diff --git a/SOURCES/0023-Issue-51086-Fix-instance-name-length-for-interactive.patch b/SOURCES/0023-Issue-51086-Fix-instance-name-length-for-interactive.patch new file mode 100644 index 0000000..90c275e --- /dev/null +++ b/SOURCES/0023-Issue-51086-Fix-instance-name-length-for-interactive.patch @@ -0,0 +1,33 @@ +From 5e0a2d34f1c03a7d6a1c8591896a21e122d90d6b Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 23 Jul 2020 23:45:18 +0200 +Subject: [PATCH] Issue 51086 - Fix instance name length for interactive + install + +Description: Instance name lenght is not properly validated +during interactive install. Add a check during a user input. + +https://pagure.io/389-ds-base/issue/51086 + +Reviewed by: mreynolds (Thanks!) +--- + src/lib389/lib389/instance/setup.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py +index f5fc5495d..45c7dfdd4 100644 +--- a/src/lib389/lib389/instance/setup.py ++++ b/src/lib389/lib389/instance/setup.py +@@ -308,6 +308,9 @@ class SetupDs(object): + + val = input('\nEnter the instance name [{}]: '.format(slapd['instance_name'])).rstrip() + if val != "": ++ if len(val) > 80: ++ print("Server identifier should not be longer than 80 symbols") ++ continue + if not all(ord(c) < 128 for c in val): + print("Server identifier can not contain non ascii characters") + continue +-- +2.26.2 + diff --git a/SOURCES/0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch b/SOURCES/0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch new file mode 100644 index 0000000..a4c26cc --- /dev/null +++ b/SOURCES/0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch @@ -0,0 +1,360 @@ +From 3e11020fa7a79d335a02c001435aabcf59aaa622 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 24 Jul 2020 12:14:44 -0400 +Subject: [PATCH] Issue 51129 - SSL alert: The value of sslVersionMax "TLS1.3" + is higher than the supported version + +Bug Description: If you try and set the sslVersionMax higher than the + default range, but within the supported range, you + would still get an error and the server would reset + the max to "default" max value. + +Fix Description: Keep track of both the supported and default SSL ranges, + and correctly use each range for value validation. If + the value is outside the supported range, then use default + value, etc, but do not check the requested range against + the default range. We only use the default range if + there is no specified min or max in the config, or if + a invalid min or max value is set in the config. + + Also, refactored the range variable names to be more + accurate: + + enabledNSSVersions --> defaultNSSVersions + emin, emax --> dmin, dmax + +relates: https://pagure.io/389-ds-base/issue/51129 + +Reviewed by: firstyear(Thanks!) +--- + ldap/servers/slapd/ssl.c | 155 ++++++++++++++++---------------- + src/lib389/lib389/dirsrv_log.py | 2 +- + 2 files changed, 81 insertions(+), 76 deletions(-) + +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index 846106b42..7206cafd2 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -50,11 +50,11 @@ + ******************************************************************************/ + + #define DEFVERSION "TLS1.2" +-#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_2 + + extern char *slapd_SSL3ciphers; + extern symbol_t supported_ciphers[]; +-static SSLVersionRange enabledNSSVersions; ++static SSLVersionRange defaultNSSVersions; ++static SSLVersionRange supportedNSSVersions; + static SSLVersionRange slapdNSSVersions; + + +@@ -1014,15 +1014,24 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr + int create_certdb = 0; + PRUint32 nssFlags = 0; + char *certdir; +- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; +- /* Get the range of the supported SSL version */ +- SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions); ++ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH]; ++ char smin[VERSION_STR_LENGTH], smax[VERSION_STR_LENGTH]; + +- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); ++ /* Get the range of the supported SSL version */ ++ SSL_VersionRangeGetSupported(ssl_variant_stream, &supportedNSSVersions); ++ (void)slapi_getSSLVersion_str(supportedNSSVersions.min, smin, sizeof(smin)); ++ (void)slapi_getSSLVersion_str(supportedNSSVersions.max, smax, sizeof(smax)); ++ ++ /* Get the enabled default range */ ++ SSL_VersionRangeGetDefault(ssl_variant_stream, &defaultNSSVersions); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax)); + slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization", + "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n", +- emin, emax); ++ smin, smax); ++ slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization", ++ "slapd_nss_init - Enabled default range by NSS: min: %s, max: %s\n", ++ dmin, dmax); + + /* set in slapd_bootstrap_config, + thus certdir is available even if config_available is false +@@ -1344,21 +1353,21 @@ static int + set_NSS_version(char *val, PRUint16 *rval, int ismin) + { + char *vp; +- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; ++ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH]; + + if (NULL == rval) { + return 1; + } +- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax)); + + if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# NOT SUPPORTED */ + if (ismin) { +- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s\n", emin); +- (*rval) = enabledNSSVersions.min; ++ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s", dmin); ++ (*rval) = defaultNSSVersions.min; + } else { +- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s\n", emax); +- (*rval) = enabledNSSVersions.max; ++ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s", dmax); ++ (*rval) = defaultNSSVersions.max; + } + } else if (!strncasecmp(val, TLSSTR, TLSLEN)) { /* tls# */ + float tlsv; +@@ -1366,122 +1375,122 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) + sscanf(vp, "%4f", &tlsv); + if (tlsv < 1.1f) { /* TLS1.0 */ + if (ismin) { +- if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + } + } else { +- if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + } + } + } else if (tlsv < 1.2f) { /* TLS1.1 */ + if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; + } + } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; + } + } + } else if (tlsv < 1.3f) { /* TLS1.2 */ + if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; + } + } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; + } + } + } else if (tlsv < 1.4f) { /* TLS1.3 */ +- if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) { +- slapd_SSL_warn("The value of sslVersionMin " +- "\"%s\" is lower than the supported version; " +- "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; +- } else { +- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; +- } +- } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) { +- /* never happens */ +- slapd_SSL_warn("The value of sslVersionMax " +- "\"%s\" is higher than the supported version; " +- "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; +- } else { +- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; +- } +- } ++ if (ismin) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) { ++ slapd_SSL_warn("The value of sslVersionMin " ++ "\"%s\" is lower than the supported version; " ++ "the default value \"%s\" is used.", ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; ++ } else { ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; ++ } ++ } else { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) { ++ /* never happens */ ++ slapd_SSL_warn("The value of sslVersionMax " ++ "\"%s\" is higher than the supported version; " ++ "the default value \"%s\" is used.", ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; ++ } else { ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; ++ } ++ } + } else { /* Specified TLS is newer than supported */ + if (ismin) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is out of the range of the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is out of the range of the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } + } + } else { + if (ismin) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is invalid; the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is invalid; the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } + } + return 0; +@@ -1511,10 +1520,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + char *tmpDir; + Slapi_Entry *e = NULL; + PRBool fipsMode = PR_FALSE; +- PRUint16 NSSVersionMin = enabledNSSVersions.min; +- PRUint16 NSSVersionMax = enabledNSSVersions.max; ++ PRUint16 NSSVersionMin = defaultNSSVersions.min; ++ PRUint16 NSSVersionMax = defaultNSSVersions.max; + char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; +- char newmax[VERSION_STR_LENGTH]; + int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER; + int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN; + +@@ -1875,12 +1883,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + if (NSSVersionMin > NSSVersionMax) { + (void)slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin)); + (void)slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax)); +- slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".", ++ slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\". Adjusting the max to match the miniumum.", + mymin, mymax); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax)); +- slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".", +- mymax, newmax); +- NSSVersionMax = enabledNSSVersions.max; ++ NSSVersionMax = NSSVersionMin; + } + } + +@@ -1896,7 +1901,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + if (sslStatus != SECSuccess) { + errorCode = PR_GetError(); + slapd_SSL_error("Security Initialization - " +- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)", + mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); + } + /* +@@ -1926,13 +1931,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); + (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); + slapd_SSL_error("Security Initialization - " +- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)", + mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); + } + } else { + errorCode = PR_GetError(); + slapd_SSL_error("Security Initialization - ", +- "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)", + errorCode, slapd_pr_strerror(errorCode)); + } + +@@ -2265,7 +2270,7 @@ slapd_SSL_client_auth(LDAP *ld) + } + } else { + if (token == NULL) { +- slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found\n"); ++ slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found"); + } + rc = -1; + } +diff --git a/src/lib389/lib389/dirsrv_log.py b/src/lib389/lib389/dirsrv_log.py +index 7bed4bb17..ab8872051 100644 +--- a/src/lib389/lib389/dirsrv_log.py ++++ b/src/lib389/lib389/dirsrv_log.py +@@ -207,7 +207,7 @@ class DirsrvAccessLog(DirsrvLog): + return { + 'base': quoted_vals[0], + 'filter': quoted_vals[1], +- 'timestamp': re.findall('\[(.*)\]', lines[0])[0], ++ 'timestamp': re.findall('[(.*)]', lines[0])[0], + 'scope': lines[0].split(' scope=', 1)[1].split(' ',1)[0] + } + +-- +2.26.2 + diff --git a/SOURCES/0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch b/SOURCES/0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch new file mode 100644 index 0000000..5f8d129 --- /dev/null +++ b/SOURCES/0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch @@ -0,0 +1,202 @@ +From 68ca1de0f39c11056a57b03a544520bd6708d855 Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 11 Jun 2020 15:39:59 +0200 +Subject: [PATCH] Issue 50984 - Memory leaks in disk monitoring + +Description: Fix the rest of the leaks in disk monitoring +which are present when we shutdown while being below half +of the threshold (at the start-up in main.c). + +Free directories, sockets and ports before going to cleanup. + +https://pagure.io/389-ds-base/issue/50984 + +Reviewed by: mhonek, tbordaz (Thanks!) +--- + ldap/servers/slapd/daemon.c | 75 ++++++++++++++++++++----------------- + ldap/servers/slapd/fe.h | 1 + + ldap/servers/slapd/main.c | 49 +++++++++++++----------- + 3 files changed, 70 insertions(+), 55 deletions(-) + +diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c +index a70f40316..7091b570d 100644 +--- a/ldap/servers/slapd/daemon.c ++++ b/ldap/servers/slapd/daemon.c +@@ -884,6 +884,46 @@ convert_pbe_des_to_aes(void) + charray_free(attrs); + } + ++void ++slapd_sockets_ports_free(daemon_ports_t *ports_info) ++{ ++ /* freeing PRFileDescs */ ++ PRFileDesc **fdesp = NULL; ++ for (fdesp = ports_info->n_socket; fdesp && *fdesp; fdesp++) { ++ PR_Close(*fdesp); ++ } ++ slapi_ch_free((void **)&ports_info->n_socket); ++ ++ for (fdesp = ports_info->s_socket; fdesp && *fdesp; fdesp++) { ++ PR_Close(*fdesp); ++ } ++ slapi_ch_free((void **)&ports_info->s_socket); ++#if defined(ENABLE_LDAPI) ++ for (fdesp = ports_info->i_socket; fdesp && *fdesp; fdesp++) { ++ PR_Close(*fdesp); ++ } ++ slapi_ch_free((void **)&ports_info->i_socket); ++#endif /* ENABLE_LDAPI */ ++ ++ /* freeing NetAddrs */ ++ PRNetAddr **nap; ++ for (nap = ports_info->n_listenaddr; nap && *nap; nap++) { ++ slapi_ch_free((void **)nap); ++ } ++ slapi_ch_free((void **)&ports_info->n_listenaddr); ++ ++ for (nap = ports_info->s_listenaddr; nap && *nap; nap++) { ++ slapi_ch_free((void **)nap); ++ } ++ slapi_ch_free((void **)&ports_info->s_listenaddr); ++#if defined(ENABLE_LDAPI) ++ for (nap = ports_info->i_listenaddr; nap && *nap; nap++) { ++ slapi_ch_free((void **)nap); ++ } ++ slapi_ch_free((void **)&ports_info->i_listenaddr); ++#endif ++} ++ + void + slapd_daemon(daemon_ports_t *ports) + { +@@ -1099,40 +1139,7 @@ slapd_daemon(daemon_ports_t *ports) + /* free the listener indexes */ + slapi_ch_free((void **)&listener_idxs); + +- for (fdesp = n_tcps; fdesp && *fdesp; fdesp++) { +- PR_Close(*fdesp); +- } +- slapi_ch_free((void **)&n_tcps); +- +- for (fdesp = i_unix; fdesp && *fdesp; fdesp++) { +- PR_Close(*fdesp); +- } +- slapi_ch_free((void **)&i_unix); +- +- for (fdesp = s_tcps; fdesp && *fdesp; fdesp++) { +- PR_Close(*fdesp); +- } +- slapi_ch_free((void **)&s_tcps); +- +- /* freeing NetAddrs */ +- { +- PRNetAddr **nap; +- for (nap = ports->n_listenaddr; nap && *nap; nap++) { +- slapi_ch_free((void **)nap); +- } +- slapi_ch_free((void **)&ports->n_listenaddr); +- +- for (nap = ports->s_listenaddr; nap && *nap; nap++) { +- slapi_ch_free((void **)nap); +- } +- slapi_ch_free((void **)&ports->s_listenaddr); +-#if defined(ENABLE_LDAPI) +- for (nap = ports->i_listenaddr; nap && *nap; nap++) { +- slapi_ch_free((void **)nap); +- } +- slapi_ch_free((void **)&ports->i_listenaddr); +-#endif +- } ++ slapd_sockets_ports_free(ports); + + op_thread_cleanup(); + housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */ +diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h +index 2d9a0931b..9cd122881 100644 +--- a/ldap/servers/slapd/fe.h ++++ b/ldap/servers/slapd/fe.h +@@ -120,6 +120,7 @@ int connection_table_iterate_active_connections(Connection_Table *ct, void *arg, + */ + int signal_listner(void); + int daemon_pre_setuid_init(daemon_ports_t *ports); ++void slapd_sockets_ports_free(daemon_ports_t *ports_info); + void slapd_daemon(daemon_ports_t *ports); + void daemon_register_connection(void); + int slapd_listenhost2addr(const char *listenhost, PRNetAddr ***addr); +diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c +index e54b8e1c5..9e5219c4a 100644 +--- a/ldap/servers/slapd/main.c ++++ b/ldap/servers/slapd/main.c +@@ -734,7 +734,6 @@ main(int argc, char **argv) + * etc the backends need to start + */ + +- + /* Important: up 'till here we could be running as root (on unix). + * we believe that we've not created any files before here, otherwise + * they'd be owned by root, which is bad. We're about to change identity +@@ -891,6 +890,34 @@ main(int argc, char **argv) + } + } + ++ if (config_get_disk_monitoring()) { ++ char **dirs = NULL; ++ char *dirstr = NULL; ++ uint64_t disk_space = 0; ++ int64_t threshold = 0; ++ uint64_t halfway = 0; ++ threshold = config_get_disk_threshold(); ++ halfway = threshold / 2; ++ disk_mon_get_dirs(&dirs); ++ dirstr = disk_mon_check_diskspace(dirs, threshold, &disk_space); ++ if (dirstr != NULL && disk_space < halfway) { ++ slapi_log_err(SLAPI_LOG_EMERG, "main", ++ "Disk Monitoring is enabled and disk space on (%s) is too far below the threshold(%" PRIu64 " bytes). Exiting now.\n", ++ dirstr, threshold); ++ slapi_ch_array_free(dirs); ++ /* ++ * We should free the structs we allocated for sockets and addresses ++ * as they would be freed at the slapd_daemon but it was not initiated ++ * at that point of start-up. ++ */ ++ slapd_sockets_ports_free(&ports_info); ++ return_value = 1; ++ goto cleanup; ++ } ++ slapi_ch_array_free(dirs); ++ dirs = NULL; ++ } ++ + /* initialize the normalized DN cache */ + if (ndn_cache_init() != 0) { + slapi_log_err(SLAPI_LOG_EMERG, "main", "Unable to create ndn cache\n"); +@@ -940,26 +967,6 @@ main(int argc, char **argv) + slapi_ch_free((void **)&versionstring); + } + +- if (config_get_disk_monitoring()) { +- char **dirs = NULL; +- char *dirstr = NULL; +- uint64_t disk_space = 0; +- int64_t threshold = 0; +- uint64_t halfway = 0; +- threshold = config_get_disk_threshold(); +- halfway = threshold / 2; +- disk_mon_get_dirs(&dirs); +- dirstr = disk_mon_check_diskspace(dirs, threshold, &disk_space); +- if (dirstr != NULL && disk_space < halfway) { +- slapi_log_err(SLAPI_LOG_EMERG, "main", +- "Disk Monitoring is enabled and disk space on (%s) is too far below the threshold(%" PRIu64 " bytes). Exiting now.\n", +- dirstr, threshold); +- return_value = 1; +- goto cleanup; +- } +- slapi_ch_array_free(dirs); +- dirs = NULL; +- } + /* log the max fd limit as it is typically set in env/systemd */ + slapi_log_err(SLAPI_LOG_INFO, "main", + "Setting the maximum file descriptor limit to: %ld\n", +-- +2.26.2 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 7901e19..37554a0 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -45,7 +45,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base Version: 1.4.3.8 -Release: %{?relprefix}4%{?prerel}%{?dist} +Release: %{?relprefix}5%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org Group: System Environment/Daemons @@ -196,6 +196,9 @@ Patch19: 0019-Issue-51144-dsctl-fails-with-instance-names-that-con.patc Patch20: 0020-Ticket-49859-A-distinguished-value-can-be-missing-in.patch Patch21: 0021-Issue-49256-log-warning-when-thread-number-is-very-d.patch Patch22: 0022-Issue-51188-db2ldif-crashes-when-LDIF-file-can-t-be-.patch +Patch23: 0023-Issue-51086-Fix-instance-name-length-for-interactive.patch +Patch24: 0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch +Patch25: 0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -813,6 +816,13 @@ exit 0 %doc README.md %changelog +* Wed Aug 5 2020 Mark Reynolds - 1.4.3.8-5 +- Bump version to 1.4.3.8-5 +- Resolves: Bug 1841086 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version +- Resolves: Bug 1800529 - Memory leaks in disk monitoring +- Resolves: Bug 1748227 - Instance name length is not enforced +- Resolves: Bug 1849418 - python3-lib389 pulls unnecessary bash-completion package + * Fri Jun 26 2020 Mark Reynolds - 1.4.3.8-4 - Bump version to 1.4.3.8-4 - Resolves: Bug 1806978 - ns-slapd crashes during db2ldif