author | he <he@pkgsrc.org> | 2016-12-13 10:38:06 +0000 |
---|---|---|
committer | he <he@pkgsrc.org> | 2016-12-13 10:38:06 +0000 |
commit | aa549a0a907238bde25b4c9ce69a336605d44ab3 (patch) | |
tree | 40c79ae1fd748cf1346b9a86927057d940e9953b /databases | |
parent | 2c0641da9a33560a15d39e5d6a299c5654de14ce (diff) | |
Apply fix from https://bugzilla.redhat.com/show_bug.cgi?id=1238322
Incorrect multi-keyword mode cipherstring parsing.
Fixes CVE-2015-3276.
Submitted upstream as ITS#8543, it apparently wasn't already(!)
http://www.openldap.org/its/index.cgi/Incoming?id=8543
Bump PKGREVISION for both openldap, openldap-server and openldap-client
(to be on the safe side...)
Diffstat (limited to 'databases')
-rw-r--r-- | databases/openldap-client/Makefile | 4 | ||||
-rw-r--r-- | databases/openldap-server/Makefile | 4 | ||||
-rw-r--r-- | databases/openldap/Makefile | 4 | ||||
-rw-r--r-- | databases/openldap/distinfo | 3 | ||||
-rw-r--r-- | databases/openldap/patches/patch-libraries_libldap_tls__m.c | 44 |
5 files changed, 52 insertions, 7 deletions
diff --git a/databases/openldap-client/Makefile b/databases/openldap-client/Makefile
index 1d99a5dc352..86ba85c6ebb 100644
--- a/databases/openldap-client/Makefile
+++ b/databases/openldap-client/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.24 2016/06/17 14:01:58 jperkin Exp $
+# $NetBSD: Makefile,v 1.25 2016/12/13 10:38:06 he Exp $
 PKGNAME= ${DISTNAME:S/-/-client-/}
-PKGREVISION= 2
+PKGREVISION= 3
 COMMENT= Lightweight Directory Access Protocol libraries and client programs
 CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap-server/Makefile b/databases/openldap-server/Makefile
index 7a8883b849f..c29d4cbbf20 100644
--- a/databases/openldap-server/Makefile
+++ b/databases/openldap-server/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.49 2016/07/02 21:03:08 jperkin Exp $
+# $NetBSD: Makefile,v 1.50 2016/12/13 10:38:06 he Exp $
 PKGNAME= ${DISTNAME:S/-/-server-/}
-PKGREVISION= 3
+PKGREVISION= 4
 COMMENT= Lightweight Directory Access Protocol server suite
 CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap/Makefile b/databases/openldap/Makefile
index d1c2dc4a7bb..ad6027ecd5d 100644
--- a/databases/openldap/Makefile
+++ b/databases/openldap/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.145 2016/03/05 11:28:12 jperkin Exp $
+# $NetBSD: Makefile,v 1.146 2016/12/13 10:38:06 he Exp $
-PKGREVISION= 1
+PKGREVISION= 2
 .include "../../databases/openldap/Makefile.version"
 DISTNAME= openldap-${OPENLDAP_VERSION}
diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo
index f48dffcf017..9c98acd8e7b 100644
--- a/databases/openldap/distinfo
+++ b/databases/openldap/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.107 2016/10/30 05:04:09 manu Exp $
+$NetBSD: distinfo,v 1.108 2016/12/13 10:38:06 he Exp $
 SHA1 (openldap-2.4.44.tgz) = 016a738d050a68d388602a74b5e991035cdba149
 RMD160 (openldap-2.4.44.tgz) = 6ea3139f630e93c6e0af60638672d88d6c535a6a
@@ -22,4 +22,5 @@ SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16
 SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75
 SHA1 (patch-its7595) = 9ea396adb7f2fd572d60190534caa80a01ef79d2
 SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688
+SHA1 (patch-libraries_libldap_tls__m.c) = 91dab1dcfa6560c30093094586ea9eabf2e977b8
 SHA1 (patch-libraries_liblmdb_mdb.c) = 590a059d784687f678ac44a577770551b11a2be5
diff --git a/databases/openldap/patches/patch-libraries_libldap_tls__m.c b/databases/openldap/patches/patch-libraries_libldap_tls__m.c
new file mode 100644
index 00000000000..c213793555d
--- /dev/null
+++ b/databases/openldap/patches/patch-libraries_libldap_tls__m.c
@@ -0,0 +1,44 @@
+$NetBSD: patch-libraries_libldap_tls__m.c,v 1.1 2016/12/13 10:38:06 he Exp $
+
+Incorrect multi-keyword mode cipherstring parsing.
+Lifted from https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+Fixes CVE-2015-3276.
+Submitted upstream as ITS#8543
+http://www.openldap.org/its/index.cgi/Incoming?id=8543
+
+--- libraries/libldap/tls_m.c.orig 2016-02-05 23:57:45.000000000 +0000
++++ libraries/libldap/tls_m.c
+@@ -621,17 +621,23 @@ nss_parse_ciphers(const char *cipherstr,
+ */
+ if (mask || strength || protocol) {
+ for (i=0; i<ciphernum; i++) {
+- if (((ciphers_def[i].attr & mask) ||
+- (ciphers_def[i].strength & strength) ||
+- (ciphers_def[i].version & protocol)) &&
+- (cipher_list[i] != -1)) {
+- /* Enable the NULL ciphers only if explicity
+- * requested */
+- if (ciphers_def[i].attr & SSL_eNULL) {
+- if (mask & SSL_eNULL)
+- cipher_list[i] = action;
+- } else
++ /* if more than one mask is provided
++ * then AND logic applies (to match openssl)
++ */
++ if ( cipher_list[i] == -1) )
++ continue;
++ if ( mask && ! (ciphers_def[i].attr & mask) )
++ continue;
++ if ( strength && ! (ciphers_def[i].strength & strength) )
++ continue;
++ if ( protocol && ! (ciphers_def[i].version & protocol) )
++ continue;
++ /* Enable the NULL ciphers only if explicity requested */
++ if (ciphers_def[i].attr & SSL_eNULL) {
++ if (mask & SSL_eNULL)
+ cipher_list[i] = action;
++ } else
++ cipher_list[i] = action;
+ }
+ }
+ } else { |
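Review bot: The added guard `if ( cipher_list[i] == -1) )` in the embedded tls_m.c patch has an unmatched closing parenthesis, so the patched file cannot compile; it should read `if ( cipher_list[i] == -1 )`. If, as the name nss_parse_ciphers suggests, tls_m.c is built only when the NSS TLS backend is selected, a default build would not notice, and the CVE-2015-3276 fix would reach NSS users only as a build failure rather than as tested code. Correcting the line changes the patch file, so its SHA1 entry in databases/openldap/distinfo has to be regenerated with it. The body of nss_parse_ciphers starts and ends outside this hunk, so the rest of the multi-keyword AND logic cannot be checked from here.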