VERSION.sh | 2 -
ldap/servers/slapd/bind.c | 51 ++++++++++++++++++++----------------------
ldap/servers/slapd/saslbind.c | 4 +--
3 files changed, 28 insertions(+), 29 deletions(-)
New commits:
commit 695f0b73e9a4e6ce682526265fb1ec7f18ba7970
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Aug 11 15:11:57 2016 -0700
bump version to 1.3.4.14
diff --git a/VERSION.sh b/VERSION.sh
index 42e3e7e..0309bf5 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=4.13
+VERSION_MAINT=4.14
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit c5521864b2996db2ae18f24ef34acb6aec92ad78
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Aug 4 11:45:49 2016 -0700
Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
Description: do not overwrite rc used to decide if bind was successful.
When the bind is through ldapi/autobind, an entry does not exist to be
checked with slapi_check_account_lock. In that case the variable rc must
not be modified, because the code path that follows relies on its value.
Reviewed by nhosoi(a)redhat.com.
(cherry picked from commit caa351ae0cc81cbf2309a43c5f74b359cda152d0)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 8f5375a..399eaf7 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -775,10 +775,12 @@ do_bind( Slapi_PBlock *pb )
*/
if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
- rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
- if (1 == rc) { /* account is locked */
+ myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
+ if (1 == myrc) { /* account is locked */
+ rc = myrc;
goto account_locked;
}
+ myrc = 0;
}
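Review bot: The `myrc = 0;` reset at the end of the hunk discards an error return from slapi_check_account_lock without recording it: by the rc convention documented earlier in this function, a value that is neither 0 nor 1 is an error whose result was not sent, and nothing here logs it before the bind proceeds as successful. Since rc is now deliberately left untouched on that path, a comment stating the policy would stop the next maintainer from reintroducing the overwrite, e.g. `/* Keep rc at the bind verdict: a non-0/1 return (e.g. no entry for an ldapi autobind) is not a lock and must not fail the bind. */`. Logging the non-0/1 value before resetting myrc would also make a misconfigured password policy visible instead of silent. do_bind continues outside the hunk on both sides.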
if (!auto_bind) {
/*
commit e88a1ba32ec1b02f278e7febef6024f4e6bf9f55
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Jul 26 18:08:38 2016 -0700
Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
Description:
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
the inactivated message should be returned only when the bind is
successful.
2. When a SASL bind fails, the cause of the failure is no longer returned
directly to the client; it is logged in the access log instead.
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
Reviewed by wibrown(a)redhat.com (Thank you, William!)
(cherry picked from commit b8767d510d11c7cbfede24daaae3348b9f028f47)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 6763fc3..8f5375a 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb )
}
}
}
-
- /*
- * Is this account locked ?
- * could be locked through the account inactivation
- * or by the password policy
- *
- * rc=0: account not locked
- * rc=1: account locked, can not bind, result has been sent
- * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
- * deal with it.
- *
- */
-
- /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
- if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
- bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
- rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
- }
-
slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
set_db_default_result_handlers(pb);
if ( (rc != 1) &&
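Review bot: With the pre-bind account-lock check removed, the `(rc != 1) &&` test on the last line of the hunk no longer has a visible writer that can set rc to 1; its initializer and any earlier assignment lie outside the hunk. If nothing else assigns rc before this point, the condition is dead and should be dropped (or rc's initial value confirmed) so the bind dispatch does not depend on a stale variable that used to carry the lock status. do_bind continues on both sides of the hunk.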
@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb )
if ( rc == SLAPI_BIND_SUCCESS ) {
int myrc = 0;
+ /*
+ * The bind is successful.
+ * We can give it to slapi_check_account_lock and reslimit_update_from_dn.
+ */
+ /*
+ * Is this account locked ?
+ * could be locked through the account inactivation
+ * or by the password policy
+ *
+ * rc=0: account not locked
+ * rc=1: account locked, can not bind, result has been sent
+ * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
+ * deal with it.
+ *
+ */
+ if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
+ bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
+ rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
+ if (1 == rc) { /* account is locked */
+ goto account_locked;
+ }
+ }
if (!auto_bind) {
/*
* There could be a race that bind_target_entry was not added
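Review bot: The relocated comment block is now stale: it still says "rc!=0 and rc!=1: error. Result was not sent, lets be_bind deal with it", but this code sits inside the `rc == SLAPI_BIND_SUCCESS` branch, so be_bind has already run and cannot deal with anything, and the assignment `rc = slapi_check_account_lock(...)` overwrites the bind verdict that the rest of the function presumably reads. I would reword the tail of the comment to `* other values: lock check could not be performed; the bind has already succeeded, so rc must keep SLAPI_BIND_SUCCESS` and keep the helper's return in a separate local. The `int myrc = 0;` declared at the top of this branch also appears to lose its only visible use in the following hunk, which will draw an unused-variable warning unless it is referenced further down outside the hunk. The enclosing branch continues past the end of the hunk.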
@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb )
if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) &&
!bind_target_entry) {
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
- if (bind_target_entry) {
- myrc = slapi_check_account_lock(pb, bind_target_entry,
- pw_response_requested, 1, 1);
- if (1 == myrc) { /* account is locked */
- goto account_locked;
- }
- } else {
+ if (!bind_target_entry) {
slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");
send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
goto free_and_return;
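Review bot: The retry lookup in this hunk no longer runs slapi_check_account_lock on the entry it finds, so an entry that appears between the first get_entry and this one (the race the comment above describes) is accepted without the inactivation/password-policy check that the first lookup applies. If that window is meant to be covered, re-run the check on this path without touching rc, e.g. `if (1 == slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1)) goto account_locked;` before falling through; otherwise state in the comment why the late-arriving entry needs no lock check. The branch continues outside the hunk.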
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 76294ac..d56f0ed 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -1049,8 +1049,8 @@ sasl_check_result:
errstr = sasl_errdetail(sasl_conn);
PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
- send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
- (char*)errstr, 0, NULL);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr);
+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
break;
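Review bot: The pointer returned by sasl_errdetail is read while the connection monitor is held and then stored in the pblock after PR_ExitMonitor has released it; SASL error-detail strings are owned by sasl_conn, so if any other thread can act on the connection before send_ldap_result consumes SLAPI_PB_RESULT_TEXT, the logged text may be stale or freed. If the pblock only consumes it synchronously in the send_ldap_result call that follows this is fine, but a comment saying so, or copying the string before the monitor is released, would make that dependency explicit. The `(void *)` cast also silently drops the const qualifier on errstr; a comment noting that the pblock setter takes a non-const pointer would explain why. The switch arm belongs to a function that starts outside the hunk.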
}
ldap/admin/src/base-initconfig.in | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
New commits:
commit 06a4adb4ad42a2d7cee383d6e2ef69a7188251a2
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 11 10:50:02 2016 -0400
Ticket 48950 - Change example in /etc/sysconfig/dirsrv to use tcmalloc
Description: Update the example to use tcmalloc instead of jemalloc.
https://fedorahosted.org/389/ticket/48950
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/admin/src/base-initconfig.in b/ldap/admin/src/base-initconfig.in
index e803a36..0481c3e 100644
--- a/ldap/admin/src/base-initconfig.in
+++ b/ldap/admin/src/base-initconfig.in
@@ -43,8 +43,8 @@
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
-# jemalloc is a general purpose malloc implementation that emphasizes
-# fragmentation avoidance and scalable concurrency support. jemalloc
-# has been shown to have a significant positive impact on the Directory
-# Server's process size/growth.
-#LD_PRELOAD=@libdir@/@package_name@/libjemalloc.so.1 ; export LD_PRELOAD
+# The tcmalloc memory allocator has been shown to have a positive impact on
+# the Directory Server's virtual & resident memory size/growth. tcmalloc is
+# available on RHEL/Fedora in the gperftools package (this could be different
+# on other platforms). Here is an example of preloading tcmalloc:
+#LD_PRELOAD=@libdir@/libtcmalloc.so.4 ; export LD_PRELOAD