unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
@ 2016-04-21 18:57 Leo Famulari
  2016-04-21 18:57 ` [PATCH 1/1] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908] Leo Famulari
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Leo Famulari @ 2016-04-21 18:57 UTC (permalink / raw)
  To: guix-devel

There is a remote denial of service bug in OpenLDAP in version 2.4.42
and earlier [0].

This patch updates OpenLDAP to the latest version.

This change will require several hundred packages to be rebuilt. Should
it go on security-updates? Your advice requested...

[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-6908

Leo Famulari (1):
  gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].

 gnu/packages/openldap.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.7.4

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/1] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].
  2016-04-21 18:57 [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Leo Famulari
@ 2016-04-21 18:57 ` Leo Famulari
  2016-04-23  3:28 ` [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Mark H Weaver
  2016-04-24 19:04 ` Leo Famulari
  2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2016-04-21 18:57 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/openldap.scm (openldap): Update to 2.4.44.
---
 gnu/packages/openldap.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index d416a43..adb6f36 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -34,7 +35,7 @@
 (define-public openldap
   (package
    (name "openldap")
-   (version "2.4.42")
+   (version "2.4.44")
    (source (origin
             (method url-fetch)
 
@@ -51,7 +52,7 @@
                         "openldap-release/openldap-" version ".tgz")))
             (sha256
              (base32
-              "0qwfpb5ipp2l76v11arghq5mr0sjc6xhjfg8a0kgsaw5qpib1dzf"))))
+              "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb)
              ("openssl" ,openssl)
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
  2016-04-21 18:57 [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Leo Famulari
  2016-04-21 18:57 ` [PATCH 1/1] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908] Leo Famulari
@ 2016-04-23  3:28 ` Mark H Weaver
  2016-04-24  0:58   ` Leo Famulari
  2016-04-24  1:40   ` Leo Famulari
  2016-04-24 19:04 ` Leo Famulari
  2 siblings, 2 replies; 6+ messages in thread
From: Mark H Weaver @ 2016-04-23  3:28 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> There is a remote denial of service bug in OpenLDAP in version 2.4.42
> and earlier [0].
>
> This patch updates OpenLDAP to the latest version.
>
> This change will require several hundred packages to be rebuilt. Should
> it go on security-updates? Your advice requested...

I think we'll need to graft this.  Would you like to try grafting it on
your own system, see if anything obvious breaks, and then report back?

  Thank you!
     Mark

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
  2016-04-23  3:28 ` [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Mark H Weaver
@ 2016-04-24  0:58   ` Leo Famulari
  2016-04-24  1:40   ` Leo Famulari
  1 sibling, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2016-04-24  0:58 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]

On Fri, Apr 22, 2016 at 11:28:20PM -0400, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > There is a remote denial of service bug in OpenLDAP in version 2.4.42
> > and earlier [0].
> 
> I think we'll need to graft this.  Would you like to try grafting it on
> your own system, see if anything obvious breaks, and then report back?

I've attached a patch that does seem to work, but as discussed on IRC,
it's ugly. Specifically, I've hand-coded the version into the URI string
rather than setting the "version" field.

Again, your advice requested...

[-- Attachment #2: 0001-gnu-openldap-Update-to-2.4.44-fixes-CVE-2015-6908.patch --]
[-- Type: text/x-diff, Size: 2042 bytes --]

From a096a89674fc52b6554840cacc8d5998b8e22e7c Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 21 Apr 2016 12:49:48 -0400
Subject: [PATCH] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].

* gnu/packages/openldap.scm (openldap)[replacement]: New field.
(openldap-fixed): New variable.
---
 gnu/packages/openldap.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index d416a43..d34458b 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -35,6 +36,7 @@
   (package
    (name "openldap")
    (version "2.4.42")
+   (replacement openldap-fixed)
    (source (origin
             (method url-fetch)
 
@@ -76,3 +78,22 @@
     "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
    (license openldap2.8)
    (home-page "http://www.openldap.org/")))
+
+(define openldap-fixed
+  (package
+    (inherit openldap)
+    (source (origin
+             (method url-fetch)
+             ;; We are using version 2.4.44, but the output path will
+             ;; include the version string "2.4.42".
+             (uri (list (string-append
+                         "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+                         "openldap-release/openldap-" "2.4.44" ".tgz")
+                        (string-append
+                         "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/"
+                         "openldap-release/openldap-" "2.4.44" ".tgz")
+                        (string-append
+                         "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/")))
+             (sha256
+              (base32
+               "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))))
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
  2016-04-23  3:28 ` [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Mark H Weaver
  2016-04-24  0:58   ` Leo Famulari
@ 2016-04-24  1:40   ` Leo Famulari
  1 sibling, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2016-04-24  1:40 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 489 bytes --]

On Fri, Apr 22, 2016 at 11:28:20PM -0400, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> > There is a remote denial of service bug in OpenLDAP in version 2.4.42
> > and earlier [0].
> 
> I think we'll need to graft this.  Would you like to try grafting it on
> your own system, see if anything obvious breaks, and then report back?

My last patch was, to be nice, incomplete. Here is an updated version.

I've tried to replicate the examples in caeadfddb and d8173f21f.

[-- Attachment #2: 0001-gnu-openldap-Update-to-2.4.44-fixes-CVE-2015-6908.patch --]
[-- Type: text/x-diff, Size: 2008 bytes --]

From 267f0cf5e5f062484780b8e0c9d246a56b9a3a35 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 21 Apr 2016 12:49:48 -0400
Subject: [PATCH] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].

* gnu/packages/openldap.scm (openldap)[replacement]: New field.
(openldap-fixed): New variable.
---
 gnu/packages/openldap.scm | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index d416a43..429078f 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,6 +34,7 @@
 
 (define-public openldap
   (package
+   (replacement openldap-2.4.44)
    (name "openldap")
    (version "2.4.42")
    (source (origin
@@ -76,3 +78,24 @@
     "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
    (license openldap2.8)
    (home-page "http://www.openldap.org/")))
+
+(define openldap-2.4.44
+  (package
+    (inherit openldap)
+    (replacement #f)
+    (source
+      (let ((version "2.4.44"))
+        (origin
+          (method url-fetch)
+          (uri (list (string-append
+                      "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+                      "openldap-release/openldap-" version ".tgz")
+                     (string-append
+                      "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/"
+                      "openldap-release/openldap-" version ".tgz")
+                     (string-append
+                      "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
+                      "openldap-release/openldap-" version ".tgz")))
+          (sha256
+           (base32
+            "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp")))))))
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
  2016-04-21 18:57 [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Leo Famulari
  2016-04-21 18:57 ` [PATCH 1/1] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908] Leo Famulari
  2016-04-23  3:28 ` [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Mark H Weaver
@ 2016-04-24 19:04 ` Leo Famulari
  2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2016-04-24 19:04 UTC (permalink / raw)
  To: guix-devel

On Thu, Apr 21, 2016 at 02:57:48PM -0400, Leo Famulari wrote:
> There is a remote denial of service bug in OpenLDAP in version 2.4.42
> and earlier [0].
> 
> This patch updates OpenLDAP to the latest version.
> 
> This change will require several hundred packages to be rebuilt. Should
> it go on security-updates? Your advice requested...

Fixed on master, with a graft, as 80c13759745.

> 
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-6908
> 
> Leo Famulari (1):
>   gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].
> 
>  gnu/packages/openldap.scm | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> -- 
> 2.7.4
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2016-04-24 19:05 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-21 18:57 [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Leo Famulari
2016-04-21 18:57 ` [PATCH 1/1] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908] Leo Famulari
2016-04-23  3:28 ` [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908 Mark H Weaver
2016-04-24  0:58   ` Leo Famulari
2016-04-24  1:40   ` Leo Famulari
2016-04-24 19:04 ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).