Debian Bug report logs -
#741600
389-ds-base: CVE-2014-0132
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 14 Mar 2014 12:21:01 UTC
Severity: grave
Tags: patch, security
Fixed in version 389-ds-base/1.3.2.9-1.1
Done: Tobias Frost <tobi@coldtobi.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>: Bug#741600; Package 389-ds-base. (Fri, 14 Mar 2014 12:21:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 14 Mar 2014 12:21:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: 389-ds-base
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0132 for details.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>: Bug#741600; Package 389-ds-base. (Fri, 14 Mar 2014 17:33:05 GMT)
Acknowledgement sent to Timo Aaltonen <tjaalton@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 14 Mar 2014 17:33:05 GMT)
Message #10 received at 741600@bugs.debian.org:
On 14.03.2014 14:07, Moritz Muehlenhoff wrote:
> Package: 389-ds-base
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0132 for details.
Thanks, fixed in git.d.o.
--
t
Information forwarded to debian-bugs-dist@lists.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>: Bug#741600; Package 389-ds-base. (Fri, 25 Apr 2014 16:12:09 GMT)
Acknowledgement sent to tobi@coldtobi.de: Extra info received and forwarded to list. Copy sent to Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 25 Apr 2014 16:12:09 GMT)
Message #15 received at 741600@bugs.debian.org:
tags 741600 + patch
tags 741600 + pending
thanks
Dear maintainer,
I've prepared an NMU for 389-ds-base (versioned as 1.3.2.9-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards.
diff -Nru 389-ds-base-1.3.2.9/debian/changelog 389-ds-base-1.3.2.9/debian/changelog
--- 389-ds-base-1.3.2.9/debian/changelog 2014-02-03 10:09:07.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/changelog 2014-04-25 16:55:53.000000000 +0200
@@ -1,3 +1,12 @@
+389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
+ * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
+ (Closes: #745821)
+
+ -- Tobias Frost <tobi@coldtobi.de> Fri, 25 Apr 2014 15:11:16 +0200
+
389-ds-base (1.3.2.9-1) unstable; urgency=low
* New upstream release.
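Review bot: the bullet `+ * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev` misspells the library; the patch it refers to edits m4/svrcore.m4 and probes for libsvrcore, so it should read libsvrcore. The two bug references are also written inconsistently (`Closes: 741600` versus `Closes: #745821`); dpkg parses both, but the conventional form is `(Closes: #741600)`, and "see like named patch" would be clearer as "see debian/patches/CVE-2014-0132.patch".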
diff -Nru 389-ds-base-1.3.2.9/debian/control 389-ds-base-1.3.2.9/debian/control
--- 389-ds-base-1.3.2.9/debian/control 2014-01-11 11:40:42.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/control 2014-04-25 16:37:03.000000000 +0200
@@ -22,6 +22,7 @@
libperl-dev,
libkrb5-dev,
libpcre3-dev,
+ libpci-dev
Standards-Version: 3.9.5
Vcs-Git: git://git.debian.org/git/pkg-fedora-ds/389-ds-base.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-fedora-ds/389-ds-base.git
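Review bot: the new `+ libpci-dev` entry is appended to Build-Depends with nothing in this debdiff showing what pulls it in; no configure check or source file using libpci appears here, and the changelog only says the build-dependency was missing (#745821). A one-line remark naming the consumer would keep the next maintainer from dropping it again. As a style point, end the entry with a trailing comma like the `libpcre3-dev,` line above it so later additions do not have to touch this line.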
diff -Nru 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch
--- 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch 1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch 2014-04-25 15:11:13.000000000 +0200
@@ -0,0 +1,49 @@
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -229,34 +229,6 @@
+ return SASL_OK;
+ }
+
+-static int ids_sasl_proxy_policy(
+- sasl_conn_t *conn,
+- void *context,
+- const char *requested_user, int rlen,
+- const char *auth_identity, int alen,
+- const char *def_realm, int urlen,
+- struct propctx *propctx
+-)
+-{
+- int retVal = SASL_OK;
+- /* do not permit sasl proxy authorization */
+- /* if the auth_identity is null or empty string, allow the sasl request to go thru */
+- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
+- Slapi_DN authId , reqUser;
+- slapi_sdn_init_dn_byref(&authId,auth_identity);
+- slapi_sdn_init_dn_byref(&reqUser,requested_user);
+- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
+- LDAPDebug(LDAP_DEBUG_TRACE,
+- "sasl proxy auth not permitted authid=%s user=%s\n",
+- auth_identity, requested_user, 0);
+- retVal = SASL_NOAUTHZ;
+- }
+- slapi_sdn_done(&authId);
+- slapi_sdn_done(&reqUser);
+- }
+- return retVal;
+-}
+-
+ static void ids_sasl_user_search(
+ char *basedn,
+ int scope,
+@@ -583,11 +555,6 @@
+ NULL
+ },
+ {
+- SASL_CB_PROXY_POLICY,
+- (IFP) ids_sasl_proxy_policy,
+- NULL
+- },
+- {
+ SASL_CB_CANON_USER,
+ (IFP) ids_sasl_canon_user,
+ NULL
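Review bot: this patch file has no DEP-3 header, so the CVE it fixes, its upstream origin and whether it was applied upstream are not recorded next to the code; the `Description: Cherrypick fix for CVE-2014-0132` / `Origin: https://fedorahosted.org/389/ticket/47739` header that this debdiff adds to a different patch file belongs at the top of this one. On the change itself, both hunks only delete code: the `ids_sasl_proxy_policy` function and its `SASL_CB_PROXY_POLICY` registration go away, so the server no longer supplies its own proxy-authorization check and the SASL library's built-in default applies (in Cyrus SASL that default only accepts an authorization identity equal to the authenticated identity). The removed callback returned SASL_OK whenever `auth_identity` was NULL or empty and otherwise compared the two identities as DNs with `slapi_sdn_compare`; since no replacement is supplied, a sentence in the patch header stating that the library default is the intended behaviour would make this reviewable without consulting the upstream ticket.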
diff -Nru 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch
--- 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch 1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch 2014-04-25 16:17:53.000000000 +0200
@@ -0,0 +1,20 @@
+Description: Fix autoconf macro to detect svrcore properly
+ configure bails out with a linking error against libsoftokn, which is according
+ #473275 the correct behaviour. The patch modifies the m4 file to do not link
+ against this lib.
+Author: Tobias Frost <tobi@coldtobi.de>
+Forwarded: no
+Last-Update: 2014-04-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/m4/svrcore.m4
++++ b/m4/svrcore.m4
+@@ -96,7 +96,7 @@
+ if test -z "$svrcore_inc" -o -z "$svrcore_lib"; then
+ dnl just see if SVRCORE is already a system library
+ AC_CHECK_LIB([svrcore], [SVRCORE_GetRegisteredPinObj], [havesvrcore=1],
+- [], [$nss_inc $nspr_inc $nss_lib -lnss3 -lsoftokn3 $nspr_lib -lplds4 -lplc4 -lnspr4])
++ [], [$nss_inc $nspr_inc $nss_lib -lnss3 $nspr_lib -lplds4 -lplc4 -lnspr4])
+ if test -n "$havesvrcore" ; then
+ dnl just see if SVRCORE is already a system header file
+ save_cppflags="$CPPFLAGS"
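Review bot: the file name `ftbs_lsoftotkn3.patch` carries two typos (FTBFS, and the library is libsoftokn3, not "softotkn3"); since the name is also what lands in debian/patches/series, rename it before upload rather than carrying it forward. The Description is hard to follow ("configure bails out with a linking error against libsoftokn, which is according #473275 the correct behaviour") and should state plainly what the hunk does: drop `-lsoftokn3` from the AC_CHECK_LIB link flags because, per #473275, failing to link against that library is expected. `Forwarded: no` also deserves a second look: the `-lsoftokn3` being removed is in upstream's m4/svrcore.m4, so either forward it or record why not.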
diff -Nru 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff
--- 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff 2014-01-11 11:39:16.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff 2014-04-25 15:11:03.000000000 +0200
@@ -1,8 +1,14 @@
-diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in
-index 4c7bab8..a972878 100644
+Description: Cherrypick fix for CVE-2014-0132
+Author: Noriko Hosoi <nhosoi@redhat.com>
+Origin: https://fedorahosted.org/389/ticket/47739
+Forwarded: not
+Applied-Upstream: https://fedorahosted.org/389/changeset/9bc2b46b7c7ee4c975d04b041f73a5992906b07c/
+Last-Update: 2014-04-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/ldap/admin/src/scripts/template-bak2db.pl.in
+++ b/ldap/admin/src/scripts/template-bak2db.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
$i++;
}
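Review bot: the DEP-3 header inserted here (`Description: Cherrypick fix for CVE-2014-0132`, `Author: Noriko Hosoi <nhosoi@redhat.com>`, `Origin: https://fedorahosted.org/389/ticket/47739`) describes the SASL fix, not this patch: rename-online-scripts.diff edits the template-*.pl.in wrapper scripts and is unrelated to CVE-2014-0132. Move the header to debian/patches/CVE-2014-0132.patch, which currently has none, and give this file its own Description. Separately, `Forwarded: not` is not a valid DEP-3 value; use `no`, `yes`, `not-needed` or a URL.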
@@ -10,11 +16,9 @@
+exec "{{SERVERBIN-DIR}}/bak2db-online @wrapperArgs -Z {{SERV-ID}}";
exit ($?);
-diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in
-index 712f387..e5f44eb 100644
--- a/ldap/admin/src/scripts/template-db2bak.pl.in
+++ b/ldap/admin/src/scripts/template-db2bak.pl.in
-@@ -49,7 +49,7 @@ while ($i <= $#ARGV) {
+@@ -49,7 +49,7 @@
$i++;
}
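Review bot: this hunk and the three that follow only strip the `diff --git`/`index` lines and the function-name suffix from each `@@` header of rename-online-scripts.diff; the patch content itself is unchanged. That is cosmetic churn that does not belong in a security NMU, where the debdiff should stay limited to the CVE fix and the FTBFS fix the changelog announces, and it makes the security change harder to pick out of the diff. If the headers had to change (for example because the file was regenerated with quilt), say so in the changelog.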
@@ -23,11 +27,9 @@
exit ($?);
-diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in
-index d2d6d87..7edb3c2 100644
--- a/ldap/admin/src/scripts/template-db2index.pl.in
+++ b/ldap/admin/src/scripts/template-db2index.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
$i++;
}
@@ -35,11 +37,9 @@
+exec "{{SERVERBIN-DIR}}/db2index-online @wrapperArgs -Z {{SERV-ID}}";
exit ($?);
-diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in
-index feb8af9..10db293 100644
--- a/ldap/admin/src/scripts/template-db2ldif.pl.in
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
-@@ -53,6 +53,6 @@ while ($i <= $#ARGV) {
+@@ -53,6 +53,6 @@
$cwd = cwd();
@@ -47,11 +47,9 @@
+exec "{{SERVERBIN-DIR}}/db2ldif-online -c $cwd @wrapperArgs -Z {{SERV-ID}}";
exit ($?);
-diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in
-index 5211fd5..0bae57d 100644
--- a/ldap/admin/src/scripts/template-ldif2db.pl.in
+++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
$i++;
}
diff -Nru 389-ds-base-1.3.2.9/debian/patches/series 389-ds-base-1.3.2.9/debian/patches/series
--- 389-ds-base-1.3.2.9/debian/patches/series 2014-01-11 11:39:16.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/series 2014-04-25 16:09:52.000000000 +0200
@@ -2,3 +2,5 @@
fix-sasl-path.diff
admin_scripts.diff
rename-online-scripts.diff
+CVE-2014-0132.patch
+ftbs_lsoftotkn3.patch
Added tag(s) patch. Request was from tobi@coldtobi.de to control@bugs.debian.org. (Fri, 25 Apr 2014 16:12:18 GMT)
Added tag(s) pending. Request was from tobi@coldtobi.de to control@bugs.debian.org. (Fri, 25 Apr 2014 16:12:19 GMT)
Reply sent to Tobias Frost <tobi@coldtobi.de>: You have taken responsibility. (Fri, 25 Apr 2014 21:39:21 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Fri, 25 Apr 2014 21:39:21 GMT)
Message #24 received at 741600-close@bugs.debian.org:
Source: 389-ds-base
Source-Version: 1.3.2.9-1.1
We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 741600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <tobi@coldtobi.de> (supplier of updated 389-ds-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Apr 2014 15:11:16 +0200
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-libs-dbg 389-ds-base-dev 389-ds-base 389-ds-base-dbg
Architecture: source all amd64
Version: 1.3.2.9-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>
Changed-By: Tobias Frost <tobi@coldtobi.de>
Description:
389-ds - 389 Directory Server suite - metapackage
389-ds-base - 389 Directory Server suite - server
389-ds-base-dbg - 389 Directory Server suite - server debugging symbols
389-ds-base-dev - 389 Directory Server suite - development files
389-ds-base-libs - 389 Directory Server suite - libraries
389-ds-base-libs-dbg - 389 Directory Server suite - library debugging symbols
Closes: 741600 745821
Changes:
389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
* Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
(Closes: #745821)
Checksums-Sha1:
46bb7385c1304964e81bca719d7830b2dfbab8f0 2583 389-ds-base_1.3.2.9-1.1.dsc
ffafead56e41340eea8a0fb54f2fdaabddd8dba9 20292 389-ds-base_1.3.2.9-1.1.debian.tar.xz
293657c1efed08cd531c40b2c4fdc71faaad0734 14682 389-ds_1.3.2.9-1.1_all.deb
518767ebbb416c14c5150b71814941b9c594d7f7 355482 389-ds-base-libs_1.3.2.9-1.1_amd64.deb
eebaaee6eb0777c34056f1461af23035de34e9e3 1286850 389-ds-base-libs-dbg_1.3.2.9-1.1_amd64.deb
eae5e60ff15d61d11d605ae209be32ed45d05cf2 66862 389-ds-base-dev_1.3.2.9-1.1_amd64.deb
ff1ab63e0ab67f38b3ba050951ab5ac208682049 1394896 389-ds-base_1.3.2.9-1.1_amd64.deb
a241d67cbd7a4dbba254d107f611e6b0f404faa6 4362090 389-ds-base-dbg_1.3.2.9-1.1_amd64.deb
Checksums-Sha256:
052cb4017ed9f554289e9521134dde6f4bcbdf8bea4ef70f62b898ba564e9bef 2583 389-ds-base_1.3.2.9-1.1.dsc
2439b773d438e1a884eeabf7ed81ff574bc647898fb56ec3fa2b7f95c0435614 20292 389-ds-base_1.3.2.9-1.1.debian.tar.xz
cb6d4d31aefa03fb8e169f4ee37880e14cc1cd4d3f934f0c772f9b16f531debe 14682 389-ds_1.3.2.9-1.1_all.deb
e94d9c848d9423c626d54cacee37a5feda110bd1697afebe6a47d0bf47e76df8 355482 389-ds-base-libs_1.3.2.9-1.1_amd64.deb
dc37aeef3115aa00d3118f7326b8ba9af482801cf2a852d1e37e06b8adc92b98 1286850 389-ds-base-libs-dbg_1.3.2.9-1.1_amd64.deb
4a52fedfbe2602882467cd80e78373e4bdee10594824591ee1ab501a0b64414a 66862 389-ds-base-dev_1.3.2.9-1.1_amd64.deb
7bb9bf971a81df9a79eadde8253402ed8a9d5ecb6b4dff169fc5ec84fa440fda 1394896 389-ds-base_1.3.2.9-1.1_amd64.deb
c5a136300aef05b57f4bf18ca2840184604a105a157aba2af61834af540c2703 4362090 389-ds-base-dbg_1.3.2.9-1.1_amd64.deb
Files:
45e6bf17837906bd788cd4c42ac3e49b 14682 net optional 389-ds_1.3.2.9-1.1_all.deb
270e8d3e59d2e8f21ee4f5085995b519 355482 libs optional 389-ds-base-libs_1.3.2.9-1.1_amd64.deb
11134b552968d64717a1cc61f7eea67b 1286850 debug extra 389-ds-base-libs-dbg_1.3.2.9-1.1_amd64.deb
239ceafc5b142f1b6341432ff04dd5b0 66862 libdevel optional 389-ds-base-dev_1.3.2.9-1.1_amd64.deb
ec5aa74c5a026891d6a0200845aa376d 1394896 net optional 389-ds-base_1.3.2.9-1.1_amd64.deb
9e9540e0f65c50fc0b1e82375e755db2 4362090 debug extra 389-ds-base-dbg_1.3.2.9-1.1_amd64.deb
8ce4c2f4ba2698008395964ba8a36f6e 2583 net optional 389-ds-base_1.3.2.9-1.1.dsc
6f248fec8102eea40b3a99a4fb308148 20292 net optional 389-ds-base_1.3.2.9-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTWsGRAAoJEKGwm0IzOWHoGSoQAOH8Q84cVfd13rCcF5vjZ316
MSAqtutlKM9wn5zYnym49hsJxFXwCMrxIdGVdW3UxDEXUgo0RwGMXg5bWY8qUieY
p1eXF6ILcjhrbPmbJP7OTOiUYDMJyIQrvNPI/bjWGLxjjvD0zD0z4Lzu+yScj/X1
YX63fBE06HyBwjqyB3A/tdhHPIUl+cmV9HcFAVLNGiDN8F14OSHW/H0IDbp7KqkK
cW9wFXAoGWAZorgHrZ4fg5VnLKqUhRCR9OByhiBmCQqXxfbmN1PidbjFj9FL4hu5
R5EVdfsmL5HnoRB7DgXx6kJoeMpMmd3GVWao+P/ATiGW5h4Yog9NlfYtqIPPUtCJ
Y7kg72atISq/T6NhmVxobIDcN9gErRi4LTjI8c3ZFV0wOlrcCgRUFk2/VVghlp53
Dxm/2DWTVs6CDWizFraON7zBtwiL85DRkY6D0jlvFj3YxgP1eSIViIqr53cgi705
nJ7kv/oFoTdwZ8lXFG3Kl2LRUTi4fPMwFvke2VehwDi9xDpplhlbOWZ0uXmZhM4f
db8Y+m+NCTuGmoIHe7fA1KZzdLapmtzlvFeGUvn4EO8DCCktLx/3RJcTaqo4K7FS
SeQFBKY8FzkPowAe/Xontb/sjehbXfVyRtIYBkOGfyqvI6Zoi9opI2ltGzN08doG
H15xdV/jB++5YwnBHq52
=pXLa
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 May 2014 07:25:11 GMT)
Last modified:
Wed Jun 19 15:37:51 2019;