From: Leo Famulari
Subject: Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
Date: Sat, 23 Apr 2016 21:40:13 -0400
Message-ID: <20160424014013.GA2732@jasmine>
In-Reply-To: <87y485f1gr.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Fri, Apr 22, 2016 at 11:28:20PM -0400, Mark H Weaver wrote:
> Leo Famulari writes:
> > There is a remote denial of service bug in OpenLDAP in version 2.4.42
> > and earlier [0].
>
> I think we'll need to graft this. Would you like to try grafting it on
> your own system, see if anything obvious breaks, and then report back?

My last patch was, to be nice, incomplete. Here is an updated version.
I've tried to replicate the examples in caeadfddb and d8173f21f.

[Attachment: 0001-gnu-openldap-Update-to-2.4.44-fixes-CVE-2015-6908.patch]
>From 267f0cf5e5f062484780b8e0c9d246a56b9a3a35 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 21 Apr 2016 12:49:48 -0400 Subject: [PATCH] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908]. * gnu/packages/openldap.scm (openldap)[replacement]: New field. (openldap-fixed): New variable. --- gnu/packages/openldap.scm | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index d416a43..429078f 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2013 Andreas Enge +;;; Copyright © 2016 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -33,6 +34,7 @@ (define-public openldap (package + (replacement openldap-2.4.44) (name "openldap") (version "2.4.42") (source (origin @@ -76,3 +78,24 @@ "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.") (license openldap2.8) (home-page "http://www.openldap.org/"))) + +(define openldap-2.4.44 + (package + (inherit openldap) + (replacement #f) + (source + (let ((version "2.4.44")) + (origin + (method url-fetch) + (uri (list (string-append + "ftp://mirror.switch.ch/mirror/OpenLDAP/" + "openldap-release/openldap-" version ".tgz") + (string-append + "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/" + "openldap-release/openldap-" version ".tgz") + (string-append + "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/" + "openldap-release/openldap-" version ".tgz"))) + (sha256 + (base32 + "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))))) -- 2.7.4 --RnlQjJ0d97Da+TV1--
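Review bot: the ChangeLog entry in the commit message says `(openldap-fixed): New variable.` but the hunks define `openldap-2.4.44`; rename one of them so the log matches the code. The forward reference in `(replacement openldap-2.4.44)` to a variable defined further down the file is fine, because the package record's `replacement` field is thunked and is not evaluated until the graft is needed, but a one-line comment next to the field saying that it points at the grafted 2.4.44 build would save the next reader a lookup.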
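Review bot: in the `openldap-2.4.44` hunk, the `(let ((version "2.4.44")) ...)` wrapper changes only the `source`; the inherited `version` field stays "2.4.42", so the grafted package still reports itself as 2.4.42 while being built from the 2.4.44 tarball. That follows the precedents the cover note cites, but it should be stated in the commit message so that someone auditing for CVE-2015-6908 knows to check the source hash rather than the version string. The three mirrors in the new `uri` list are all plain `ftp://`, so nothing on the transport authenticates the download and the base32 sha256 `0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp` is the only pin; please say in the commit message or in this thread how that hash was obtained (for example, fetched with `guix download` and compared with the checksum upstream publishes alongside the release). Finally, `(replacement #f)` deserves a short comment: without it, `inherit` would carry over the parent's `replacement` field and the graft would point at itself.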