 0%{?rhel} >= 9
+%if 0%{?fedora} > 27 || 0%{?rhel} > 7
 ExcludeArch: %{ix86}
 %endif
 Requires: 389-ds-base >= 1.3.5.6
@ -81,97 +85,79 @@ make check
 %endif
 %files
 %defattr(-,root,root,-)
 %doc COPYING NEWS README STATUS doc/*.txt doc/examples/*.ldif doc/ipa
 %{_mandir}/man1/*
 %{_libdir}/dirsrv/plugins/*.so
 %{_sbindir}/nisserver-plugin-defs
 %changelog
-* Tue Oct 10 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-5
+* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.60.0-4.alma.1
 - Ignore updates from non-tracked subtrees during modify/modrdn/update
  to avoid deadlocks with retro changelog
 - Resolves: RHEL-11983
-* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
+
 * Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
 - Also handle base searches within the compat tree
- Related: rhbz#2183950
+- Related: rhbz#2183469
-* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
+* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
 - Fix base DN searches outside the compat tree
- Resolves: rhbz#2183950
+- Resolves: rhbz#2183469
 * Sun Aug 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
 - Rebuild to fix changelog
 - Related: rhbz#2117299
 * Sat Aug 20 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-1
 - upstream release 0.60.0
 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
- Fix ID views integration
+- Resolves: rhbz#1984010
  Fix ID views integration
 - Fix base scope lookups
- Bump NIS max dgram size to 8KB by default instead of 1KB
+- Resolves: rhbz#1784172
- Resolves: rhbz#2117299
+  Bump NIS max dgram size to 8KB by default instead of 1KB
 - Resolves: rhbz#2070575
  Allow to rebuild the compat tree
-* Fri Jan 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-4
+* Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-4
- Rebuild against libnsl 2.0.0
+- Resolves: rhbz#2000919 - memory leak in backend_search_cb
 - Related: rhbz#2039220
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.7-3
+* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
-  Related: rhbz#1991688
+- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
-* Wed Jul 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-2
+* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
- Resolves: rhbz#1979619
+- CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
-  IPA: High CPU utilization (over 1000% plus) by ns-slapd process
+- Resolves: rhbz#1944713
 - Resolves: rhbz#1979623
  With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
 * Wed May 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
 - CVE-2021-3480: invalid bind DN crash
 - New upstream release
 - Resolves: rhbz#1947351
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.6-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-1
- New upstream release
+- Upstream release 0.56.6
- Ignore searches which don't match any configured map
+- Resolves rhbz#1891741
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.5-3
+* Mon Sep 14 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- Ignore unmatched searches
 - Resolves: rhbz#1874015
 * Thu Sep 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-3
 - Fix memory leaks in ID views processing
 - Resolves: rhbz#1875348
 * Wed May 06 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-2
- Initialize map locks in NIS plugin to prevent crash
+- Initialize map lock in NIS plugin
 - Resolves: rhbz#1832331
 * Mon May 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-1
- New upstream release
+- Upstream release 0.56.5
 - Resolves: rhbz#1751295: (2) When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming
 - Resolves: rhbz#1768156: ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED
-* Fri Feb 07 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.4-1
+* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-2
 - Resolves rhbz#1741881
  ns-slapd is crashing intermittently
 * Wed Jun 05 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
 - New upstream release
- Fix build with newer gcc versions
+- Resolves rhbz#1684563
 - Resolves rhbz#1800097
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-3
+* Mon Jul 23 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+- 389-ds is not available on i686 architecture, don't build there
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu Jun 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
 - New upstream release
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-6
 - Force rebuild of configure
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 # recipients: abokovoy, frenaud, kaleem, ftrivino
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/slapi-nis-bz1979619.patch
+++ b/slapi-nis-bz1979619.patch
@ -1,52 +0,0 @@
 From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 16 Jun 2021 11:08:21 +0300
 Subject: [PATCH] back-sch-nss: only loop if asked to try again
 slapi-nis uses sss-idmap library to discover user group membership.  Its
 sss_nss_getgrouplist_timeout() function can return timeout errors as
 well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
 will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
 Fixes: rhbz#1967179
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 src/back-sch-nss.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
 diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
 index df04a96..b595f3b 100644
 --- a/src/back-sch-nss.c
 +++ b/src/back-sch-nss.c
@@ -589,19 +589,22 @@ repeat:
 		return NULL;
 	}
 -	do {
 +	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
 					      grouplist, &ngroups,
 					      &lerrno);
 -		if ((rc != NSS_STATUS_SUCCESS)) {
 -			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
 -			if (tmp_list == NULL) {
 +		if (rc == NSS_STATUS_TRYAGAIN) {
 +			tmp_list = NULL;
 +			if (lerrno == ERANGE) {
 +				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
 +			}
 +			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
 				free(grouplist);
 				return NULL;
 			}
 			grouplist = tmp_list;
 		}
 -	} while (rc != NSS_STATUS_SUCCESS);
 +	}
 	entries = calloc(ngroups + 1, sizeof(entries[0]));
 	if (entries == NULL) {
 -- 
 2.31.1
--- a/slapi-nis-bz1979623.patch
+++ b/slapi-nis-bz1979623.patch
@ -1,41 +0,0 @@
 From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Thu, 1 Jul 2021 11:37:38 +0300
 Subject: [PATCH] back-sch: reuse backend_should_descend
 When backend_search_find_set_dn_cb() is called, use the same logic as in
 other callbacks -- identify whether we should descend into the group by
 using backend_should_descend().
 The issue was introduced in 2015 with ID Views support but was masked
 until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
 to the full scan of the groups anyway. with the latter change the
 fell-through part was removed.
 Resolves: rhbz#1958909
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
 ---
 src/back-sch.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/back-sch.c b/src/back-sch.c
 index d806627..0ed06fb 100644
 --- a/src/back-sch.c
 +++ b/src/back-sch.c
@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
 	/* Check the group itself. */
 	group_dn = slapi_sdn_new_dn_byval(group);
 -	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
 -				 cbdata->scope) == 1) {
 +	if (backend_should_descend(group_dn,
 +				   cbdata->target_dn,
 +				   cbdata->scope)) {
 		cbdata->answer = TRUE;
 		slapi_sdn_free(&group_dn);
 		return TRUE;
 -- 
 2.31.1
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (slapi-nis-0.60.0.tar.gz) = 15fe7f821c6b7eea5f93edb46adcc8ba8ac8369e47b607bd56db23bbaf3e0a3e35da412bcc3665aa35bfd01d3863222d926d661adb70491f3ecce1204bc4b6e7
 SHA512 (slapi-nis-0.60.0.tar.gz.asc) = 117c1da76320ec065970752cfb5de379dbe7899e08dbcb7f2699daa26cb8cb429e1436092e4d5b39c162fc3b3f58b3c48a24c6884c2bd909767bccdd27cf7786
		`@ -0,0 +1 @@`
							`e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz`
		`@ -1,2 +0,0 @@`
			`SHA512 (slapi-nis-0.60.0.tar.gz) = 15fe7f821c6b7eea5f93edb46adcc8ba8ac8369e47b607bd56db23bbaf3e0a3e35da412bcc3665aa35bfd01d3863222d926d661adb70491f3ecce1204bc4b6e7`
			`SHA512 (slapi-nis-0.60.0.tar.gz.asc) = 117c1da76320ec065970752cfb5de379dbe7899e08dbcb7f2699daa26cb8cb429e1436092e4d5b39c162fc3b3f58b3c48a24c6884c2bd909767bccdd27cf7786`