touch-packages team mailing list archive
Message #81299
[Bug 1362481] Re: openldap upgrade fails. chwon of olcDbDirectory, /var/lib/ldap not empty and missing backup of suffix
This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1
---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low
* Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
- Enable AppArmor support:
- d/apparmor-profile: add AppArmor profile
- d/rules: use dh_apparmor
- d/control: Build-Depends on dh-apparmor
- d/slapd.README.Debian: add note about AppArmor
- Enable GSSAPI support:
- d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
- Add --with-gssapi support
- Make guess_service_principal() more robust when determining
principal
- d/configure.options: Configure with --with-gssapi
- d/control: Added heimdal-dev as a build depend
- Enable ufw support:
- d/control: suggest ufw.
- d/rules: install ufw profile.
- d/slapd.ufw.profile: add ufw profile.
- Enable nss overlay:
- d/{patches/nssov-build,rules}: Apply, build and package the
nss overlay.
- d/{rules,slapd.py}: Add apport hook.
- d/slapd.init.ldif: don't set olcRootDN since it's not defined in
either the default DIT nor via an Authn mapping.
- d/slapd.scripts-common:
- add slapcat_opts to local variables.
- Remove unused variable new_conf.
- Fix backup directory naming for multiple reconfiguration.
- d/{slapd.default,slapd.README.Debian}: use the new configuration style.
- d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
in the openldap library, as required by Likewise-Open
- Show distribution in version:
- d/control: added lsb-release
- d/patches/fix-ldap-distribution.patch: show distribution in version
* Drop patches included upstream:
- d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
- d/patches/bdb-deadlock.patch
- d/patches/its-7354-fix-delta-sync-mmr.diff
* Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
* debian/patches/nssov-build: Adjust for upstream changes.
* debian/apparmor-profile:
- Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
kernel ABI v7 (utopic and later). (LP: #1392018)
- Reduce permissions on /run/nslcd to just the nslcd socket.
* Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
(LP: #1293250)
openldap (2.4.40+dfsg-1) unstable; urgency=medium
* Remove inetorgperson.schema from the upstream source. Replace it with a
copy stripped of RFC text. (Closes: #780283)
* Adjust debian/watch for +dfsg versioning.
* debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
patch to fix scope=onelevel searches wrongly including the search base in
results under the MDB backend. (ITS#7975) (Closes: #782212)
openldap (2.4.40-4) unstable; urgency=medium
* debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
patch to fix a crash when a search includes the Deref control with an
empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
* debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
patch to fix a double free triggered by certain search queries using the
Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)
openldap (2.4.40-3) unstable; urgency=medium
* Remove trailing spaces from slapd.templates.
* Update Vietnamese debconf translation.
Thanks to Trần Ngọc Quân.
* Update Danish debconf translation.
Thanks to Joe Hansen. (Closes: #766848)
* Update Japanese debconf translation.
Thanks to Kenshi Muto. (Closes: #766824)
* Update Russian debconf translation.
Thanks to Yuri Kozlov. (Closes: #766825)
* Update Basque translation.
Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
* Update French debconf translation.
Thanks to Christian Perrier. (Closes: #767634)
* Update German debconf translation.
Thanks to Helge Kreutzmann. (Closes: #767686)
* Update Portuguese debconf translation.
Thanks to Ricardo Silva. (Closes: #768085)
* Update Italian debconf translation.
Thanks to Luca Monducci. (Closes: #768195)
* Update Turkish debconf translation.
Thanks to Atila KOÇ. (Closes: #768409)
* Update Czech debconf translation.
Thanks to Miroslav Kure. (Closes: #768591)
* Update Catalan debconf translation.
Thanks to Innocent De Marchi. (Closes: #768605)
* Update Dutch debconf translation.
Thanks to Frans Spiesschaert. (Closes: #769024)
* Update Brazilian Portuguese debconf translation.
Thanks to Adriano Rafael Gomes. (Closes: #769717)
* Update Galician debconf translation.
Thanks to Jorge Barreiro.
* Update Swedish debconf translation.
Thanks to Martin Bagge / brother. (Closes: #769867)
* Update Spanish debconf translation.
Thanks to Camaleón. (Closes: #770715)
* Fix doubled spaces in po files, caused by trailing spaces in the templates
file.
* Run debconf-updatepo to refresh PO files.
openldap (2.4.40-2) unstable; urgency=medium
* Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
* debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
dpkg-buildflags. Spotted by Lintian.
* debian/slapd.init.ldif: Don't bother explicitly granting rights to the
rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
* Recommend MDB for new installations, per upstream's recommendation.
* Don't re-create the default DB_CONFIG if there wasn't one in the backup,
for example if the active backend doesn't use it. Thanks Ferenc Wagner.
* On upgrade, if an access rule begins with "to * by self write", show a
debconf note warning that it should be changed. (Closes: #761406)
* Build and install the lastbind contrib module. (Closes: #701111)
* Build and install the passwd/sha2 contrib module. (Closes: #746727)
openldap (2.4.40-1) unstable; urgency=low
[ Ryan Tandy ]
* New upstream release.
- fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
- fixed slapcat with external schema (ITS#7895) (Closes: #599235)
- fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
- fixed modrdn crash on naming attr with no matching rule (ITS#7850)
(Closes: #666515)
- fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
* slapd.scripts-common:
- Anchor grep patterns to avoid matching commented lines in ldif files
under cn=config. (Closes: #723957)
- Don't silently ignore nonexistent directories that should be dumped.
- Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
symlink. (Closes: #742862)
- When upgrading a database, ignore extra nested directories as they might
contain other databases. Patch from Kenny Millington. (LP: #1003854)
- Fix dumping and reloading when multiple databases hold the same suffix,
thanks Peder Stray. (Closes: #759596, LP: #1362481)
- Remove trailing dot from slapd/domain. (Closes: #637996)
* debian/rules:
- Enable parallel building.
- Copy libldap-2.4-2.shlibs into place manually, as a workaround for
#676168. (Closes: #742841)
* debian/slapd.README.Debian: Add a note about database format upgrades and
the consequences of missing one. (Closes: #594711)
* Build with GnuTLS 3 (Closes: #745231, #760559).
* Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
* Drop debconf-utils from Build-Depends, no longer used (replaced by
po-debconf). Thanks Johannes Schauer.
* Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
* Offer the MDB backend as a choice during initial configuration. (Closes:
#750022)
* debian/slapd.init.ldif:
- Disallow modifying one's own entry by default, except specific
attributes. (Closes: #761406)
- Index some more common search attributes by default. (Closes: #762111)
* Introduce a symbols file for libldap-2.4-2.
* debian/schema/pmi.schema: Add a copyright clarification. There does not
appear to be any copyrighted text in this file, only ASN.1 assignments and
LDAP schema definitions. Fixes a Lintian error on the original.
* debian/schema/duaconf.schema: Strip Internet-Draft text from
duaconf.schema.
* Drop debian/patches/CVE-2013-4449.patch, applied upstream.
* Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
* debian/schema/ppolicy.schema: Update with ordering rules added in
draft-behera-ldap-password-policy-11.
* Suggest GSSAPI SASL modules. (Closes: #762424)
* debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
after the server is restarted. (Closes: #761407)
* Add myself to Uploaders.
[ Jelmer Vernooij ]
* Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
#706123)
[ Updated debconf translations ]
* Turkish, thanks to Atila KOÇ <akoc@xxxxxxxxxxxxxxxxxxxxx>.
(Closes: #661641)
openldap (2.4.39-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix CVE-2013-4449: reference counting logic issue (closes: #729367).
openldap (2.4.39-1) unstable; urgency=low
[ Peter Marschall ]
* debian/patches/wrong-database-location: fix database location in
doc/man/man5/slapd-mdb.5
* debian/configure.options: add info on --enable-mdb
[ Russ Allbery ]
* Remove myself from Uploaders.
[ Steve Langasek ]
* Remove Stephen Frost from Uploaders, per discussion with him. Thanks for
your contributions, Stephen!
* Adjust dh_autoreconf usage to update all config.sub/config.guess
instances in the source, so that we can be forwards-compatible with new
ports. Thanks to Colin Watson <cjwatson@xxxxxxxxxx> for the patch.
Closes: #725824.
* Add Timo to Uploaders.
* Update Vcs-* fields to point at the new git repo; thanks to Timo for
driving this migration!
* Rebuild against db5.3, with a corresponding dump/restore of the database
on upgrade. Closes: #738641.
[ Timo Aaltonen ]
* contrib-modules-use-dpkg-buildflags, autogroup-makefile,
smbk5pwd-makefile:
- Updated for current upstream.
* Refresh patches to apply cleanly.
* rules: Use dpkg-parsechangelog to determine the upstream version for
get-orig-source.
* source: Add lintian overrides for non-translatable internal
templates.
-- Ryan Tandy <ryan@xxxxxxxxx> Mon, 25 May 2015 19:49:21 -0700
** Changed in: openldap (Ubuntu)
Status: In Progress => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1545
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1546
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1362481
Title:
openldap upgrade fails. chwon of olcDbDirectory, /var/lib/ldap not
empty and missing backup of suffix
Status in openldap package in Ubuntu:
Fix Released
Status in openldap package in Debian:
Fix Released
Bug description:
Upgrading from Ubuntu 12.04.5 LTS to 14.04.1 LTS
(slapd-2.4.28-1.1ubuntu4.4 to slapd-2.4.31-1+nmu2ubuntu8), it fails
horribly on my setup with one disk-backend and one ldap-backend (sync
to another server).
First, dump_databases in
/var/lib/dpkg/info/slapd.{config,preinst,postinst} fails due to
get_directory returning "olcDbDirectory" instead of /var/lib/ldap.
This is caused by a missing -h to grep, causing another : in the
returned line, thus causing the '| cut -d: -f 2' to get the wrong part
of the line. This causes both the backup of the suffix to fail, and
later the chown after restore to fail.
grep "olcDbDirectory:" `grep -l "olcSuffix: ...
should have been
grep -h "olcDbDirectory:" `grep -l "olcSuffix: ...
Later, get_suffix causes the same suffix to be reported twice, thus
causing database load to fail on the second round of the while since
/var/lib/ldap is already loaded with the correct files, but is
expected to be empty. I fixed it with a '| sort -u' in get_suffix, but
I guess it would be better to maybe redo load_databases' while loop to
get both suffix and dbdir (since you can have the same suffix stored
in more than one location, as I have, and thus first getting the
suffix and then doing a grep for the olcDbDirectory in get_directory
will cause the same storage to be reported for both instances of the
suffix).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1362481/+subscriptions
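The two failures described in the bug report above (the missing grep -h and the suffix reported twice), reproduced as an added example that is not code from the slapd maintainer scripts. The LDIF contents and all function names are constructed for illustration, and the per-file walk in list_databases is one way to follow the reporter's suggestion, not the fix that was shipped.

```shell
#!/bin/sh
# Added example: constructed fixture and hypothetical function names.

# Throwaway cn=config-style directory: a disk backend and an ldap backend
# that both hold the same suffix, as in the report.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' 'dn: olcDatabase={1}hdb,cn=config' \
        'olcSuffix: dc=example,dc=com' 'olcDbDirectory: /var/lib/ldap' \
        > "$dir/olcDatabase={1}hdb.ldif"
    printf '%s\n' 'dn: olcDatabase={2}ldap,cn=config' \
        'olcSuffix: dc=example,dc=com' 'olcDbURI: ldap://other.example.com' \
        > "$dir/olcDatabase={2}ldap.ldif"
    echo "$dir"
}
# Reported behaviour: without -h, two files on the command line make grep
# prefix each hit with "filename:", so cut field 2 is the attribute name.
get_directory_buggy() {   # $1 = config dir, $2 = suffix
    grep "olcDbDirectory:" $(grep -l "olcSuffix: $2" "$1"/*.ldif) | cut -d: -f 2
}
# -h drops the filename prefix; ^ anchors skip commented lines.
get_directory_fixed() {
    grep -h "^olcDbDirectory:" $(grep -l "^olcSuffix: $2" "$1"/*.ldif) \
        | cut -d: -f 2 | sed 's/^ *//'
}
# Listing suffixes alone reports a shared suffix once per database.
get_suffix() {
    grep -h "^olcSuffix:" "$1"/*.ldif | cut -d: -f 2- | sed 's/^ *//'
}
# Suffix-first iteration: both rounds resolve to the same directory.
dirs_by_suffix() {
    get_suffix "$1" | while read -r s; do get_directory_fixed "$1" "$s"; done
}
# Walk each database file once and emit "suffix|directory", skipping
# backends that have no on-disk directory.
list_databases() {
    for f in "$1"/*.ldif; do
        suffix=$(sed -n 's/^olcSuffix: *//p' "$f")
        dbdir=$(sed -n 's/^olcDbDirectory: *//p' "$f")
        [ -n "$suffix" ] && [ -n "$dbdir" ] && echo "$suffix|$dbdir"
    done
    return 0
}

cfg=$(make_fixture)
echo "without -h: $(get_directory_buggy "$cfg" 'dc=example,dc=com')"
echo "with -h:    $(get_directory_fixed "$cfg" 'dc=example,dc=com')"
echo "per file:   $(list_databases "$cfg")"
rm -rf "$cfg"
```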