From: Leo Famulari
Subject: Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
Date: Sat, 23 Apr 2016 20:58:49 -0400
Message-ID: <20160424005849.GA1786@jasmine>
In-Reply-To: <87y485f1gr.fsf@netris.org>
References: <87y485f1gr.fsf@netris.org>
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Fri, Apr 22, 2016 at 11:28:20PM -0400, Mark H Weaver wrote:
> Leo Famulari writes:
>
> > There is a remote denial of service bug in OpenLDAP in version 2.4.42
> > and earlier [0].
>
> I think we'll need to graft this. Would you like to try grafting it on
> your own system, see if anything obvious breaks, and then report back?

I've attached a patch that does seem to work, but as discussed on IRC,
it's ugly. Specifically, I've hand-coded the version into the URI string
rather than setting the "version" field. Again, your advice requested...
Attachment: 0001-gnu-openldap-Update-to-2.4.44-fixes-CVE-2015-6908.patch

From a096a89674fc52b6554840cacc8d5998b8e22e7c Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 21 Apr 2016 12:49:48 -0400 Subject: [PATCH] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908]. * gnu/packages/openldap.scm (openldap)[replacement]: New field. (openldap-fixed): New variable. --- gnu/packages/openldap.scm | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index d416a43..d34458b 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2013 Andreas Enge +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -35,6 +36,7 @@ (package (name "openldap") (version "2.4.42") + (replacement openldap-fixed) (source (origin (method url-fetch) @@ -76,3 +78,22 @@ "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.") (license openldap2.8) (home-page "http://www.openldap.org/"))) + +(define openldap-fixed + (package + (inherit openldap) + (source (origin + (method url-fetch) + ;; We are using version 2.4.44, but the output path will + ;; include the version string "2.4.42". + (uri (list (string-append + "ftp://mirror.switch.ch/mirror/OpenLDAP/" + "openldap-release/openldap-" "2.4.44" ".tgz") + (string-append + "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/" + "openldap-release/openldap-" "2.4.44" ".tgz") + (string-append + "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"))) + (sha256 + (base32 + "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp")))))) -- 2.7.4
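Review bot: in the third hunk, the last mirror entry of the `openldap-fixed` origin is incomplete: `(string-append "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/")` stops at the directory, whereas the first two entries go on to append `"openldap-release/openldap-" "2.4.44" ".tgz"`, so that mirror cannot actually serve the tarball as a fallback. The literal `"2.4.44"` strings, together with the comment admitting that the output path will still carry `2.4.42`, would be unnecessary if the replacement package set its own `(version "2.4.44")` and built the URIs from `version`; a Guix graft only requires the original and replacement store file names to have the same length, and `openldap-2.4.42` and `openldap-2.4.44` do, so the inherited version does not have to be kept for the graft to apply.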