commit
658511e808
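--- /dev/null
+++ b/CVE-2020-15719.patch
@@ -0,0 +1,29 @@
+Do not check CN when checking SAN failed
+
+This is to make it compliant with RFC 6125:
+https://tools.ietf.org/html/rfc6125#section-6.4.4
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 92c708be0..46b48a3fb 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+GENERAL_NAMES_free(alt);
+if (i < n) { /* Found a match */
+ret = LDAP_SUCCESS;
++ } else { /* None matched */
++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
++ "SAN in certificate.\n",
++ name, NULL, NULL );
++ ret = LDAP_CONNECT_ERROR;
+}
+}
+}
+
+- if (ret != LDAP_SUCCESS) {
++ if (ret == LDAP_LOCAL_ERROR) {
+X509_NAME *xn;
+X509_NAME_ENTRY *ne;
+ASN1_OBJECT *obj;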
109
openldap.spec
109
openldap.spec
@ -2,7 +2,7 @@
Name: openldap
Name: openldap
Version: 2.4.50
Version: 2.4.50
Release: 2
Release: 3
Summary: LDAP support libraries
Summary: LDAP support libraries
License: OpenLDAP
License: OpenLDAP
URL: https://www.openldap.org/
URL: https://www.openldap.org/
@ -11,38 +11,38 @@ Source1: slapd.service
Source2: slapd.tmpfiles
Source2: slapd.tmpfiles
Source3: slapd.ldif
Source3: slapd.ldif
Source4: ldap.conf
Source4: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
Source50: libexec-functions
Source50: libexec-functions
Source52: libexec-check-config.sh
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Source53: libexec-upgrade-db.sh
Patch0: openldap-manpages.patch
Patch0: openldap-manpages.patch
Patch2: openldap-reentrant-gethostby.patch
Patch1: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch2: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch3: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch
Patch4: openldap-allop-overlay.patch
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch5: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch21: openldap-openssl-allow-ssl3.patch
Patch6: openldap-openssl-allow-ssl3.patch
Patch90: check-password-makefile.patch
Patch7: check-password-makefile.patch
Patch91: check-password.patch
Patch8: check-password.patch
Patch6000: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch9: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch6001: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch10: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch6002: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch11: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch6003: bugfix-openldap-nss-pk11-freeslot.patch
Patch12: bugfix-openldap-nss-pk11-freeslot.patch
Patch6004: bugfix-openldap-nss-protocol-version-new-api.patch
Patch13: bugfix-openldap-nss-protocol-version-new-api.patch
Patch6005: bugfix-openldap-nss-unregister-on-unload.patch
Patch14: bugfix-openldap-nss-unregister-on-unload.patch
Patch6006: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch15: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch6007: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch16: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch6008: bugfix-openldap-ssl-deadlock-revert.patch
Patch17: bugfix-openldap-ssl-deadlock-revert.patch
Patch6009: bugfix-openldap-support-tlsv1-and-later.patch
Patch18: bugfix-openldap-support-tlsv1-and-later.patch
Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch19: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch20: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch6012: Fixup-for-binary-config-attrs.patch
Patch21: Fixup-for-binary-config-attrs.patch
Patch6013: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch22: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch6014: bugfix-openldap-fix-implicit-function-declaration.patch
Patch23: bugfix-openldap-fix-implicit-function-declaration.patch
Patch6015: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch24: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch25: CVE-2020-15719.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -109,29 +109,30 @@ pushd openldap-%{version}
AUTOMAKE=%{_bindir}/true autoreconf -fi
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch2 -p1
%patch3 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch5 -p1
%patch17 -p1
%patch6 -p1
%patch19 -p1
%patch21 -p1
%patch6000 -p1
%patch9 -p1
%patch6001 -p1
%patch10 -p1
%patch6002 -p1
%patch11 -p1
%patch6003 -p1
%patch12 -p1
%patch6004 -p1
%patch13 -p1
%patch6005 -p1
%patch14 -p1
%patch6006 -p1
%patch15 -p1
%patch6007 -p1
%patch16 -p1
%patch6008 -p1
%patch17 -p1
%patch6009 -p1
%patch18 -p1
%patch6010 -p1
%patch19 -p1
%patch6011 -p1
%patch20 -p1
%patch6012 -p1
%patch21 -p1
%patch6013 -p1
%patch22 -p1
%patch6014 -p1
%patch23 -p1
%patch6015 -p1
%patch24 -p1
%patch25 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -149,8 +150,8 @@ done
popd
popd
pushd ltb-project-openldap-ppolicy-check-password-1.1
pushd ltb-project-openldap-ppolicy-check-password-1.1
%patch90 -p1
%patch7 -p1
%patch91 -p1
%patch8 -p1
popd
popd
%build
%build
@ -414,6 +415,12 @@ popd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog
%changelog
* Wed Aug 05 2020 lunankun<lunankun@huawei.com> - 2.4.50-3
- Type:cves
- ID:CVE-2020-15719
- SUG:restart
- DESC:fix CVE-2020-15719
* Thu Jul 23 2020 zhouyihang<zhouyihang3@huawei.com> - 2.4.50-2
* Thu Jul 23 2020 zhouyihang<zhouyihang3@huawei.com> - 2.4.50-2
- Type:bugfix
- Type:bugfix
- ID:NA
- ID:NA
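Review bot: Renumbering every Patch tag (Patch2→Patch1 through Patch6015→Patch24, with the matching `%patchN -p1` lines) in the same commit that wires in the CVE fix buries the one security-relevant change, `Patch25: CVE-2020-15719.patch` and `%patch25 -p1`, among two dozen cosmetic hunks, which makes the commit harder to audit and to cherry-pick onto another branch. If the renumbering is wanted it would read more clearly as its own commit, or the hand-maintained apply list could give way to `%autopatch -p1` so that adding a patch no longer requires editing the sequence. Note that Patch7 and Patch8 are applied inside the ltb-project-openldap-ppolicy-check-password-1.1 tree rather than the main source, so any `%autopatch` switch would have to preserve that split.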