touch-packages team mailing list archive

[Bug 1362481] Re: openldap upgrade fails. chown of olcDbDirectory, /var/lib/ldap not empty and missing backup of suffix

 

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by certain search queries using the
    Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)

openldap (2.4.40-3) unstable; urgency=medium

  * Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation.
    Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation.
    Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation.
    Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation.
    Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation.
    Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation.
    Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation.
    Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation.
    Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation.
    Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation.
    Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation.
    Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation.
    Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation.
    Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation.
    Thanks to Jorge Barreiro.
  * Update Swedish debconf translation.
    Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the templates
    file.
  * Run debconf-updatepo to refresh PO files.

openldap (2.4.40-2) unstable; urgency=medium

  * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
    dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
    rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
    for example if the active backend doesn't use it. Thanks Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a
    debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

openldap (2.4.40-1) unstable; urgency=low

  [ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
      (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files
      under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
      symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they might
      contain other databases. Patch from Kenny Millington. (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same suffix,
      thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
      #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades and
    the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by
    po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration. (Closes:
    #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific
      attributes. (Closes: #761406)
    - Index some more common search attributes by default. (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification. There does not
    appear to be any copyrighted text in this file, only ASN.1 assignments and
    LDAP schema definitions. Fixes a Lintian error on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from
    duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in
    draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
    slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
    after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

  [ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
    #706123)

  [ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <akoc@xxxxxxxxxxxxxxxxxxxxx>.
    (Closes: #661641)

openldap (2.4.39-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

openldap (2.4.39-1) unstable; urgency=low

  [ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in
    doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

  [ Russ Allbery ]
  * Remove myself from Uploaders.

  [ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him.  Thanks for
    your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess
    instances in the source, so that we can be forwards-compatible with new
    ports.  Thanks to Colin Watson <cjwatson@xxxxxxxxxx> for the patch.
    Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for
    driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the database
    on upgrade.  Closes: #738641.

  [ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile,
    smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for
    get-orig-source.
  * source: Add lintian overrides for non-translatable internal
    templates.

 -- Ryan Tandy <ryan@xxxxxxxxx>  Mon, 25 May 2015 19:49:21 -0700

** Changed in: openldap (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1545

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1546

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1362481

Title:
  openldap upgrade fails. chown of olcDbDirectory, /var/lib/ldap not
  empty and missing backup of suffix

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap package in Debian:
  Fix Released

Bug description:
  Upgrading from Ubuntu 12.04.5 LTS to 14.04.1 LTS
  (slapd-2.4.28-1.1ubuntu4.4 to slapd-2.4.31-1+nmu2ubuntu8), it fails
  horribly on my setup with one disk-backend and one ldap-backend (sync
  to another server).

  First, dump_databases in
  /var/lib/dpkg/info/slapd.{config,preinst,postinst} fails due to
  get_directory returning "olcDbDirectory" instead of /var/lib/ldap.
  This is caused by a missing -h to grep, causing another : in the
  returned line, thus causing the '| cut -d: -f 2' to get the wrong part
  of the line.  This causes both the backup of the suffix to fail, and
  later the chown after restore to fail.

      grep "olcDbDirectory:" `grep -l "olcSuffix: ...

  should have been

      grep -h "olcDbDirectory:" `grep -l "olcSuffix:  ...

  Later, get_suffix causes the same suffix to be reported twice, thus
  causing database load to fail on the second round of the while since
  /var/lib/ldap is already loaded with the correct files, but is
  expected to be empty. I fixed it with a '| sort -u' in get_suffix, but
  I guess it would be better to maybe redo load_databases' while loop to
  get both suffix and dbdir (since you can have the same suffix stored
  in more than one location, as I have, and thus first getting the
  suffix and then doing a grep for the olcDbDirectory in get_directory
  will cause the same storage to be reported for both instances of the
  suffix).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1362481/+subscriptions
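
Added example (not part of the original bug report and not the slapd maintainer scripts): a constructed cn=config directory that reproduces the two failures in the bug description above, the "filename:" prefix grep emits without -h and the suffix reported twice by get_suffix. The file contents, the temporary directory and the function names get_directory_without_h, get_directory_with_h and list_databases are assumptions made for illustration; list_databases sketches the reporter's suggestion of reading suffix and directory together per database.

```shell
#!/bin/sh
# Constructed sample: two cn=config entries holding the same suffix, one
# disk backend and one ldap backend (which has no olcDbDirectory).
CONF=$(mktemp -d)
trap 'rm -rf "$CONF"' EXIT
cat > "$CONF/olcDatabase={1}hdb.ldif" <<'EOF'
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
EOF
cat > "$CONF/olcDatabase={2}ldap.ldif" <<'EOF'
dn: olcDatabase={2}ldap
olcSuffix: dc=example,dc=com
olcDbURI: ldap://other.example.com
EOF

# Without -h: grep is handed two files, so it prefixes each hit with
# "filename:" and field 2 becomes the attribute name, not the path.
get_directory_without_h() {
    grep "olcDbDirectory:" $(grep -l "olcSuffix: $1" "$CONF"/*.ldif) |
        cut -d: -f2 | tr -d ' '
}
# With -h the filename prefix is suppressed and field 2 is the directory.
get_directory_with_h() {
    grep -h "olcDbDirectory:" $(grep -l "olcSuffix: $1" "$CONF"/*.ldif) |
        cut -d: -f2 | tr -d ' '
}
# Suffix listing: yields the shared suffix once per database entry.
get_suffix() {
    grep -h "^olcSuffix:" "$CONF"/*.ldif | cut -d: -f2 | tr -d ' '
}
# Hypothetical alternative: one "suffix<TAB>directory" record per database
# entry, so a shared suffix never maps to the wrong storage. The directory
# field is empty for backends that keep nothing on disk.
list_databases() {
    for f in "$CONF"/*.ldif; do
        printf '%s\t%s\n' "$(sed -n 's/^olcSuffix: *//p' "$f")" \
            "$(sed -n 's/^olcDbDirectory: *//p' "$f")"
    done
}

echo "without -h: $(get_directory_without_h 'dc=example,dc=com')"
echo "with -h:    $(get_directory_with_h 'dc=example,dc=com')"
echo "suffixes:   $(get_suffix | wc -l | tr -d ' ') raw, $(get_suffix | sort -u | wc -l | tr -d ' ') unique"
list_databases
```

A backup or restore step that consumes the directory value should check that it is an existing absolute path before running chown or slapcat against it, so a parsing slip like this one stops the upgrade instead of skipping the backup.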

