20220521 OpenLDAP TLS Protocol/Ciphersuite selection for nsswitch-ldap s11-update
authorzihao.zhu@oracle.com <zihao.zhu@oracle.com>
Fri, 17 Jul 2015 14:10:26 -0600
branchs11-update
changeset 4662 291e4ab0706c
parent 4655 4a798873bdfd
child 4665 ac89769a1a3b
20220521 OpenLDAP TLS Protocol/Ciphersuite selection for nsswitch-ldap 20604417 problem in SERVICE/OPENLDAP 18218606 bad runpaths in openldap binaries after 12.3 switch
components/openldap/Makefile
components/openldap/patches/01-no-ssl3.patch
components/openldap/patches/02-CVE-2015-1545.patch
--- a/components/openldap/Makefile	Tue Jul 14 15:20:49 2015 -0700
+++ b/components/openldap/Makefile	Fri Jul 17 14:10:26 2015 -0600
@@ -79,7 +79,7 @@
 CONFIGURE_OPTIONS += --docdir=$(USRSHAREDOCDIR)
 CONFIGURE_OPTIONS += --disable-static
 CONFIGURE_OPTIONS += --enable-overlays
-CONFIGURE_OPTIONS += --disable-dynamic
+CONFIGURE_OPTIONS += --enable-dynamic
 CONFIGURE_OPTIONS += --enable-crypt
 CONFIGURE_OPTIONS += --enable-shared
 CONFIGURE_OPTIONS += --enable-bdb
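Review bot: The flip from `--disable-dynamic` to `--enable-dynamic` at line 19 carries no comment tying it to the runpath bug named in the commit message, so the next reader of this Makefile cannot tell why the built binaries should now be linked against the shared libldap/liblber rather than the static archives (which is what OpenLDAP's configure help describes for --enable-dynamic). Since this changes which library copy slapd and the tools load at runtime, the reason deserves to be recorded next to the option: `# 18218606: link the binaries against the shared libldap/liblber so they resolve the installed libraries at runtime instead of static copies`. The CONFIGURE_OPTIONS list continues outside the hunk.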
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openldap/patches/01-no-ssl3.patch	Fri Jul 17 14:10:26 2015 -0600
@@ -0,0 +1,31 @@
+Fixes problem with setting the TLS client protocol version and ciphersuite
+in the NSSWITCH LDAP library in Solaris.
+Patch was developed in-house; it is Solaris specific and
+will not be contributed upstream.
+
+--- openldap-2.4.30/libraries/libldap/ldap.conf.old	Mon Jun  1 16:46:56 2015
++++ openldap-2.4.30/libraries/libldap/ldap.conf	Mon Jun  1 16:47:08 2015
+@@ -9,5 +9,8 @@
+ #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+ 
+ #SIZELIMIT	12
+ #TIMELIMIT	15
+ #DEREF		never
++
++TLS_PROTOCOL_MIN	3.2
++TLS_CIPHER_SUITE	-ALL:+TLSv1.2:+TLSv1.1
+--- openldap-2.4.30/servers/slapd/slapd.conf.old	Mon Jun  1 16:47:47 2015
++++ openldap-2.4.30/servers/slapd/slapd.conf	Mon Jun  1 16:47:59 2015
+@@ -22,10 +22,12 @@
+ # Sample security restrictions
+ #	Require integrity protection (prevent hijacking)
+ #	Require 112-bit (3DES or better) encryption for updates
+ #	Require 63-bit encryption for simple bind
+ # security ssf=1 update_ssf=112 simple_bind=64
++TLSProtocolMin	3.2
++TLSCipherSuite	-ALL:+TLSv1.2:+TLSv1.1
+ 
+ # Sample access control policy:
+ #	Root DSE: allow anyone to read it
+ #	Subschema (sub)entry DSE: allow anyone to read it
+ #	Other DSEs:
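Review bot: `TLS_PROTOCOL_MIN 3.2` at line 40 and `TLSProtocolMin 3.2` at line 50 set the floor at TLS 1.1, not merely "no SSLv3": in OpenLDAP's major.minor notation 3.0 is SSLv3, 3.1 is TLS 1.0 and 3.2 is TLS 1.1, so TLS 1.0 peers are refused as well, which neither the patch header nor the file name 01-no-ssl3 says. The cipher string `-ALL:+TLSv1.2:+TLSv1.1` is parsed by whichever TLS backend libldap was built against; if that is OpenSSL, `+` only reorders ciphers already selected and does not re-add what `-ALL` removed, and `TLSv1.1` is not a cipher-list keyword as far as I know, so the effective list should be confirmed with `openssl ciphers -v '-ALL:+TLSv1.2:+TLSv1.1'` on the build host before this becomes the shipped default in both ldap.conf and slapd.conf. I would state the intent in the header: `Raise the default TLS floor to TLS 1.1 (TLS_PROTOCOL_MIN 3.2; SSLv3 and TLS 1.0 are refused) and restrict the cipher suites to match.`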
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openldap/patches/02-CVE-2015-1545.patch	Fri Jul 17 14:10:26 2015 -0600
@@ -0,0 +1,15 @@
+Fixes problem with OpenLDAP server configuration in Solaris.
+Patch was generated from upstream.
+
+--- openldap-2.4.30/servers/slapd/overlays/deref.c.old	Fri Jun 26 13:59:18 2015
++++ openldap-2.4.30/servers/slapd/overlays/deref.c	Fri Jun 26 13:59:40 2015
+@@ -182,7 +182,8 @@
+ 		ber_len_t cnt = sizeof(struct berval);
+ 		ber_len_t off = 0;
+ 
+-		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++			|| !cnt )
+ 		{
+ 			rs->sr_text = "Dereference control: derefSpec decoding error";
+ 			rs->sr_err = LDAP_PROTOCOL_ERROR;
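Review bot: The patch header at lines 60-61 says the change was generated from upstream but names neither the CVE (only the file name does) nor the upstream ticket or commit it was taken from, so a later rebase onto a release that already contains the fix cannot easily tell whether this patch is still needed. The added `|| !cnt` at line 71 rejects a deref control whose attribute list decoded to zero entries with LDAP_PROTOCOL_ERROR, which is the empty-attribute-list case CVE-2015-1545 describes, and that is worth saying in the header too. I would replace the first header line with: `Fixes CVE-2015-1545 (upstream ITS <TICKET-ID>): reject a derefSpec with an empty attribute list instead of processing it. Drop this patch once the baseline release contains the upstream fix.` The enclosing deref_parseCtrl function starts and ends outside the hunk.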