* [meta-oe] [PATCH 0/1] openldap: upgrade 2.4.58 -> 2.5.8
@ 2021-10-25 11:45 Salman Ahmed
  2021-10-25 11:45 ` [meta-oe] [PATCH 1/1] " Salman Ahmed
  0 siblings, 1 reply; 4+ messages in thread
From: Salman Ahmed @ 2021-10-25 11:45 UTC (permalink / raw)
  To: openembedded-devel

openldap: upgrade 2.4.58 -> 2.5.8

- dropped retired backends (bdb, hdb, shell)
- back-monitor is now built as part of slapd
- added asyncmeta and wt backends
- dropped patches for functionalities which don't exist anymore

The following changes since commit 763769eb446acf8377bc2d84c76cd7fffd904f84:

  vboxguestdrivers: Fix build failure due to the last update. (2021-10-22 16:31:41 -0700)

are available in the Git repository at:

  git://github.com/salmanisd/meta-openembedded upgrade-openldap
  https://github.com/salmanisd/meta-openembedded/tree/upgrade-openldap

Salman Ahmed (1):
  openldap: upgrade 2.4.58 -> 2.5.8

 .../openldap/openldap/install-strip.patch     |  2 +-
 .../openldap-2.4.28-gnutls-gcrypt.patch       | 10 ++-
 .../openldap/openldap-CVE-2015-3276.patch     | 58 ----------------
 .../openldap/openldap-m4-pthread.patch        | 22 ------
 .../openldap/openldap/thread_stub.patch       | 20 ------
 .../openldap/openldap/use-urandom.patch       | 15 ++--
 .../{openldap_2.4.58.bb => openldap_2.5.8.bb} | 68 +++++++------------
 7 files changed, 37 insertions(+), 158 deletions(-)
 delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
 delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch
 delete mode 100644 meta-oe/recipes-support/openldap/openldap/thread_stub.patch
 rename meta-oe/recipes-support/openldap/{openldap_2.4.58.bb => openldap_2.5.8.bb} (82%)

--
2.32.0

^ permalink raw reply [flat|nested] 4+ messages in thread
* [meta-oe] [PATCH 1/1] openldap: upgrade 2.4.58 -> 2.5.8 2021-10-25 11:45 [meta-oe] [PATCH 0/1] openldap: upgrade 2.4.58 -> 2.5.8 Salman Ahmed @ 2021-10-25 11:45 ` Salman Ahmed 2021-10-25 16:00 ` [oe] " Khem Raj 0 siblings, 1 reply; 4+ messages in thread From: Salman Ahmed @ 2021-10-25 11:45 UTC (permalink / raw) To: openembedded-devel - dropped retired backends (bdb, hdb, shell) - back-monitor is now built as part of slapd - added asyncmeta and wt backends - dropped patches for functionalities which don't exist anymore Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com> --- .../openldap/openldap/install-strip.patch | 2 +- .../openldap-2.4.28-gnutls-gcrypt.patch | 10 ++- .../openldap/openldap-CVE-2015-3276.patch | 58 ---------------- .../openldap/openldap-m4-pthread.patch | 22 ------ .../openldap/openldap/thread_stub.patch | 20 ------ .../openldap/openldap/use-urandom.patch | 15 ++-- .../{openldap_2.4.58.bb => openldap_2.5.8.bb} | 68 +++++++------------ 7 files changed, 37 insertions(+), 158 deletions(-) delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch delete mode 100644 meta-oe/recipes-support/openldap/openldap/thread_stub.patch rename meta-oe/recipes-support/openldap/{openldap_2.4.58.bb => openldap_2.5.8.bb} (82%) diff --git a/meta-oe/recipes-support/openldap/openldap/install-strip.patch b/meta-oe/recipes-support/openldap/openldap/install-strip.patch index b59db3939..b757aabb0 100644 --- a/meta-oe/recipes-support/openldap/openldap/install-strip.patch +++ b/meta-oe/recipes-support/openldap/openldap/install-strip.patch @@ -6,7 +6,7 @@ Upstream-Status: Pending --- a/build/top.mk +++ b/build/top.mk -@@ -121,7 +121,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) +@@ -125,7 +125,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD) 
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch index 91bcc0435..f551861a3 100644 --- a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch +++ b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch @@ -2,13 +2,11 @@ From http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-nds/openldap/fi Upstream-status: Pending --- - ---- a/configure.in -+++ b/configure.in -@@ -1227,7 +1227,7 @@ if test $ol_link_tls = no ; then - ol_with_tls=gnutls +--- a/configure.ac ++++ b/configure.ac +@@ -1263,7 +1263,7 @@ if test $ol_link_tls = no ; then ol_link_tls=yes + WITH_TLS_TYPE=gnutls - TLS_LIBS="-lgnutls" + TLS_LIBS="-lgnutls -lgcrypt" diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch deleted file mode 100644 index ab5c4de66..000000000 --- a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -openldap CVE-2015-3276 - -the patch comes from: -https://bugzilla.redhat.com/show_bug.cgi?id=1238322 -https://bugzilla.redhat.com/attachment.cgi?id=1055640 - -The nss_parse_ciphers function in libraries/libldap/tls_m.c in -OpenLDAP does not properly parse OpenSSL-style multi-keyword mode -cipher strings, which might cause a weaker than intended cipher to -be used and allow remote attackers to have unspecified impact via -unknown vectors. - -Upstream-Status: Pending - -CVE: CVE-2015-3276 - -Signed-off-by: Li Wang <li.wang@windriver.com> ---- - libraries/libldap/tls_m.c | 27 ++++++++++++++++----------- - 1 file changed, 16 insertions(+), 11 deletions(-) - ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -620,18 +620,23 @@ nss_parse_ciphers(const char *cipherstr, - */ - if (mask || strength || protocol) { - for (i=0; i<ciphernum; i++) { -- if (((ciphers_def[i].attr & mask) || -- (ciphers_def[i].strength & strength) || -- (ciphers_def[i].version & protocol)) && -- (cipher_list[i] != -1)) { -- /* Enable the NULL ciphers only if explicity -- * requested */ -- if (ciphers_def[i].attr & SSL_eNULL) { -- if (mask & SSL_eNULL) -- cipher_list[i] = action; -- } else -+ /* if more than one mask is provided -+ * then AND logic applies (to match openssl) -+ */ -+ if ( cipher_list[i] == -1) ) -+ continue; -+ if ( mask && ! (ciphers_def[i].attr & mask) ) -+ continue; -+ if ( strength && ! (ciphers_def[i].strength & strength) ) -+ continue; -+ if ( protocol && ! (ciphers_def[i].version & protocol) ) -+ continue; -+ /* Enable the NULL ciphers only if explicity requested */ -+ if (ciphers_def[i].attr & SSL_eNULL) { -+ if (mask & SSL_eNULL) - cipher_list[i] = action; -- } -+ } else -+ cipher_list[i] = action; - } - } else { - for (i=0; i<ciphernum; i++) { 
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch deleted file mode 100644 index 4d1fda96e..000000000 --- a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch +++ /dev/null @@ -1,22 +0,0 @@ -Upstream-Status: Pending - ---- a/build/openldap.m4 -+++ b/build/openldap.m4 -@@ -651,7 +651,7 @@ AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[ - ]]) - - AC_DEFUN([OL_PTHREAD_TEST_PROGRAM], --AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES -+[AC_LANG_SOURCE([[OL_PTHREAD_TEST_INCLUDES - - int main(argc, argv) - int argc; -@@ -659,7 +659,7 @@ int main(argc, argv) - { - OL_PTHREAD_TEST_FUNCTION - } --])) -+]])]) - dnl -------------------------------------------------------------------- - AC_DEFUN([OL_PTHREAD_TRY], [# Pthread try link: $1 ($2) - if test "$ol_link_threads" = no ; then diff --git a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap/thread_stub.patch deleted file mode 100644 index 540ba4a63..000000000 --- a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch +++ /dev/null @@ -1,20 +0,0 @@ -openldap: set pointer - -When the function ldap_pvt_thread_pool_getkey() succeeds, it -must set the value of *data since the caller may try to use it. - -Upstream-Status: pending - -Signed-off-by: Joe Slater <jslater@windriver.com> - - ---- a/libraries/libldap_r/thr_stub.c -+++ b/libraries/libldap_r/thr_stub.c -@@ -217,6 +217,7 @@ ldap_pvt_thread_pool_unidle ( ldap_pvt_t - int ldap_pvt_thread_pool_getkey ( - void *ctx, void *key, void **data, ldap_pvt_thread_pool_keyfree_t **kfree ) - { -+ if (data) *data = NULL; /* avoid problems with uninitialized *data */ - return(0); - } - diff --git a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch index 96a03369a..6783b5175 100644 --- a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch 
+++ b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch @@ -8,20 +8,17 @@ Upstream-Status: pending Signed-off-by: Joe Slater <jslater@windriver.com> - ---- a/configure.in -+++ b/configure.in -@@ -2153,8 +2153,8 @@ fi +--- a/configure.ac ++++ b/configure.ac +@@ -2117,6 +2117,7 @@ AC_SUBST(systemdsystemunitdir) dnl ---------------------------------------------------------------- dnl Check for entropy sources +dev=no if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then -- dev=no + dev=no if test -r /dev/urandom ; then - dev="/dev/urandom"; - elif test -r /idev/urandom ; then -@@ -2167,9 +2167,11 @@ if test $cross_compiling != yes && test +@@ -2131,9 +2132,11 @@ if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then dev="/idev/random"; fi @@ -29,7 +26,7 @@ Signed-off-by: Joe Slater <jslater@windriver.com> - AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) - fi +elif test $cross_compiling == yes ; then -+ dev="/dev/urandom"; ++ dev="/dev/urandom"; +fi +if test $dev != no ; then + AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb similarity index 82% rename from meta-oe/recipes-support/openldap/openldap_2.4.58.bb rename to meta-oe/recipes-support/openldap/openldap_2.5.8.bb index f9dc58a4c..ca005de70 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb @@ -7,7 +7,7 @@ HOMEPAGE = "http://www.OpenLDAP.org/license.html" # basically BSD. opensource.org does not record this license # at present (so it is apparently not OSI certified). LICENSE = "OpenLDAP" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b6dea6c170362fc46381fe3690c722cb \ +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=5cc6ef74da4ad25d707c4f5903d64975 \ file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ " SECTION = "libs" 
@@ -15,18 +15,15 @@ SECTION = "libs" LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/${BP}.tgz \ - file://openldap-m4-pthread.patch \ file://openldap-2.4.28-gnutls-gcrypt.patch \ file://use-urandom.patch \ file://initscript \ file://slapd.service \ - file://thread_stub.patch \ - file://openldap-CVE-2015-3276.patch \ file://remove-user-host-pwd-from-version.patch \ " -SRC_URI[md5sum] = "c203d735ba69976e5b28dc39006f29b5" -SRC_URI[sha256sum] = "57b59254be15d0bf6a9ab3d514c1c05777b02123291533134a87c94468f8f47b" +SRC_URI[md5sum] = "86e3ffce4adfc57cbb76ac0ff48b2614" +SRC_URI[sha256sum] = "366ea1c3b24202de4481978b632128c0cfe4148d4ae13cabf93a1f38c56472dc" DEPENDS = "util-linux groff-native" @@ -35,7 +32,7 @@ DEPENDS = "util-linux groff-native" # environments SRC_URI += "file://install-strip.patch" -inherit autotools-brokensep update-rc.d systemd +inherit autotools-brokensep update-rc.d systemd pkgconfig # CV SETTINGS # Required to work round AC_FUNC_MEMCMP which gets the wrong answer @@ -50,8 +47,8 @@ EXTRA_OECONF += "--with-yielding-select=yes" # Shared libraries are nice... EXTRA_OECONF += "--enable-dynamic" -PACKAGECONFIG ??= "gnutls modules \ - mdb ldap meta monitor null passwd shell proxycache dnssrv \ +PACKAGECONFIG ??= "asyncmeta gnutls modules \ + mdb ldap meta null passwd proxycache dnssrv \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ " #--with-tls with TLS/SSL support auto|openssl|gnutls [auto] 
@@ -72,25 +69,20 @@ EXTRA_OECONF += "--enable-crypt" # The backend must be set by the configuration. This controls the # required database. # -# Backends="bdb dnssrv hdb ldap mdb meta monitor ndb null passwd perl relay shell sock sql" +# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" # # Note that multiple backends can be built. The ldbm backend requires a -# build-time choice of database API. The bdb backend forces this to be -# DB4. To use the gdbm (or other) API the Berkely database module must -# be removed from the build. +# build-time choice of database API. To use the gdbm (or other) API the +# Berkely database module must be removed from the build. md = "${libexecdir}/openldap" # -#--enable-bdb enable Berkeley DB backend no|yes|mod yes -# The Berkely DB is the standard choice. This version of OpenLDAP requires -# the version 4 implementation or better. -PACKAGECONFIG[bdb] = "--enable-bdb=yes,--enable-bdb=no,db" + +#--enable-asyncmeta enable asyncmeta backend no|yes|mod no +PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=mod,--enable-asyncmeta=no" #--enable-dnssrv enable dnssrv backend no|yes|mod no PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" -#--enable-hdb enable Hierarchical DB backend no|yes|mod no -PACKAGECONFIG[hdb] = "--enable-hdb=yes,--enable-hdb=no,db" - #--enable-ldap enable ldap backend no|yes|mod no PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," @@ -100,9 +92,6 @@ PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," #--enable-meta enable metadirectory backend no|yes|mod no PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," -#--enable-monitor enable monitor backend no|yes|mod yes -PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no," - #--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] PACKAGECONFIG[ndb] = "--enable-ndb=mod,--enable-ndb=no," 
@@ -121,10 +110,6 @@ PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" #--enable-relay enable relay backend no|yes|mod [yes] PACKAGECONFIG[relay] = "--enable-relay=mod,--enable-relay=no," -#--enable-shell enable shell backend no|yes|mod no -# configure: WARNING: Use of --without-threads is recommended with back-shell -PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no," - #--enable-sock enable sock backend no|yes|mod [no] PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," @@ -133,6 +118,10 @@ PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," # sqlite.h (which may be compatible but hasn't been tried.) PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" +#--enable-wt enable wt backend no|yes|mod no +# back-wt is marked currently as experimental +PACKAGECONFIG[wt] = "--enable-wt=mod,--enable-wt=no" + #--enable-dyngroup Dynamic Group overlay no|yes|mod no # This is a demo, Proxy Cache defines init_module which conflicts with the # same symbol in dyngroup @@ -176,7 +165,7 @@ FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${local ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" FILES:${PN}-bin = "${bindir}" -FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so" +FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" FILES:${PN}-dbg += "${libexecdir}/openldap/.debug" do_install:append() { @@ -210,8 +199,6 @@ do_install:append() { -i ${D}${sysconfdir}/openldap/slapd.conf mkdir -p ${D}${localstatedir}/${BPN}/data - - } INITSCRIPT_PACKAGES = "${PN}-slapd" 
@@ -220,21 +207,18 @@ INITSCRIPT_PARAMS:${PN}-slapd = "defaults" SYSTEMD_SERVICE:${PN}-slapd = "hostapd.service" SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" - PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" # The modules require their .so to be dynamicaly loaded -INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" -INSANE_SKIP:${PN}-backend-ldap += "dev-so" -INSANE_SKIP:${PN}-backend-meta += "dev-so" -INSANE_SKIP:${PN}-backend-mdb += "dev-so" -INSANE_SKIP:${PN}-backend-monitor += "dev-so" -INSANE_SKIP:${PN}-backend-null += "dev-so" -INSANE_SKIP:${PN}-backend-passwd += "dev-so" -INSANE_SKIP:${PN}-backend-shell += "dev-so" - - -python populate_packages:prepend () { +INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" +INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" +INSANE_SKIP:${PN}-backend-ldap += "dev-so" +INSANE_SKIP:${PN}-backend-meta += "dev-so" +INSANE_SKIP:${PN}-backend-mdb += "dev-so" +INSANE_SKIP:${PN}-backend-null += "dev-so" +INSANE_SKIP:${PN}-backend-passwd += "dev-so" + +python populate_packages_prepend () { backend_dir = d.expand('${libexecdir}/openldap') do_split_packages(d, backend_dir, 'back_([a-z]*)\.so$', 'openldap-backend-%s', 'OpenLDAP %s backend', prepend=True, extra_depends='', allow_links=True) do_split_packages(d, backend_dir, 'back_([a-z]*)\-.*\.so\..*$', 'openldap-backend-%s', 'OpenLDAP %s backend', extra_depends='', allow_links=True) -- 2.32.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
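Review bot: The deletion of openldap-CVE-2015-3276.patch, together with its removal from SRC_URI, is justified only by the commit message line "dropped patches for functionalities which don't exist anymore", which does not say what happened to the code the fix applied to. The deleted patch changed nss_parse_ciphers() in libraries/libldap/tls_m.c and was still marked "Upstream-Status: Pending", so it was never recorded as merged upstream. Please state in the commit message, for each dropped patch, whether the fix landed upstream or the patched file no longer exists in 2.5.8, so that the CVE-2015-3276 status of this recipe can be audited from the history. The same applies to thread_stub.patch, which patched libraries/libldap_r/thr_stub.c.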
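Review bot: In the refreshed use-urandom.patch, the second inner hunk still carries "+elif test $cross_compiling == yes ; then", and "==" is not a portable operator for test under a POSIX /bin/sh, which is what runs configure. Since the patch is being rebased onto configure.ac anyway, change it to "=" and quote the operand in "if test $dev != no". The first inner hunk now adds "+dev=no" ahead of the if while the original "dev=no" inside the block stays as a context line, so the assignment is duplicated; the previous version of the patch removed the inner one.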
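Review bot: In the recipe hunk at "@@ -72,25 +69,20 @@", the rewrapped comment still tells the reader that "the Berkely database module must be removed from the build" and still refers to the ldbm backend, although this same hunk deletes PACKAGECONFIG[bdb] and PACKAGECONFIG[hdb], so there is no Berkeley DB module left to remove. Delete the paragraph instead of rewrapping it. It is also worth checking whether 2.5.8 still installs ${sysconfdir}/openldap/DB_CONFIG.example, which remains listed in FILES:${PN}-slapd in the context of the "@@ -176,7 +165,7 @@" hunk.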
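Review bot: PACKAGECONFIG[wt], added in the "@@ -133,6 +118,10 @@" hunk, has no third (build dependency) field, whereas the perl and sql entries in the same file name perl and sqlite3. back-wt builds against the WiredTiger library, so with this entry the result of enabling wt depends on whatever happens to be in the sysroot. Either list the providing recipe as the dependency or say in the comment that no layer provides it yet, next to the existing remark that the backend is experimental.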
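Review bot: The last recipe hunk changes "python populate_packages:prepend ()" to "python populate_packages_prepend ()", which reverts to the underscore override syntax while every other override in the file (FILES:${PN}-slapd, do_install:append, INSANE_SKIP:${PN}-backend-*) uses the colon form. Keep "populate_packages:prepend" so the do_split_packages calls that create the openldap-backend-* packages still run. In the context lines of the same hunk, SYSTEMD_SERVICE:${PN}-slapd is set to "hostapd.service" although SRC_URI ships file://slapd.service; that looks like a copy-and-paste error and should be fixed here or in a follow-up.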
* Re: [oe] [meta-oe] [PATCH 1/1] openldap: upgrade 2.4.58 -> 2.5.8 2021-10-25 11:45 ` [meta-oe] [PATCH 1/1] " Salman Ahmed @ 2021-10-25 16:00 ` Khem Raj 2021-10-25 17:40 ` Khem Raj 0 siblings, 1 reply; 4+ messages in thread From: Khem Raj @ 2021-10-25 16:00 UTC (permalink / raw) To: Salman Ahmed; +Cc: openembeded-devel On Mon, Oct 25, 2021 at 4:45 AM Salman Ahmed <salman.isd@gmail.com> wrote: > > - dropped retired backends (bdb, hdb, shell) > - back-monitor is now built as part of slapd > - added asyncmeta and wt backends > - dropped patches for functionalities which don't > exist anymore > > Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com> > --- > .../openldap/openldap/install-strip.patch | 2 +- > .../openldap-2.4.28-gnutls-gcrypt.patch | 10 ++- > .../openldap/openldap-CVE-2015-3276.patch | 58 ---------------- > .../openldap/openldap-m4-pthread.patch | 22 ------ > .../openldap/openldap/thread_stub.patch | 20 ------ > .../openldap/openldap/use-urandom.patch | 15 ++-- > .../{openldap_2.4.58.bb => openldap_2.5.8.bb} | 68 +++++++------------ > 7 files changed, 37 insertions(+), 158 deletions(-) > delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > delete mode 100644 meta-oe/recipes-support/openldap/openldap/thread_stub.patch > rename meta-oe/recipes-support/openldap/{openldap_2.4.58.bb => openldap_2.5.8.bb} (82%) > > diff --git a/meta-oe/recipes-support/openldap/openldap/install-strip.patch b/meta-oe/recipes-support/openldap/openldap/install-strip.patch > index b59db3939..b757aabb0 100644 > --- a/meta-oe/recipes-support/openldap/openldap/install-strip.patch > +++ b/meta-oe/recipes-support/openldap/openldap/install-strip.patch > @@ -6,7 +6,7 @@ Upstream-Status: Pending > > --- a/build/top.mk 
> +++ b/build/top.mk > -@@ -121,7 +121,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) > +@@ -125,7 +125,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ > LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \ > $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD) > > diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > index 91bcc0435..f551861a3 100644 > --- a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > +++ b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > @@ -2,13 +2,11 @@ From http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-nds/openldap/fi > > Upstream-status: Pending > > --- > - > ---- a/configure.in > -+++ b/configure.in > -@@ -1227,7 +1227,7 @@ if test $ol_link_tls = no ; then > - ol_with_tls=gnutls > +--- a/configure.ac > ++++ b/configure.ac > +@@ -1263,7 +1263,7 @@ if test $ol_link_tls = no ; then > ol_link_tls=yes > + WITH_TLS_TYPE=gnutls > > - TLS_LIBS="-lgnutls" > + TLS_LIBS="-lgnutls -lgcrypt" > diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > deleted file mode 100644 > index ab5c4de66..000000000 > --- a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > +++ /dev/null 
> @@ -1,58 +0,0 @@ > -openldap CVE-2015-3276 > - > -the patch comes from: > -https://bugzilla.redhat.com/show_bug.cgi?id=1238322 > -https://bugzilla.redhat.com/attachment.cgi?id=1055640 > - > -The nss_parse_ciphers function in libraries/libldap/tls_m.c in > -OpenLDAP does not properly parse OpenSSL-style multi-keyword mode > -cipher strings, which might cause a weaker than intended cipher to > -be used and allow remote attackers to have unspecified impact via > -unknown vectors. > - > -Upstream-Status: Pending > - > -CVE: CVE-2015-3276 > - > -Signed-off-by: Li Wang <li.wang@windriver.com> > ---- > - libraries/libldap/tls_m.c | 27 ++++++++++++++++----------- > - 1 file changed, 16 insertions(+), 11 deletions(-) > - > ---- a/libraries/libldap/tls_m.c > -+++ b/libraries/libldap/tls_m.c > -@@ -620,18 +620,23 @@ nss_parse_ciphers(const char *cipherstr, > - */ > - if (mask || strength || protocol) { > - for (i=0; i<ciphernum; i++) { > -- if (((ciphers_def[i].attr & mask) || > -- (ciphers_def[i].strength & strength) || > -- (ciphers_def[i].version & protocol)) && > -- (cipher_list[i] != -1)) { > -- /* Enable the NULL ciphers only if explicity > -- * requested */ > -- if (ciphers_def[i].attr & SSL_eNULL) { > -- if (mask & SSL_eNULL) > -- cipher_list[i] = action; > -- } else > -+ /* if more than one mask is provided > -+ * then AND logic applies (to match openssl) > -+ */ > -+ if ( cipher_list[i] == -1) ) > -+ continue; > -+ if ( mask && ! (ciphers_def[i].attr & mask) ) > -+ continue; > -+ if ( strength && ! (ciphers_def[i].strength & strength) ) > -+ continue; > -+ if ( protocol && ! (ciphers_def[i].version & protocol) ) > -+ continue; > -+ /* Enable the NULL ciphers only if explicity requested */ > -+ if (ciphers_def[i].attr & SSL_eNULL) { > -+ if (mask & SSL_eNULL) > - cipher_list[i] = action; > -- } > -+ } else > -+ cipher_list[i] = action; > - } > - } else { > - for (i=0; i<ciphernum; i++) { 
> diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > deleted file mode 100644 > index 4d1fda96e..000000000 > --- a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > +++ /dev/null > @@ -1,22 +0,0 @@ > -Upstream-Status: Pending > - > ---- a/build/openldap.m4 > -+++ b/build/openldap.m4 > -@@ -651,7 +651,7 @@ AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[ > - ]]) > - > - AC_DEFUN([OL_PTHREAD_TEST_PROGRAM], > --AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES > -+[AC_LANG_SOURCE([[OL_PTHREAD_TEST_INCLUDES > - > - int main(argc, argv) > - int argc; > -@@ -659,7 +659,7 @@ int main(argc, argv) > - { > - OL_PTHREAD_TEST_FUNCTION > - } > --])) > -+]])]) > - dnl -------------------------------------------------------------------- > - AC_DEFUN([OL_PTHREAD_TRY], [# Pthread try link: $1 ($2) > - if test "$ol_link_threads" = no ; then > diff --git a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap/thread_stub.patch > deleted file mode 100644 > index 540ba4a63..000000000 > --- a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch > +++ /dev/null > @@ -1,20 +0,0 @@ > -openldap: set pointer > - > -When the function ldap_pvt_thread_pool_getkey() succeeds, it > -must set the value of *data since the caller may try to use it. > - > -Upstream-Status: pending > - > -Signed-off-by: Joe Slater <jslater@windriver.com> > - > - > ---- a/libraries/libldap_r/thr_stub.c > -+++ b/libraries/libldap_r/thr_stub.c > -@@ -217,6 +217,7 @@ ldap_pvt_thread_pool_unidle ( ldap_pvt_t > - int ldap_pvt_thread_pool_getkey ( > - void *ctx, void *key, void **data, ldap_pvt_thread_pool_keyfree_t **kfree ) > - { > -+ if (data) *data = NULL; /* avoid problems with uninitialized *data */ > - return(0); > - } > - 
> diff --git a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > index 96a03369a..6783b5175 100644 > --- a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > +++ b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > @@ -8,20 +8,17 @@ Upstream-Status: pending > > Signed-off-by: Joe Slater <jslater@windriver.com> > > - > ---- a/configure.in > -+++ b/configure.in > -@@ -2153,8 +2153,8 @@ fi > +--- a/configure.ac > ++++ b/configure.ac > +@@ -2117,6 +2117,7 @@ AC_SUBST(systemdsystemunitdir) > > dnl ---------------------------------------------------------------- > dnl Check for entropy sources > +dev=no > if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then > -- dev=no > + dev=no > if test -r /dev/urandom ; then > - dev="/dev/urandom"; > - elif test -r /idev/urandom ; then > -@@ -2167,9 +2167,11 @@ if test $cross_compiling != yes && test > +@@ -2131,9 +2132,11 @@ if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then > dev="/idev/random"; > fi > > @@ -29,7 +26,7 @@ Signed-off-by: Joe Slater <jslater@windriver.com> > - AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) > - fi > +elif test $cross_compiling == yes ; then > -+ dev="/dev/urandom"; > ++ dev="/dev/urandom"; > +fi > +if test $dev != no ; then > + AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) > diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb > similarity index 82% > rename from meta-oe/recipes-support/openldap/openldap_2.4.58.bb > rename to meta-oe/recipes-support/openldap/openldap_2.5.8.bb > index f9dc58a4c..ca005de70 100644 > --- a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb > +++ b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb 
> @@ -7,7 +7,7 @@ HOMEPAGE = "http://www.OpenLDAP.org/license.html" > # basically BSD. opensource.org does not record this license > # at present (so it is apparently not OSI certified). > LICENSE = "OpenLDAP" > -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b6dea6c170362fc46381fe3690c722cb \ > +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=5cc6ef74da4ad25d707c4f5903d64975 \ > file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ > " > SECTION = "libs" > @@ -15,18 +15,15 @@ SECTION = "libs" > LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" > > SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/${BP}.tgz \ > - file://openldap-m4-pthread.patch \ > file://openldap-2.4.28-gnutls-gcrypt.patch \ > file://use-urandom.patch \ > file://initscript \ > file://slapd.service \ > - file://thread_stub.patch \ > - file://openldap-CVE-2015-3276.patch \ > file://remove-user-host-pwd-from-version.patch \ > " > > -SRC_URI[md5sum] = "c203d735ba69976e5b28dc39006f29b5" > -SRC_URI[sha256sum] = "57b59254be15d0bf6a9ab3d514c1c05777b02123291533134a87c94468f8f47b" > +SRC_URI[md5sum] = "86e3ffce4adfc57cbb76ac0ff48b2614" > +SRC_URI[sha256sum] = "366ea1c3b24202de4481978b632128c0cfe4148d4ae13cabf93a1f38c56472dc" > > DEPENDS = "util-linux groff-native" > > @@ -35,7 +32,7 @@ DEPENDS = "util-linux groff-native" > # environments > SRC_URI += "file://install-strip.patch" > > -inherit autotools-brokensep update-rc.d systemd > +inherit autotools-brokensep update-rc.d systemd pkgconfig > > # CV SETTINGS > # Required to work round AC_FUNC_MEMCMP which gets the wrong answer 
> @@ -50,8 +47,8 @@ EXTRA_OECONF += "--with-yielding-select=yes" > # Shared libraries are nice... > EXTRA_OECONF += "--enable-dynamic" > > -PACKAGECONFIG ??= "gnutls modules \ > - mdb ldap meta monitor null passwd shell proxycache dnssrv \ > +PACKAGECONFIG ??= "asyncmeta gnutls modules \ > + mdb ldap meta null passwd proxycache dnssrv \ > ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ > " > #--with-tls with TLS/SSL support auto|openssl|gnutls [auto] > @@ -72,25 +69,20 @@ EXTRA_OECONF += "--enable-crypt" > # The backend must be set by the configuration. This controls the > # required database. > # > -# Backends="bdb dnssrv hdb ldap mdb meta monitor ndb null passwd perl relay shell sock sql" > +# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" > # > # Note that multiple backends can be built. The ldbm backend requires a > -# build-time choice of database API. The bdb backend forces this to be > -# DB4. To use the gdbm (or other) API the Berkely database module must > -# be removed from the build. > +# build-time choice of database API. To use the gdbm (or other) API the > +# Berkely database module must be removed from the build. > md = "${libexecdir}/openldap" > # > -#--enable-bdb enable Berkeley DB backend no|yes|mod yes > -# The Berkely DB is the standard choice. This version of OpenLDAP requires > -# the version 4 implementation or better. > -PACKAGECONFIG[bdb] = "--enable-bdb=yes,--enable-bdb=no,db" > + > +#--enable-asyncmeta enable asyncmeta backend no|yes|mod no > +PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=mod,--enable-asyncmeta=no" > > #--enable-dnssrv enable dnssrv backend no|yes|mod no > PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" > > -#--enable-hdb enable Hierarchical DB backend no|yes|mod no > -PACKAGECONFIG[hdb] = "--enable-hdb=yes,--enable-hdb=no,db" > - > #--enable-ldap enable ldap backend no|yes|mod no > PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," 
> > @@ -100,9 +92,6 @@ PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," > #--enable-meta enable metadirectory backend no|yes|mod no > PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," > > -#--enable-monitor enable monitor backend no|yes|mod yes > -PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no," > - > #--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] > PACKAGECONFIG[ndb] = "--enable-ndb=mod,--enable-ndb=no," > > @@ -121,10 +110,6 @@ PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" > #--enable-relay enable relay backend no|yes|mod [yes] > PACKAGECONFIG[relay] = "--enable-relay=mod,--enable-relay=no," > > -#--enable-shell enable shell backend no|yes|mod no > -# configure: WARNING: Use of --without-threads is recommended with back-shell > -PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no," > - > #--enable-sock enable sock backend no|yes|mod [no] > PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," > > @@ -133,6 +118,10 @@ PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," > # sqlite.h (which may be compatible but hasn't been tried.) > PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" > > +#--enable-wt enable wt backend no|yes|mod no > +# back-wt is marked currently as experimental > +PACKAGECONFIG[wt] = "--enable-wt=mod,--enable-wt=no" > + > #--enable-dyngroup Dynamic Group overlay no|yes|mod no > # This is a demo, Proxy Cache defines init_module which conflicts with the > # same symbol in dyngroup 
> @@ -176,7 +165,7 @@ FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${local > ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" > FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" > FILES:${PN}-bin = "${bindir}" > -FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so" > +FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" > FILES:${PN}-dbg += "${libexecdir}/openldap/.debug" > > do_install:append() { > @@ -210,8 +199,6 @@ do_install:append() { > -i ${D}${sysconfdir}/openldap/slapd.conf > > mkdir -p ${D}${localstatedir}/${BPN}/data > - > - > } > > INITSCRIPT_PACKAGES = "${PN}-slapd" 
> @@ -220,21 +207,18 @@ INITSCRIPT_PARAMS:${PN}-slapd = "defaults" > SYSTEMD_SERVICE:${PN}-slapd = "hostapd.service" > SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" > > - > PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" > > # The modules require their .so to be dynamicaly loaded > -INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" > -INSANE_SKIP:${PN}-backend-ldap += "dev-so" > -INSANE_SKIP:${PN}-backend-meta += "dev-so" > -INSANE_SKIP:${PN}-backend-mdb += "dev-so" > -INSANE_SKIP:${PN}-backend-monitor += "dev-so" > -INSANE_SKIP:${PN}-backend-null += "dev-so" > -INSANE_SKIP:${PN}-backend-passwd += "dev-so" > -INSANE_SKIP:${PN}-backend-shell += "dev-so" > - > - > -python populate_packages:prepend () { > +INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" > +INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" > +INSANE_SKIP:${PN}-backend-ldap += "dev-so" > +INSANE_SKIP:${PN}-backend-meta += "dev-so" > +INSANE_SKIP:${PN}-backend-mdb += "dev-so" > +INSANE_SKIP:${PN}-backend-null += "dev-so" > +INSANE_SKIP:${PN}-backend-passwd += "dev-so" > + > +python populate_packages_prepend () { this should be populate_packages:prepend I have corrected it before staging this patch so no need to send a v2 > backend_dir = d.expand('${libexecdir}/openldap') > do_split_packages(d, backend_dir, 'back_([a-z]*)\.so$', 'openldap-backend-%s', 'OpenLDAP %s backend', prepend=True, extra_depends='', allow_links=True) > do_split_packages(d, backend_dir, 'back_([a-z]*)\-.*\.so\..*$', 'openldap-backend-%s', 'OpenLDAP %s backend', extra_depends='', allow_links=True) > -- > 2.32.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. 
> View/Reply Online (#93562): https://lists.openembedded.org/g/openembedded-devel/message/93562 > Mute This Topic: https://lists.openembedded.org/mt/86574889/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 4+ messages in thread
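Review bot: PACKAGECONFIG[wt] in the @@ -133,6 +118,10 @@ hunk has no third field, unlike the sql and perl entries around it, which list sqlite3 and perl as build dependencies. If back-wt needs an external storage library at configure time, enabling the option will either fail or pick up whatever happens to be in the sysroot; name the providing recipe in the third field, or extend the "experimental" comment to say that no recipe for the dependency exists yet.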
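Review bot: the INSANE_SKIP list in the @@ -220,21 +207,18 @@ hunk gains asyncmeta but not wt, although PACKAGECONFIG[wt] builds that backend as a module (--enable-wt=mod). Add INSANE_SKIP:${PN}-backend-wt += "dev-so" so that turning wt on does not trip the dev-so QA check. Separately, the context line SYSTEMD_SERVICE:${PN}-slapd = "hostapd.service" looks like a leftover from another recipe, since this recipe's SRC_URI ships file://slapd.service; worth correcting while the recipe is being touched.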
* Re: [oe] [meta-oe] [PATCH 1/1] openldap: upgrade 2.4.58 -> 2.5.8 2021-10-25 16:00 ` [oe] " Khem Raj @ 2021-10-25 17:40 ` Khem Raj 0 siblings, 0 replies; 4+ messages in thread From: Khem Raj @ 2021-10-25 17:40 UTC (permalink / raw) To: Salman Ahmed; +Cc: openembeded-devel in addition, I think this python3-ldap failure is due to this patch as well. Can you look into it ? https://errors.yoctoproject.org/Errors/Details/614796/ On Mon, Oct 25, 2021 at 9:00 AM Khem Raj <raj.khem@gmail.com> wrote: > > On Mon, Oct 25, 2021 at 4:45 AM Salman Ahmed <salman.isd@gmail.com> wrote: > > > > - dropped retired backends (bdb, hdb, shell) > > - back-monitor is now built as part of slapd > > - added asyncmeta and wt backends > > - dropped patches for functionalities which don't > > exist anymore > > > > Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com> > > --- > > .../openldap/openldap/install-strip.patch | 2 +- > > .../openldap-2.4.28-gnutls-gcrypt.patch | 10 ++- > > .../openldap/openldap-CVE-2015-3276.patch | 58 ---------------- > > .../openldap/openldap-m4-pthread.patch | 22 ------ > > .../openldap/openldap/thread_stub.patch | 20 ------ > > .../openldap/openldap/use-urandom.patch | 15 ++-- > > .../{openldap_2.4.58.bb => openldap_2.5.8.bb} | 68 +++++++------------ > > 7 files changed, 37 insertions(+), 158 deletions(-) > > delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > > delete mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > > delete mode 100644 meta-oe/recipes-support/openldap/openldap/thread_stub.patch > > rename meta-oe/recipes-support/openldap/{openldap_2.4.58.bb => openldap_2.5.8.bb} (82%) > > > > diff --git a/meta-oe/recipes-support/openldap/openldap/install-strip.patch b/meta-oe/recipes-support/openldap/openldap/install-strip.patch > > index b59db3939..b757aabb0 100644 > > --- a/meta-oe/recipes-support/openldap/openldap/install-strip.patch 
> > +++ b/meta-oe/recipes-support/openldap/openldap/install-strip.patch > > @@ -6,7 +6,7 @@ Upstream-Status: Pending > > > > --- a/build/top.mk > > +++ b/build/top.mk > > -@@ -121,7 +121,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) > > +@@ -125,7 +125,7 @@ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ > > LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \ > > $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD) > > > > diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > > index 91bcc0435..f551861a3 100644 > > --- a/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > > +++ b/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch > > @@ -2,13 +2,11 @@ From http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-nds/openldap/fi > > > > Upstream-status: Pending > > > > --- > > - > > ---- a/configure.in > > -+++ b/configure.in > > -@@ -1227,7 +1227,7 @@ if test $ol_link_tls = no ; then > > - ol_with_tls=gnutls > > +--- a/configure.ac > > ++++ b/configure.ac > > +@@ -1263,7 +1263,7 @@ if test $ol_link_tls = no ; then > > ol_link_tls=yes > > + WITH_TLS_TYPE=gnutls > > > > - TLS_LIBS="-lgnutls" > > + TLS_LIBS="-lgnutls -lgcrypt" > > diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > > deleted file mode 100644 > > index ab5c4de66..000000000 > > --- a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch > > +++ /dev/null 
> > @@ -1,58 +0,0 @@ > > -openldap CVE-2015-3276 > > - > > -the patch comes from: > > -https://bugzilla.redhat.com/show_bug.cgi?id=1238322 > > -https://bugzilla.redhat.com/attachment.cgi?id=1055640 > > - > > -The nss_parse_ciphers function in libraries/libldap/tls_m.c in > > -OpenLDAP does not properly parse OpenSSL-style multi-keyword mode > > -cipher strings, which might cause a weaker than intended cipher to > > -be used and allow remote attackers to have unspecified impact via > > -unknown vectors. > > - > > -Upstream-Status: Pending > > - > > -CVE: CVE-2015-3276 > > - > > -Signed-off-by: Li Wang <li.wang@windriver.com> > > ---- > > - libraries/libldap/tls_m.c | 27 ++++++++++++++++----------- > > - 1 file changed, 16 insertions(+), 11 deletions(-) > > - > > ---- a/libraries/libldap/tls_m.c > > -+++ b/libraries/libldap/tls_m.c > > -@@ -620,18 +620,23 @@ nss_parse_ciphers(const char *cipherstr, > > - */ > > - if (mask || strength || protocol) { > > - for (i=0; i<ciphernum; i++) { > > -- if (((ciphers_def[i].attr & mask) || > > -- (ciphers_def[i].strength & strength) || > > -- (ciphers_def[i].version & protocol)) && > > -- (cipher_list[i] != -1)) { > > -- /* Enable the NULL ciphers only if explicity > > -- * requested */ > > -- if (ciphers_def[i].attr & SSL_eNULL) { > > -- if (mask & SSL_eNULL) > > -- cipher_list[i] = action; > > -- } else > > -+ /* if more than one mask is provided > > -+ * then AND logic applies (to match openssl) > > -+ */ > > -+ if ( cipher_list[i] == -1) ) > > -+ continue; > > -+ if ( mask && ! (ciphers_def[i].attr & mask) ) > > -+ continue; > > -+ if ( strength && ! (ciphers_def[i].strength & strength) ) > > -+ continue; > > -+ if ( protocol && ! 
(ciphers_def[i].version & protocol) ) > > -+ continue; > > -+ /* Enable the NULL ciphers only if explicity requested */ > > -+ if (ciphers_def[i].attr & SSL_eNULL) { > > -+ if (mask & SSL_eNULL) > > - cipher_list[i] = action; > > -- } > > -+ } else > > -+ cipher_list[i] = action; > > - } > > - } else { > > - for (i=0; i<ciphernum; i++) { > > diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch b/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > > deleted file mode 100644 > > index 4d1fda96e..000000000 > > --- a/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch > > +++ /dev/null > > @@ -1,22 +0,0 @@ > > -Upstream-Status: Pending > > - > > ---- a/build/openldap.m4 > > -+++ b/build/openldap.m4 > > -@@ -651,7 +651,7 @@ AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[ > > - ]]) > > - > > - AC_DEFUN([OL_PTHREAD_TEST_PROGRAM], > > --AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES > > -+[AC_LANG_SOURCE([[OL_PTHREAD_TEST_INCLUDES > > - > > - int main(argc, argv) > > - int argc; > > -@@ -659,7 +659,7 @@ int main(argc, argv) > > - { > > - OL_PTHREAD_TEST_FUNCTION > > - } > > --])) > > -+]])]) > > - dnl -------------------------------------------------------------------- > > - AC_DEFUN([OL_PTHREAD_TRY], [# Pthread try link: $1 ($2) > > - if test "$ol_link_threads" = no ; then > > diff --git a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch b/meta-oe/recipes-support/openldap/openldap/thread_stub.patch > > deleted file mode 100644 > > index 540ba4a63..000000000 > > --- a/meta-oe/recipes-support/openldap/openldap/thread_stub.patch > > +++ /dev/null 
> > @@ -1,20 +0,0 @@ > > -openldap: set pointer > > - > > -When the function ldap_pvt_thread_pool_getkey() succeeds, it > > -must set the value of *data since the caller may try to use it. > > - > > -Upstream-Status: pending > > - > > -Signed-off-by: Joe Slater <jslater@windriver.com> > > - > > - > > ---- a/libraries/libldap_r/thr_stub.c > > -+++ b/libraries/libldap_r/thr_stub.c > > -@@ -217,6 +217,7 @@ ldap_pvt_thread_pool_unidle ( ldap_pvt_t > > - int ldap_pvt_thread_pool_getkey ( > > - void *ctx, void *key, void **data, ldap_pvt_thread_pool_keyfree_t **kfree ) > > - { > > -+ if (data) *data = NULL; /* avoid problems with uninitialized *data */ > > - return(0); > > - } > > - > > diff --git a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > > index 96a03369a..6783b5175 100644 > > --- a/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > > +++ b/meta-oe/recipes-support/openldap/openldap/use-urandom.patch > > @@ -8,20 +8,17 @@ Upstream-Status: pending > > > > Signed-off-by: Joe Slater <jslater@windriver.com> > > > > - > > ---- a/configure.in > > -+++ b/configure.in > > -@@ -2153,8 +2153,8 @@ fi > > +--- a/configure.ac > > ++++ b/configure.ac > > +@@ -2117,6 +2117,7 @@ AC_SUBST(systemdsystemunitdir) > > > > dnl ---------------------------------------------------------------- > > dnl Check for entropy sources > > +dev=no > > if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then > > -- dev=no > > + dev=no > > if test -r /dev/urandom ; then > > - dev="/dev/urandom"; > > - elif test -r /idev/urandom ; then > > -@@ -2167,9 +2167,11 @@ if test $cross_compiling != yes && test > > +@@ -2131,9 +2132,11 @@ if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then > > dev="/idev/random"; > > fi > > > > @@ -29,7 +26,7 @@ 
Signed-off-by: Joe Slater <jslater@windriver.com> > > - AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) > > - fi > > +elif test $cross_compiling == yes ; then > > -+ dev="/dev/urandom"; > > ++ dev="/dev/urandom"; > > +fi > > +if test $dev != no ; then > > + AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device]) > > diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb > > similarity index 82% > > rename from meta-oe/recipes-support/openldap/openldap_2.4.58.bb > > rename to meta-oe/recipes-support/openldap/openldap_2.5.8.bb > > index f9dc58a4c..ca005de70 100644 > > --- a/meta-oe/recipes-support/openldap/openldap_2.4.58.bb > > +++ b/meta-oe/recipes-support/openldap/openldap_2.5.8.bb > > @@ -7,7 +7,7 @@ HOMEPAGE = "http://www.OpenLDAP.org/license.html" > > # basically BSD. opensource.org does not record this license > > # at present (so it is apparently not OSI certified). > > LICENSE = "OpenLDAP" > > -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b6dea6c170362fc46381fe3690c722cb \ > > +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=5cc6ef74da4ad25d707c4f5903d64975 \ > > file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ > > " > > SECTION = "libs" 
> > @@ -15,18 +15,15 @@ SECTION = "libs" > > LDAP_VER = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" > > > > SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/${BP}.tgz \ > > - file://openldap-m4-pthread.patch \ > > file://openldap-2.4.28-gnutls-gcrypt.patch \ > > file://use-urandom.patch \ > > file://initscript \ > > file://slapd.service \ > > - file://thread_stub.patch \ > > - file://openldap-CVE-2015-3276.patch \ > > file://remove-user-host-pwd-from-version.patch \ > > " > > > > -SRC_URI[md5sum] = "c203d735ba69976e5b28dc39006f29b5" > > -SRC_URI[sha256sum] = "57b59254be15d0bf6a9ab3d514c1c05777b02123291533134a87c94468f8f47b" > > +SRC_URI[md5sum] = "86e3ffce4adfc57cbb76ac0ff48b2614" > > +SRC_URI[sha256sum] = "366ea1c3b24202de4481978b632128c0cfe4148d4ae13cabf93a1f38c56472dc" > > > > DEPENDS = "util-linux groff-native" > > > > @@ -35,7 +32,7 @@ DEPENDS = "util-linux groff-native" > > # environments > > SRC_URI += "file://install-strip.patch" > > > > -inherit autotools-brokensep update-rc.d systemd > > +inherit autotools-brokensep update-rc.d systemd pkgconfig > > > > # CV SETTINGS > > # Required to work round AC_FUNC_MEMCMP which gets the wrong answer > > @@ -50,8 +47,8 @@ EXTRA_OECONF += "--with-yielding-select=yes" > > # Shared libraries are nice... > > EXTRA_OECONF += "--enable-dynamic" > > > > -PACKAGECONFIG ??= "gnutls modules \ > > - mdb ldap meta monitor null passwd shell proxycache dnssrv \ > > +PACKAGECONFIG ??= "asyncmeta gnutls modules \ > > + mdb ldap meta null passwd proxycache dnssrv \ > > ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ > > " > > #--with-tls with TLS/SSL support auto|openssl|gnutls [auto] 
> > @@ -72,25 +69,20 @@ EXTRA_OECONF += "--enable-crypt" > > # The backend must be set by the configuration. This controls the > > # required database. > > # > > -# Backends="bdb dnssrv hdb ldap mdb meta monitor ndb null passwd perl relay shell sock sql" > > +# Backends="asyncmeta dnssrv ldap mdb meta ndb null passwd perl relay sock sql wt" > > # > > # Note that multiple backends can be built. The ldbm backend requires a > > -# build-time choice of database API. The bdb backend forces this to be > > -# DB4. To use the gdbm (or other) API the Berkely database module must > > -# be removed from the build. > > +# build-time choice of database API. To use the gdbm (or other) API the > > +# Berkely database module must be removed from the build. > > md = "${libexecdir}/openldap" > > # > > -#--enable-bdb enable Berkeley DB backend no|yes|mod yes > > -# The Berkely DB is the standard choice. This version of OpenLDAP requires > > -# the version 4 implementation or better. > > -PACKAGECONFIG[bdb] = "--enable-bdb=yes,--enable-bdb=no,db" > > + > > +#--enable-asyncmeta enable asyncmeta backend no|yes|mod no > > +PACKAGECONFIG[asyncmeta] = "--enable-asyncmeta=mod,--enable-asyncmeta=no" > > > > #--enable-dnssrv enable dnssrv backend no|yes|mod no > > PACKAGECONFIG[dnssrv] = "--enable-dnssrv=mod,--enable-dnssrv=no" > > > > -#--enable-hdb enable Hierarchical DB backend no|yes|mod no > > -PACKAGECONFIG[hdb] = "--enable-hdb=yes,--enable-hdb=no,db" > > - > > #--enable-ldap enable ldap backend no|yes|mod no > > PACKAGECONFIG[ldap] = "--enable-ldap=mod,--enable-ldap=no," 
> > > > @@ -100,9 +92,6 @@ PACKAGECONFIG[mdb] = "--enable-mdb=yes,--enable-mdb=no," > > #--enable-meta enable metadirectory backend no|yes|mod no > > PACKAGECONFIG[meta] = "--enable-meta=mod,--enable-meta=no," > > > > -#--enable-monitor enable monitor backend no|yes|mod yes > > -PACKAGECONFIG[monitor] = "--enable-monitor=mod,--enable-monitor=no," > > - > > #--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] > > PACKAGECONFIG[ndb] = "--enable-ndb=mod,--enable-ndb=no," > > > > @@ -121,10 +110,6 @@ PACKAGECONFIG[perl] = "--enable-perl=mod,--enable-perl=no,perl" > > #--enable-relay enable relay backend no|yes|mod [yes] > > PACKAGECONFIG[relay] = "--enable-relay=mod,--enable-relay=no," > > > > -#--enable-shell enable shell backend no|yes|mod no > > -# configure: WARNING: Use of --without-threads is recommended with back-shell > > -PACKAGECONFIG[shell] = "--enable-shell=mod --without-threads,--enable-shell=no," > > - > > #--enable-sock enable sock backend no|yes|mod [no] > > PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," > > > > @@ -133,6 +118,10 @@ PACKAGECONFIG[sock] = "--enable-sock=mod,--enable-sock=no," > > # sqlite.h (which may be compatible but hasn't been tried.) > > PACKAGECONFIG[sql] = "--enable-sql=mod,--enable-sql=no,sqlite3" > > > > +#--enable-wt enable wt backend no|yes|mod no > > +# back-wt is marked currently as experimental > > +PACKAGECONFIG[wt] = "--enable-wt=mod,--enable-wt=no" > > + > > #--enable-dyngroup Dynamic Group overlay no|yes|mod no > > # This is a demo, Proxy Cache defines init_module which conflicts with the > > # same symbol in dyngroup 
> > @@ -176,7 +165,7 @@ FILES:${PN}-slapd = "${sysconfdir}/init.d ${libexecdir}/slapd ${sbindir} ${local > > ${sysconfdir}/openldap/DB_CONFIG.example ${systemd_unitdir}/system/*" > > FILES:${PN}-slurpd = "${libexecdir}/slurpd ${localstatedir}/openldap-slurp" > > FILES:${PN}-bin = "${bindir}" > > -FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so" > > +FILES:${PN}-dev = "${includedir} ${libdir}/lib*.so ${libdir}/*.la ${libexecdir}/openldap/*.a ${libexecdir}/openldap/*.la ${libexecdir}/openldap/*.so ${libdir}/pkgconfig/*.pc" > > FILES:${PN}-dbg += "${libexecdir}/openldap/.debug" > > > > do_install:append() { > > @@ -210,8 +199,6 @@ do_install:append() { > > -i ${D}${sysconfdir}/openldap/slapd.conf > > > > mkdir -p ${D}${localstatedir}/${BPN}/data > > - > > - > > } > > > > INITSCRIPT_PACKAGES = "${PN}-slapd" 
> > @@ -220,21 +207,18 @@ INITSCRIPT_PARAMS:${PN}-slapd = "defaults" > > SYSTEMD_SERVICE:${PN}-slapd = "hostapd.service" > > SYSTEMD_AUTO_ENABLE:${PN}-slapd ?= "disable" > > > > - > > PACKAGES_DYNAMIC += "^${PN}-backends.* ^${PN}-backend-.*" > > > > # The modules require their .so to be dynamicaly loaded > > -INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" > > -INSANE_SKIP:${PN}-backend-ldap += "dev-so" > > -INSANE_SKIP:${PN}-backend-meta += "dev-so" > > -INSANE_SKIP:${PN}-backend-mdb += "dev-so" > > -INSANE_SKIP:${PN}-backend-monitor += "dev-so" > > -INSANE_SKIP:${PN}-backend-null += "dev-so" > > -INSANE_SKIP:${PN}-backend-passwd += "dev-so" > > -INSANE_SKIP:${PN}-backend-shell += "dev-so" > > - > > - > > -python populate_packages:prepend () { > > +INSANE_SKIP:${PN}-backend-asyncmeta += "dev-so" > > +INSANE_SKIP:${PN}-backend-dnssrv += "dev-so" > > +INSANE_SKIP:${PN}-backend-ldap += "dev-so" > > +INSANE_SKIP:${PN}-backend-meta += "dev-so" > > +INSANE_SKIP:${PN}-backend-mdb += "dev-so" > > +INSANE_SKIP:${PN}-backend-null += "dev-so" > > +INSANE_SKIP:${PN}-backend-passwd += "dev-so" > > + > > +python populate_packages_prepend () { > > this should be populate_packages:prepend > I have corrected it before staging this patch so no need to send a v2 > > > backend_dir = d.expand('${libexecdir}/openldap') > > do_split_packages(d, backend_dir, 'back_([a-z]*)\.so$', 'openldap-backend-%s', 'OpenLDAP %s backend', prepend=True, extra_depends='', allow_links=True) > > do_split_packages(d, backend_dir, 'back_([a-z]*)\-.*\.so\..*$', 'openldap-backend-%s', 'OpenLDAP %s backend', extra_depends='', allow_links=True) > > -- > > 2.32.0 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. 
> > View/Reply Online (#93562): https://lists.openembedded.org/g/openembedded-devel/message/93562 > > Mute This Topic: https://lists.openembedded.org/mt/86574889/1997914 > > Group Owner: openembedded-devel+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > ^ permalink raw reply [flat|nested] 4+ messages in thread
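Review bot: the deletion of openldap-CVE-2015-3276.patch is justified in the commit message only by "dropped patches for functionalities which don't exist anymore", which does not say which functionality went away for which patch. For a file tagged CVE: CVE-2015-3276, state explicitly that libraries/libldap/tls_m.c, the file holding the nss_parse_ciphers code it patches, is no longer part of 2.5.8 (or that the fix is upstream), so anyone auditing CVE coverage of the recipe can see why the patch is gone. The same one-line justification would help for thread_stub.patch and openldap-m4-pthread.patch.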
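Review bot: in the refreshed use-urandom.patch, dev=no is now added ahead of the "if test $cross_compiling != yes" block while the dev=no inside the block is kept as context, so the inner assignment is redundant and can be dropped from the refreshed patch. Since the patch is being rebased onto configure.ac anyway, "elif test $cross_compiling == yes" should use "=", because "==" is not a POSIX test operator and configure runs under /bin/sh, and $dev in "if test $dev != no" should be quoted.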
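Review bot: the @@ -7,7 +7,7 @@ hunk changes the md5 for COPYRIGHT in LIC_FILES_CHKSUM, but the commit message does not say what changed in that file. Add a line describing the difference, for example whether it is only a copyright-year update, so reviewers can confirm the licence terms are the same as before.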
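Review bot: the @@ -15,18 +15,15 @@ hunk refreshes SRC_URI[md5sum] alongside SRC_URI[sha256sum]; MD5 adds no integrity assurance beyond the SHA-256 value, so drop the md5sum line instead of updating it. The tarball URL in the same hunk is plain http://, which leaves sha256sum as the only protection against a tampered download, so the new value should be checked against the checksum published with the upstream release rather than computed from the fetched file.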
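Review bot: in the @@ -72,25 +69,20 @@ hunk the retained comment still says "The ldbm backend requires a build-time choice of database API" and talks about removing the "Berkely database module", yet this patch drops PACKAGECONFIG[bdb] and PACKAGECONFIG[hdb] and the Backends= list no longer names either. The paragraph now describes options the recipe cannot select; delete it, or rewrite it for the backends that remain, and fix the "Berkely" spelling if any of it stays.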