fix CVE-2020-15719

This commit is contained in:
lunankun 2020-08-05 15:36:15 +08:00
parent 0cd7a8610d
commit 9abc10868b
2 changed files with 87 additions and 51 deletions

CVE-2020-15719.patch Normal file

@ -0,0 +1,29 @@
Do not check CN when checking SAN failed
This is to make it compliant with RFC 6125:
https://tools.ietf.org/html/rfc6125#section-6.4.4
Author: Matus Honek <mhonek@redhat.com>
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 92c708be0..46b48a3fb 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
GENERAL_NAMES_free(alt);
if (i < n) { /* Found a match */
ret = LDAP_SUCCESS;
+ } else { /* None matched */
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
+ "SAN in certificate.\n",
+ name, NULL, NULL );
+ ret = LDAP_CONNECT_ERROR;
}
}
}
- if (ret != LDAP_SUCCESS) {
+ if (ret == LDAP_LOCAL_ERROR) {
X509_NAME *xn;
X509_NAME_ENTRY *ne;
ASN1_OBJECT *obj;
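Review bot: The new `else` branch sets LDAP_CONNECT_ERROR for any certificate that carries a SAN extension but matched nothing, so the CN fallback below is skipped even when the SAN held no dNSName/iPAddress entry at all; if `n` counts every GENERAL_NAME in the extension (the loop sits above the hunk, so this is inferred), a certificate whose SAN lists only e-mail or otherName entries would now be rejected instead of being checked against the CN, whereas RFC 6125 §6.4.4 forbids the CN fallback only when a DNS-ID (or similar presented identifier) is actually present. Worth confirming against the loop; if it counts all entry types, the branch should be conditioned on a DNS/IP entry having been seen rather than on `n` alone. Separately, `if (ret == LDAP_LOCAL_ERROR)` now depends on `ret` having been initialised to LDAP_LOCAL_ERROR before the SAN scan, which is outside the hunk, so a comment on that line would keep the intent visible: `/* RFC 6125 6.4.4: fall back to the CN only when the cert presented no SAN to match */`. tlso_session_chkhost starts and ends outside the hunk.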


@ -2,7 +2,7 @@
Name: openldap
Version: 2.4.50
Release: 2
Release: 3
Summary: LDAP support libraries
License: OpenLDAP
URL: https://www.openldap.org/
@ -11,38 +11,38 @@ Source1: slapd.service
Source2: slapd.tmpfiles
Source3: slapd.ldif
Source4: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
Source50: libexec-functions
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
Source50: libexec-functions
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Patch0: openldap-manpages.patch
Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch
Patch1: openldap-reentrant-gethostby.patch
Patch2: openldap-smbk5pwd-overlay.patch
Patch3: openldap-ai-addrconfig.patch
Patch4: openldap-allop-overlay.patch
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch21: openldap-openssl-allow-ssl3.patch
Patch90: check-password-makefile.patch
Patch91: check-password.patch
Patch6000: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch6001: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch6002: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch6003: bugfix-openldap-nss-pk11-freeslot.patch
Patch6004: bugfix-openldap-nss-protocol-version-new-api.patch
Patch6005: bugfix-openldap-nss-unregister-on-unload.patch
Patch6006: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch6007: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch6008: bugfix-openldap-ssl-deadlock-revert.patch
Patch6009: bugfix-openldap-support-tlsv1-and-later.patch
Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch6012: Fixup-for-binary-config-attrs.patch
Patch6013: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch6014: bugfix-openldap-fix-implicit-function-declaration.patch
Patch6015: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch5: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch6: openldap-openssl-allow-ssl3.patch
Patch7: check-password-makefile.patch
Patch8: check-password.patch
Patch9: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch10: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch11: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch12: bugfix-openldap-nss-pk11-freeslot.patch
Patch13: bugfix-openldap-nss-protocol-version-new-api.patch
Patch14: bugfix-openldap-nss-unregister-on-unload.patch
Patch15: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch16: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch17: bugfix-openldap-ssl-deadlock-revert.patch
Patch18: bugfix-openldap-support-tlsv1-and-later.patch
Patch19: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch20: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch21: Fixup-for-binary-config-attrs.patch
Patch22: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch23: bugfix-openldap-fix-implicit-function-declaration.patch
Patch24: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch25: CVE-2020-15719.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -109,29 +109,30 @@ pushd openldap-%{version}
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch17 -p1
%patch19 -p1
%patch21 -p1
%patch6 -p1
%patch6000 -p1
%patch6001 -p1
%patch6002 -p1
%patch6003 -p1
%patch6004 -p1
%patch6005 -p1
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%patch6014 -p1
%patch6015 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -149,8 +150,8 @@ done
popd
pushd ltb-project-openldap-ppolicy-check-password-1.1
%patch90 -p1
%patch91 -p1
%patch7 -p1
%patch8 -p1
popd
%build
@ -414,6 +415,12 @@ popd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog
* Wed Aug 05 2020 lunankun<lunankun@huawei.com> - 2.4.50-3
- Type:cves
- ID:CVE-2020-15719
- SUG:restart
- DESC:fix CVE-2020-15719
* Thu Jul 23 2020 zhouyihang<zhouyihang3@huawei.com> - 2.4.50-2
- Type:bugfix
- ID:NA