diff --git a/SOURCES/0035-Issue-5242-Craft-message-may-crash-the-server-5243.patch b/SOURCES/0035-Issue-5242-Craft-message-may-crash-the-server-5243.patch
new file mode 100644
index 0000000..d35f00b
--- /dev/null
+++ b/SOURCES/0035-Issue-5242-Craft-message-may-crash-the-server-5243.patch
@@ -0,0 +1,45 @@
+From 3854c402d06028b63e593463f34bb8d76dc42973 Mon Sep 17 00:00:00 2001
+From: tbordaz
+Date: Wed, 30 Mar 2022 18:07:23 +0200
+Subject: [PATCH 1/4] Issue 5242- Craft message may crash the server (#5243)
+
+Bug description:
+ A craft request can result in DoS
+
+Fix description:
+ If the server fails to decode the ber value
+ then return an Error
+
+relates: 5242
+
+Reviewed by: Pierre Rogier, Mark Reynolds (thanks !)
+
+Platforms tested: F34
+---
+ ldap/servers/slapd/filter.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
+index 8e21b34c3..e86946387 100644
+--- a/ldap/servers/slapd/filter.c
++++ b/ldap/servers/slapd/filter.c
+@@ -644,8 +644,14 @@ get_extensible_filter(BerElement *ber, mr_filter_t *mrf)
+ }
+ }
+
+- if ((tag != LBER_ERROR) && (len != -1)) {
+- goto parsing_error;
++ if (tag == LBER_ERROR) {
++ if (len == -1) {
++ /* means that the ber sequence ended without LBER_END_OF_SEQORSET tag
++ * and it is considered as valid to ensure compatibility with open ldap.
++ */
++ } else {
++ goto parsing_error;
++ }
+ }
+
+ slapi_log_err(SLAPI_LOG_FILTER, "get_extensible_filter", "<= %i\n", rc);
+--
+2.31.1
+
diff --git a/SOURCES/0036-Issue-4956-Automember-allows-invalid-regex-and-does-.patch b/SOURCES/0036-Issue-4956-Automember-allows-invalid-regex-and-does-.patch
new file mode 100644
index 0000000..995cfcb
--- /dev/null
+++ b/SOURCES/0036-Issue-4956-Automember-allows-invalid-regex-and-does-.patch
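Review bot: The new check in get_extensible_filter leaves the accepted case as an empty `if (len == -1)` branch that holds only a comment, which makes the single rejecting path easy to misread; `if ((tag == LBER_ERROR) && (len != -1)) { goto parsing_error; }` with the compatibility comment placed above it expresses the same condition directly. The declaration of `len` is outside the hunk; if it is an unsigned `ber_len_t`, the comparison with `-1` depends on implicit conversion and deserves a word in that comment. Unlike patches 2/4 and 4/4 in this series, this patch adds no test that submits a filter the BER decoder cannot parse, so the DoS fix has no regression coverage here.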
@@ -0,0 +1,106 @@ +From 6458f3cb9a959dd6ad9f8cadc236289715a99979 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 20 Oct 2021 10:04:06 -0400 +Subject: [PATCH 2/4] Issue 4956 - Automember allows invalid regex, and does + not log proper error + +Bug Description: The server was detecting an invalid automember + regex, but it did not reject it, and it did not + log which regex rule was invalid. + +Fix Description: By properly rejecting the invalid regex will also + trigger the proper error logging to occur. + +relates: https://github.com/389ds/389-ds-base/issues/4956 + +Reviewed by: tbordaz & spichugi(Thanks!!) +--- + .../automember_plugin/configuration_test.py | 63 +++++++++++++++++++ + ldap/servers/plugins/automember/automember.c | 1 + + 2 files changed, 64 insertions(+) + create mode 100644 dirsrvtests/tests/suites/automember_plugin/configuration_test.py + +diff --git a/dirsrvtests/tests/suites/automember_plugin/configuration_test.py b/dirsrvtests/tests/suites/automember_plugin/configuration_test.py +new file mode 100644 +index 000000000..fc7c15c45 +--- /dev/null ++++ b/dirsrvtests/tests/suites/automember_plugin/configuration_test.py +@@ -0,0 +1,63 @@ ++# --- BEGIN COPYRIGHT BLOCK --- ++# Copyright (C) 2021 Red Hat, Inc. ++# All rights reserved. ++# ++# License: GPL (version 3 or any later version). ++# See LICENSE for details. ++# --- END COPYRIGHT BLOCK --- ++ ++import ldap ++import os ++import pytest ++from lib389.topologies import topology_st as topo ++from lib389.plugins import AutoMembershipPlugin, AutoMembershipDefinitions, MemberOfPlugin ++from lib389._constants import DEFAULT_SUFFIX ++ ++pytestmark = pytest.mark.tier1 ++ ++def test_invalid_regex(topo): ++ """Test invalid regex is properly reportedin the error log ++ ++ :id: a6d89f84-ec76-4871-be96-411d051800b1 ++ :setup: Standalone Instance ++ :steps: ++ 1. Setup automember ++ 2. Add invalid regex ++ 3. Error log reports useful message ++ :expectedresults: ++ 1. Success ++ 2. Success ++ 3. 
Success ++ """ ++ REGEX_DN = "cn=regex1,cn=testregex,cn=auto membership plugin,cn=plugins,cn=config" ++ REGEX_VALUE = "cn=*invalid*" ++ REGEX_ESC_VALUE = "cn=\\*invalid\\*" ++ GROUP_DN = "cn=demo_group,ou=groups," + DEFAULT_SUFFIX ++ ++ AutoMembershipPlugin(topo.standalone).remove_all("nsslapd-pluginConfigArea") ++ automemberplugin = AutoMembershipPlugin(topo.standalone) ++ ++ automember_prop = { ++ 'cn': 'testRegex', ++ 'autoMemberScope': 'ou=People,' + DEFAULT_SUFFIX, ++ 'autoMemberFilter': 'objectclass=*', ++ 'autoMemberDefaultGroup': GROUP_DN, ++ 'autoMemberGroupingAttr': 'member:dn', ++ } ++ automember_defs = AutoMembershipDefinitions(topo.standalone, "cn=Auto Membership Plugin,cn=plugins,cn=config") ++ automember_def = automember_defs.create(properties=automember_prop) ++ automember_def.add_regex_rule("regex1", GROUP_DN, include_regex=[REGEX_VALUE]) ++ ++ automemberplugin.enable() ++ topo.standalone.restart() ++ ++ # Check errors log for invalid message ++ ERR_STR1 = "automember_parse_regex_rule - Unable to parse regex rule" ++ ERR_STR2 = "Skipping invalid inclusive regex rule in rule entry \"%s\" \\(rule = \"%s\"\\)" % (REGEX_DN, REGEX_ESC_VALUE) ++ assert topo.standalone.searchErrorsLog(ERR_STR1) ++ assert topo.standalone.searchErrorsLog(ERR_STR2) ++ ++ ++if __name__ == "__main__": ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s -v %s" % CURRENT_FILE) +diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c +index 24fd874aa..d06c6375e 100644 +--- a/ldap/servers/plugins/automember/automember.c ++++ b/ldap/servers/plugins/automember/automember.c +@@ -1224,6 +1224,7 @@ automember_parse_regex_rule(char *rule_string) + "automember_parse_regex_rule - Unable to parse " + "regex rule (invalid regex). Error \"%s\".\n", + recomp_result ? recomp_result : "unknown"); ++ goto bail; + } + + /* Validation has passed, so create the regex rule struct and fill it in. +-- +2.31.1 + 
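Review bot: In the new configuration_test.py the `__main__` block calls `pytest.main("-s -v %s" % CURRENT_FILE)` with one command-line string, while the test added in patch 4/4 passes a list; the documented form is a list of arguments and newer pytest releases no longer accept a string, so `pytest.main(["-s", "-v", CURRENT_FILE])` is the safer spelling. The test also creates the `testRegex` definition and its invalid rule on the shared `topo` instance and never removes them, so later tests on that instance inherit the broken configuration; a finalizer that deletes the definition would isolate it. The imports `ldap` and `MemberOfPlugin` are unused, and the docstring summary reads `reportedin`. On the C side, what the `bail` label in automember_parse_regex_rule releases is outside the hunk, so it should be confirmed that the failed-compile path frees everything allocated before the jump.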
diff --git a/SOURCES/0037-Issue-5155-RFE-Provide-an-option-to-abort-an-Auto-Me.patch b/SOURCES/0037-Issue-5155-RFE-Provide-an-option-to-abort-an-Auto-Me.patch
new file mode 100644
index 0000000..334ba59
--- /dev/null
+++ b/SOURCES/0037-Issue-5155-RFE-Provide-an-option-to-abort-an-Auto-Me.patch
@@ -0,0 +1,255 @@ +From b74fa27d5da3e96f474a9643d6c56cea7e395db8 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 8 Feb 2022 12:38:54 -0500 +Subject: [PATCH 3/4] Issue 5155 - RFE - Provide an option to abort an Auto + Member rebuild task + +https://github.com/389ds/389-ds-base/issues/5155 + +https://github.com/389ds/389-ds-base/pull/5157 +--- + ldap/servers/plugins/automember/automember.c | 124 +++++++++++++------ + 1 file changed, 88 insertions(+), 36 deletions(-) + +diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c +index d06c6375e..c377431f4 100644 +--- a/ldap/servers/plugins/automember/automember.c ++++ b/ldap/servers/plugins/automember/automember.c +@@ -21,6 +21,7 @@ + */ + static PRCList *g_automember_config = NULL; + static Slapi_RWLock *g_automember_config_lock = NULL; ++static uint64_t abort_rebuild_task = 0; + + static void *_PluginID = NULL; + static Slapi_DN *_PluginDN = NULL; +@@ -82,9 +83,11 @@ static int automember_update_member_value(Slapi_Entry *member_e, const char *gro + static int automember_task_add(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); + static int automember_task_add_export_updates(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); + static int automember_task_add_map_entries(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); ++static int automember_task_abort(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); + void automember_rebuild_task_thread(void *arg); + void automember_export_task_thread(void *arg); + void automember_map_task_thread(void *arg); ++void automember_task_abort_thread(void *arg); + static void automember_task_destructor(Slapi_Task *task); + static void automember_task_export_destructor(Slapi_Task *task); + static void 
automember_task_map_destructor(Slapi_Task *task); +@@ -305,6 +308,7 @@ automember_start(Slapi_PBlock *pb) + "--> automember_start\n"); + + slapi_plugin_task_register_handler("automember rebuild membership", automember_task_add, pb); ++ slapi_plugin_task_register_handler("automember abort rebuild", automember_task_abort, pb); + slapi_plugin_task_register_handler("automember export updates", automember_task_add_export_updates, pb); + slapi_plugin_task_register_handler("automember map updates", automember_task_add_map_entries, pb); + +@@ -383,6 +387,9 @@ automember_close(Slapi_PBlock *pb __attribute__((unused))) + automember_task_add_export_updates); + slapi_plugin_task_unregister_handler("automember map updates", + automember_task_add_map_entries); ++ slapi_plugin_task_unregister_handler("automember abort rebuild", ++ automember_task_abort); ++ + + automember_delete_config(); + slapi_sdn_free(&_PluginDN); +@@ -2207,6 +2214,65 @@ automember_task_map_destructor(Slapi_Task *task) + } + } + ++/* ++ * automember_task_abort ++ * ++ * This task is designed to abort and existing rebuild task ++ * ++ * task entry: ++ * ++ * dn: cn=my abort task, cn=automember abort rebuild,cn=tasks,cn=config ++ * objectClass: top ++ * objectClass: extensibleObject ++ * cn: my abort task ++ */ ++static int ++automember_task_abort(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter __attribute__((unused)), int *returncode, char *returntext __attribute__((unused)), void *arg) ++{ ++ Slapi_Task *task = NULL; ++ PRThread *thread = NULL; ++ int rc; ++ ++ *returncode = LDAP_SUCCESS; /* can not fail - always success */ ++ ++ task = slapi_plugin_new_task(slapi_entry_get_ndn(e), arg); ++ thread = PR_CreateThread(PR_USER_THREAD, automember_task_abort_thread, ++ (void *)task, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, ++ PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE); ++ if (thread == NULL) { ++ slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM, ++ "automember_task_abort - Unable to create 
task thread!\n"); ++ *returncode = LDAP_OPERATIONS_ERROR; ++ slapi_task_finish(task, *returncode); ++ rc = SLAPI_DSE_CALLBACK_ERROR; ++ } else { ++ rc = SLAPI_DSE_CALLBACK_OK; ++ } ++ return rc; ++} ++ ++void ++automember_task_abort_thread(void *arg) ++{ ++ Slapi_Task *task = (Slapi_Task *)arg; ++ ++ slapi_task_inc_refcount(task); ++ slapi_task_begin(task, 1); ++ slapi_task_log_notice(task, "Automember abort rebuild task started."); ++ slapi_task_log_status(task, "Automember abort rebuild task started."); ++ ++ /* Set the abort flag */ ++ slapi_atomic_store_64(&abort_rebuild_task, 1, __ATOMIC_RELEASE); ++ ++ /* Wrap things up */ ++ slapi_task_log_notice(task, "Automember abort rebuild task finished."); ++ slapi_task_log_status(task, "Automember abort rebuild task finished."); ++ slapi_task_inc_progress(task); ++ slapi_task_finish(task, 0); ++ slapi_task_dec_refcount(task); ++} ++ ++ + /* + * automember_task_add + * +@@ -2320,13 +2386,16 @@ automember_rebuild_task_thread(void *arg) + { + Slapi_Task *task = (Slapi_Task *)arg; + struct configEntry *config = NULL; +- Slapi_PBlock *search_pb = NULL, *fixup_pb = NULL; ++ Slapi_PBlock *search_pb = NULL; + Slapi_Entry **entries = NULL; + task_data *td = NULL; + PRCList *list = NULL; + PRCList *include_list = NULL; + int result = 0; +- size_t i = 0, ii = 0; ++ size_t i = 0; ++ ++ /* Reset abort flag */ ++ slapi_atomic_store_64(&abort_rebuild_task, 0, __ATOMIC_RELEASE); + + if (!task) { + return; /* no task */ +@@ -2350,6 +2419,8 @@ automember_rebuild_task_thread(void *arg) + /* + * Search the database + */ ++ automember_config_read_lock(); ++ + search_pb = slapi_pblock_new(); + slapi_search_internal_set_pb_ext(search_pb, td->base_dn, td->scope, td->filter_str, NULL, + 0, NULL, NULL, automember_get_plugin_id(), 0); +@@ -2372,30 +2443,19 @@ automember_rebuild_task_thread(void *arg) + slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); + + /* +- * If this is a backend txn plugin, start the transaction ++ 
* loop over the entries + */ +- if (plugin_is_betxn) { +- Slapi_Backend *be = slapi_be_select(td->base_dn); +- +- if (be) { +- fixup_pb = slapi_pblock_new(); +- slapi_pblock_set(fixup_pb, SLAPI_BACKEND, be); +- if (slapi_back_transaction_begin(fixup_pb) != LDAP_SUCCESS) { +- slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM, +- "automember_rebuild_task_thread - Failed to start transaction\n"); +- } +- } else { +- slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM, +- "automember_rebuild_task_thread - Failed to get be backend from %s\n", +- slapi_sdn_get_dn(td->base_dn)); ++ for (i = 0; entries && (entries[i] != NULL); i++) { ++ if (slapi_atomic_load_64(&abort_rebuild_task, __ATOMIC_ACQUIRE) == 1) { ++ /* The task was aborted */ ++ slapi_task_log_notice(task, "Automember rebuild task was intentionally aborted"); ++ slapi_task_log_status(task, "Automember rebuild task was intentionally aborted"); ++ slapi_log_err(SLAPI_LOG_NOTICE, AUTOMEMBER_PLUGIN_SUBSYSTEM, ++ "automember_rebuild_task_thread - task was intentionally aborted\n"); ++ result = -1; ++ goto out; + } +- } + +- /* +- * Grab the config read lock, and loop over the entries +- */ +- automember_config_read_lock(); +- for (i = 0; entries && (entries[i] != NULL); i++) { + if (!PR_CLIST_IS_EMPTY(g_automember_config)) { + list = PR_LIST_HEAD(g_automember_config); + while (list != g_automember_config) { +@@ -2405,7 +2465,7 @@ automember_rebuild_task_thread(void *arg) + (slapi_filter_test_simple(entries[i], config->filter) == 0)) + { + /* First clear out all the defaults groups */ +- for (ii = 0; config->default_groups && config->default_groups[ii]; ii++) { ++ for (size_t ii = 0; config->default_groups && config->default_groups[ii]; ii++) { + if ((result = automember_update_member_value(entries[i], config->default_groups[ii], + config->grouping_attr, config->grouping_value, NULL, DEL_MEMBER))) + { +@@ -2418,7 +2478,6 @@ automember_rebuild_task_thread(void *arg) + slapi_log_err(SLAPI_LOG_ERR, 
AUTOMEMBER_PLUGIN_SUBSYSTEM, + "automember_rebuild_task_thread - Unable to unable to delete from (%s) error (%d)\n", + config->default_groups[ii], result); +- automember_config_unlock(); + goto out; + } + } +@@ -2440,7 +2499,6 @@ automember_rebuild_task_thread(void *arg) + slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "automember_rebuild_task_thread - Unable to unable to delete from (%s) error (%d)\n", + slapi_sdn_get_dn(curr_rule->target_group_dn), result); +- automember_config_unlock(); + goto out; + } + include_list = PR_NEXT_LINK(include_list); +@@ -2452,7 +2510,6 @@ automember_rebuild_task_thread(void *arg) + automember_update_membership(config, entries[i], NULL) == SLAPI_PLUGIN_FAILURE) + { + result = SLAPI_PLUGIN_FAILURE; +- automember_config_unlock(); + goto out; + } + } +@@ -2460,17 +2517,10 @@ automember_rebuild_task_thread(void *arg) + } + } + } +- automember_config_unlock(); + + out: +- if (plugin_is_betxn && fixup_pb) { +- if (i == 0 || result != 0) { /* no updates performed */ +- slapi_back_transaction_abort(fixup_pb); +- } else { +- slapi_back_transaction_commit(fixup_pb); +- } +- slapi_pblock_destroy(fixup_pb); +- } ++ automember_config_unlock(); ++ + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + +@@ -2485,6 +2535,8 @@ out: + slapi_task_inc_progress(task); + slapi_task_finish(task, result); + slapi_task_dec_refcount(task); ++ slapi_atomic_store_64(&abort_rebuild_task, 0, __ATOMIC_RELEASE); ++ + slapi_log_err(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "automember_rebuild_task_thread - Refcount decremented.\n"); + } +-- +2.31.1 + diff --git a/SOURCES/0038-Issue-5221-User-with-expired-password-can-still-logi.patch b/SOURCES/0038-Issue-5221-User-with-expired-password-can-still-logi.patch new file mode 100644 index 0000000..4ffed30 --- /dev/null +++ b/SOURCES/0038-Issue-5221-User-with-expired-password-can-still-logi.patch 
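Review bot: `abort_rebuild_task` is a single process-wide flag that automember_rebuild_task_thread clears on entry and again on exit, so if two rebuild tasks run at once the start or finish of one silently cancels an abort requested for the other, and an abort cannot be tied to a particular task. Nothing visible in these hunks prevents concurrent rebuilds, so the flag should either be per task or the handler should refuse a second rebuild while one is running. In automember_task_abort the result of `slapi_plugin_new_task()` is handed to the thread unchecked, and automember_task_abort_thread uses it without the `if (!task)` guard the rebuild thread has; `if (task == NULL) { *returncode = LDAP_OPERATIONS_ERROR; return SLAPI_DSE_CALLBACK_ERROR; }` before `PR_CreateThread` would cover that. The same patch drops the backend transaction around the loop, so an abort or a mid-loop failure now leaves the group-membership updates made so far in place, which should be stated in the task's header comment because group membership usually feeds access decisions. The rebuild thread's body starts and ends outside the hunks shown.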
@@ -0,0 +1,108 @@ +From 1a5c28b6546214054ca44e57dc0c21b9a8a73baa Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 3 Mar 2022 16:29:41 -0500 +Subject: [PATCH 4/4] Issue 5221 - User with expired password can still login + with full privledges + +Bug Description: + +A user with an expired password can still login and perform operations +with its typical access perimssions. But an expired password means the +account should be considered anonymous. + +Fix Description: + +Clear the bind credentials if the password is expired + +relates: https://github.com/389ds/389-ds-base/issues/5221 + +Reviewed by: progier(Thanks!) +--- + .../suites/password/pw_expired_access_test.py | 62 +++++++++++++++++++ + ldap/servers/slapd/pw_mgmt.c | 1 + + 2 files changed, 63 insertions(+) + create mode 100644 dirsrvtests/tests/suites/password/pw_expired_access_test.py + +diff --git a/dirsrvtests/tests/suites/password/pw_expired_access_test.py b/dirsrvtests/tests/suites/password/pw_expired_access_test.py +new file mode 100644 +index 000000000..fb0afb190 +--- /dev/null ++++ b/dirsrvtests/tests/suites/password/pw_expired_access_test.py +@@ -0,0 +1,62 @@ ++import ldap ++import logging ++import pytest ++import os ++import time ++from lib389._constants import DEFAULT_SUFFIX, PASSWORD ++from lib389.idm.domain import Domain ++from lib389.idm.user import UserAccounts ++from lib389.topologies import topology_st as topo ++ ++log = logging.getLogger(__name__) ++ ++def test_expired_user_has_no_privledge(topo): ++ """Specify a test case purpose or name here ++ ++ :id: 3df86b45-9929-414b-9bf6-06c25301d207 ++ :setup: Standalone Instance ++ :steps: ++ 1. Set short password expiration time ++ 2. Add user and wait for expiration time to run out ++ 3. Set one aci that allows authenticated users full access ++ 4. Bind as user (password should be expired) ++ 5. Attempt modify ++ :expectedresults: ++ 1. Success ++ 2. Success ++ 3. Success ++ 4. Success ++ 5. 
Success ++ """ ++ ++ # Configured password epxiration ++ topo.standalone.config.replace_many(('passwordexp', 'on'), ('passwordmaxage', '1')) ++ ++ # Set aci ++ suffix = Domain(topo.standalone, DEFAULT_SUFFIX) ++ ACI_TEXT = '(targetattr="*")(version 3.0; acl "test aci"; allow (all) (userdn="ldap:///all");)' ++ suffix.replace('aci', ACI_TEXT) ++ ++ # Add user ++ user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user() ++ user.replace('userpassword', PASSWORD) ++ time.sleep(2) ++ ++ # Bind as user with expired password. Need to use raw ldap calls because ++ # lib389 will close the connection when an error 49 is encountered. ++ ldap_object = ldap.initialize(topo.standalone.toLDAPURL()) ++ with pytest.raises(ldap.INVALID_CREDENTIALS): ++ res_type, res_data, res_msgid, res_ctrls = ldap_object.simple_bind_s( ++ user.dn, PASSWORD) ++ ++ # Try modify ++ with pytest.raises(ldap.INSUFFICIENT_ACCESS): ++ modlist = [ (ldap.MOD_REPLACE, 'description', b'Should not work!') ] ++ ldap_object.modify_ext_s(DEFAULT_SUFFIX, modlist) ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main(["-s", CURRENT_FILE]) +diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c +index ca76fc12f..f9b5a9add 100644 +--- a/ldap/servers/slapd/pw_mgmt.c ++++ b/ldap/servers/slapd/pw_mgmt.c +@@ -211,6 +211,7 @@ skip: + slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED); + } + slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0); ++ bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE); + slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, + "password expired!", 0, NULL); + +-- +2.31.1 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 837b020..7a48f0c 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec 
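Review bot: test_expired_user_has_no_privledge replaces the suffix ACI with `allow (all) (userdn="ldap:///all")` and sets `passwordexp` on with `passwordmaxage` 1 on the shared `topo` instance, and restores neither, so every test that later runs on that instance sees a suffix open to all authenticated users and passwords that expire after one second; a finalizer that puts back the previous `aci` and policy values would contain it. The docstring still carries the template summary `Specify a test case purpose or name here`, and its expected results say `Success` for steps 4 and 5 although the test asserts `ldap.INVALID_CREDENTIALS` and `ldap.INSUFFICIENT_ACCESS` there. The raw `ldap_object` connection is never unbound. In pw_mgmt.c the added `bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE);` relies on `pb_conn` being non-NULL at that point; where it is obtained is outside the hunk, so that should be confirmed.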
@@ -39,7 +39,7 @@ Summary: 389 Directory Server (%{variant}) Name: 389-ds-base Version: 1.3.10.2 -Release: %{?relprefix}15%{?prerel}%{?dist} +Release: %{?relprefix}16%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org/ Group: System Environment/Daemons @@ -180,7 +180,10 @@ Patch31: 0031-Issue-4667-incorrect-accounting-of-readers-in-vattr-.patc Patch32: 0032-Issue-4943-Fix-csn-generator-to-limit-time-skew-drif.patch Patch33: 0033-Issue-4943-followup-Fix-csn-generator-to-limit-time-.patch Patch34: 0034-CVE-2021-4091-BZ-2030367-double-free-of-the-virtual-.patch - +Patch35: 0035-Issue-5242-Craft-message-may-crash-the-server-5243.patch +Patch36: 0036-Issue-4956-Automember-allows-invalid-regex-and-does-.patch +Patch37: 0037-Issue-5155-RFE-Provide-an-option-to-abort-an-Auto-Me.patch +Patch38: 0038-Issue-5221-User-with-expired-password-can-still-logi.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -534,6 +537,13 @@ fi %{_sysconfdir}/%{pkgname}/dirsrvtests %changelog +* Tue Jun 07 2022 Thierry Bordaz - 1.3.10.2-16 +- Bump version to 1.3.10.2-16 +- Resolves: Bug 2077395 - CVE-2022-0918 389-ds:1.4/389-ds-base: sending crafted message could result in DoS +- Resolves: Bug 2014768 - Log the Auto Member invalid regex rules in the LDAP errors log +- Resolves: Bug 2018153 - RFE - Provide an option to abort an Auto Member rebuild task +- Resolves: Bug 2093294 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database + * Thu Feb 03 2022 Thierry Bordaz - 1.3.10.2-15 - Bump version to 1.3.10.2-15 - Resolves: Bug 2049812 - Fix csn generator to limit time skew drift