389-ds-base (1.3.3.5-4+deb8u6) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-3883: Before reading from a secure socket, the LDAP consumer
    now polls the socket for a read. The socket is polled (with a 0.1s
    timeout) until read is possible or sum of poll timeout is greater than
    ioblocktimeout. (Closes: #927939).

 -- Mike Gabriel  Mon, 06 May 2019 18:42:39 +0200

389-ds-base (1.3.3.5-4+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix regression introduced by +deb8u4: checking of empty attributes
    causes crash.

 -- Hugo Lefeuvre  Thu, 25 Oct 2018 13:03:54 +0200

389-ds-base (1.3.3.5-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14648: A specially crafted search query could lead to
    excessive CPU consumption in the do_search() function. An
    unauthenticated attacker could leverage this flaw to cause a denial of
    service.

 -- Hugo Lefeuvre  Wed, 24 Oct 2018 17:16:21 +0200

389-ds-base (1.3.3.5-4+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14624: The emergency logging system is affected by a race
    condition caused by the invalidation of the concurrently used log file
    FD without proper locking. This issue might be triggered by remote
    attackers to cause DoS (crash) and cause any other undefined behavior.

 -- Hugo Lefeuvre  Sat, 15 Sep 2018 10:11:57 -0400

389-ds-base (1.3.3.5-4+deb8u2) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-10935: Check if we are able to index the provided value. If
    we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR).
    Fixes: Any authenticated user doing a search using ldapsearch with
    extended controls for server side sorting is bringing down the ldap
    server itself. (Closes: #906985).
  * CVE-2018-10871: Set nsslapd-unhashed-pw-switch by default to 'off'.
    Fixes: By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy
    of the unhashed password is kept in modifiers and is possibly logged in
    changelog and retroCL.

 -- Mike Gabriel  Thu, 30 Aug 2018 16:40:44 +0200

389-ds-base (1.3.3.5-4+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2015-1854
    A flaw was found while doing authorization of modrdn operations. An
    unauthenticated attacker able to issue an ldapmodrdn call to the
    directory server could perform unauthorized modifications of entries in
    the directory server.
  * CVE-2017-15134
    Improper handling of a search filter in slapi_filter_sprintf() in
    slapd/util.c can lead to remote server crash and denial of service.
  * CVE-2018-1054
    When read access on is enabled, a flaw in SetUnicodeStringFromUTF_8
    function in collate.c, can lead to out-of-bounds memory operations.
    This might result in a server crash, caused by unauthorized users.
  * CVE-2018-1089
    Any user (anonymous or authenticated) can crash ns-slapd with a crafted
    ldapsearch query with very long filter value.
  * CVE-2018-10850
    Due to a race condition the server could crash in turbo mode (because
    of high traffic) or when a worker reads several requests in the read
    buffer (more_data). Thus an anonymous attacker could trigger a denial
    of service.

 -- Thorsten Alteholz  Thu, 12 Jul 2018 19:03:02 +0200

389-ds-base (1.3.3.5-4) unstable; urgency=medium

  * Security fixes (Closes: #779909)
    - cve-2014-8105.diff: Fix for CVE-2014-8105
    - cve-2014-8112.diff: Fix for CVE-2014-8112

 -- Timo Aaltonen  Mon, 09 Mar 2015 10:53:03 +0200

389-ds-base (1.3.3.5-3) unstable; urgency=medium

  * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
    scripts to use bash instead of trying to fix bashisms.
    (Closes: #772195)

 -- Timo Aaltonen  Fri, 16 Jan 2015 15:40:23 +0200

389-ds-base (1.3.3.5-2) unstable; urgency=medium

  * fix-saslpath.diff: Fix SASL library path.

 -- Timo Aaltonen  Sat, 25 Oct 2014 01:48:34 +0300

389-ds-base (1.3.3.5-1) unstable; urgency=medium

  * New upstream bugfix release.
  * control: Bump policy, no changes.

 -- Timo Aaltonen  Mon, 20 Oct 2014 09:57:14 +0300

389-ds-base (1.3.3.3-1) unstable; urgency=medium

  * New upstream release.
  * Dropped upstreamed patches, refresh others.
  * control, rules, 389-ds-base.install: Add support for systemd.
  * fix-obsolete-target.diff: Drop syslog.target from the service files.
  * 389-ds-base.links: Mask the initscript so that it's not used with
    systemd.

 -- Timo Aaltonen  Mon, 06 Oct 2014 17:13:01 +0300

389-ds-base (1.3.2.23-2) unstable; urgency=medium

  * Team upload.
  * Add fix-bsd.patch and support-kfreebsd.patch to fix the build failure
    on kFreeBSD.

 -- Benjamin Drung  Wed, 03 Sep 2014 15:32:22 +0200

389-ds-base (1.3.2.23-1) unstable; urgency=medium

  * New bugfix release.
  * watch: Update the url.
  * control: Update Vcs-Browser url to use cgit.

 -- Timo Aaltonen  Mon, 01 Sep 2014 13:32:59 +0300

389-ds-base (1.3.2.21-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2014-3562 (Closes: #757437)

 -- Timo Aaltonen  Fri, 08 Aug 2014 10:48:55 +0300

389-ds-base (1.3.2.19-1) unstable; urgency=medium

  * New upstream release.
  * admin_scripts.diff: Updated to fix more bashisms.
  * watch: Update the url.
  * Install failedbinds.py and logregex.py scripts.
  * init: Use status from init-functions.
  * control: Update my email.

 -- Timo Aaltonen  Tue, 08 Jul 2014 15:50:11 +0300

389-ds-base (1.3.2.9-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
  * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
    (Closes: #745821)

 -- Tobias Frost  Fri, 25 Apr 2014 15:11:16 +0200

389-ds-base (1.3.2.9-1) unstable; urgency=low

  * New upstream release.
    - fixes CVE-2013-0336 (Closes: #704077)
    - fixes CVE-2013-1897 (Closes: #704421)
    - fixes CVE-2013-2219 (Closes: #718325)
    - fixes CVE-2013-4283 (Closes: #721222)
    - fixes CVE-2013-4485 (Closes: #730115)
  * Drop fix-CVE-2013-0312.diff, upstream.
  * rules: Add new scripts to rename.
  * fix-sasl-path.diff: Use a triplet path to find libsasl2.
    (LP: #1088822)
  * admin_scripts.diff: Add patch from upstream #47511 to fix bashisms.
  * control: Add ldap-utils to -base depends.
  * rules, rename-online-scripts.diff: Some scripts with .pl suffix are
    meant for an online server, so instead of overwriting the offline
    scripts use -online suffix.
  * rules: Enable parallel build, but limit the jobs to 1 for
    dh_auto_install.
  * control: Bump policy to 3.9.5, no changes.
  * rules: Add get-orig-source target.
  * lintian-overrides: Drop obsolete entries, add comments for the rest.

 -- Timo Aaltonen  Mon, 03 Feb 2014 11:08:50 +0200

389-ds-base (1.3.0.3-1) unstable; urgency=low

  * New upstream release.
  * control: Bump the policy to 3.9.4, no changes.
  * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.

 -- Timo Aaltonen  Mon, 11 Mar 2013 14:23:20 +0200

389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low

  * New upstream release.
  * watch: Add a comment about the upstream git tree.
  * fix-cve-2012-4450.diff: Remove, upstream.

 -- Timo Aaltonen  Sat, 01 Dec 2012 14:22:13 +0200

389-ds-base (1.2.11.15-1) unstable; urgency=low

  * New upstream release.
  * Add fix-cve-2012-4450.diff. (Closes: #688942)
  * dirsrv.init: Fix stop() to remove the pidfile only when the process is
    finished. (Closes: #689389)
  * copyright: Update the source url.
  * control: Drop quilt from build-depends, since using 3.0 (quilt)
  * lintian-overrides: Add an override for hardening-no-fortify-functions,
    since it's a false positive in this case.
  * control: Drop dpkg-dev from build-depends, no need to specify it
    directly.
  * copyright: Add myself as a copyright holder for debian/*.
  * 389-ds-base.prerm: Add 'set -e'.
  * rules: drop DEB_HOST_MULTIARCH, dh9 handles it.

 -- Timo Aaltonen  Wed, 03 Oct 2012 19:33:52 +0300

389-ds-base (1.2.11.7-5) unstable; urgency=low

  * control: Drop debconf-utils and po-debconf from build-depends.
  * control: Add libnetaddr-ip-perl and libsocket-getaddrinfo-perl to
    389-ds-base Depends for ipv6 support. (Closes: #682847)

 -- Timo Aaltonen  Mon, 30 Jul 2012 13:12:23 +0200

389-ds-base (1.2.11.7-4) unstable; urgency=low

  * debian/po: Remove, leftover from the template purge. (Closes: #681543)

 -- Timo Aaltonen  Thu, 19 Jul 2012 23:12:01 +0300

389-ds-base (1.2.11.7-3) unstable; urgency=low

  * 389-ds-base.config: Removed, the debconf template is no more.
    (Closes: #680351)
  * control: Remove duplicate 'the' from the 389-ds description.

 -- Timo Aaltonen  Wed, 11 Jul 2012 11:59:36 +0300

389-ds-base (1.2.11.7-2) unstable; urgency=low

  * control: Stop hardcoding libs to binary depends. (Closes: #679790)
  * control: Add libnspr4-dev and libldap2-dev to 389-ds-base-dev Depends.
    (Closes: #679742)
  * l10n review (Closes: #679870):
    - Drop the debconf template, and rewrap README.Debian.
    - control: Update the descriptions

 -- Timo Aaltonen  Tue, 03 Jul 2012 17:58:20 +0300

389-ds-base (1.2.11.7-1) unstable; urgency=low

  [ Timo Aaltonen ]
  * New upstream release.
  * watch: Fix the url.
  * patches/remove_license_prompt: Dropped, included upstream.
  * patches/default_user: Refreshed.
  * control: Change the VCS header to point to the git repository.
  * control: Rename last remnants of Fedora to 389.
  * changelog, control: Be consistent with the naming; renamed the source
    to just '389-ds-base', which matches upstream tarball naming.
  * control: Wrap Depends.
  * compat, control: Bump compat to 9, and debhelper build-dep to (>= 9).
  * rules: Switch to dh.
  * Move dirsrv.lintian to dirsrv.lintian-overrides, adjust
    dirsrv.install.
  * *.dirs: Clean up.
  * control: Build-depend on dh-autoreconf, drop duplicate bdeps.
  * Fold dirsrv-tools into the main package.
  * Build against libldap2-dev (>= 2.4.28).
  * Rename binary package to 389-ds-base.
  * -dev.install: Install the pkgconfig file.
  * rules: Enable PIE hardening.
  * Add a default file, currently sets LD_BIND_NOW=1.
  * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
    dependency to 389-ds-base.
  * rules: Add --fail-missing for dh_install, remove files not needed and
    make sure to install the rest.
  * rules, control: Fix the installation name of ds-logpipe.py, add python
    dependency to 389-ds-base.
  * libns-dshttpd is internal to the server, ship it in 389-ds-base.
  * Rename libdirsrv{-dev,0} -> 389-ds-base-{dev,libs}, includes only
    libslapd and headers for external plugin development.
  * control: Breaks/Replaces old libdirsrv-dev/libdirsrv0/dirsrv.
  * Drop hyphen_used_as_minus, applied upstream.
  * copyright: Use DEP5 format.
  * Cherry-pick upstream commit ee320163c6 to get rid of unnecessary and
    non-free MIB's from the tree, and build a dfsg compliant tarball.
  * lintian-overrides: Update, create one for -libs.
  * Fix the initscript to create the lockdir, and refactor code into
    separate functions.
  * Drop obsolete entries from copyright, and make it lintian clean.
  * debian/po: Refer to the correct file after rename.
  * control: Bump Standards-Version to 3.9.3, no changes.
  * postinst: Drop unused 'lastversion'.
  * patches: Add DEP3 compliant headers.
  * rules, postinst: Add an error handler function for dh_installinit, so
    that clean installs don't fail due to missing configuration.
  * postinst: Run the update tool.
  * dirsrv.init:
    - Make the start and stop functions much simpler and LSB compliant
    - Fix starting multiple instances
    - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach
      properly
  * control: Add 389-ds metapackage.
  * control: Change libdb4.8-dev build-depends to libdb-dev, since this
    version supports db5.x.
  * 389-ds-base.prerm: Add prerm script for removing installed instances
    on purge.

  [ Krzysztof Klimonda ]
  * dirsrv.init:
    - return 0 code if there are no instances configured and tweak message
      so it doesn't indicate a failure.

 -- Krzysztof Klimonda  Tue, 27 Mar 2012 14:26:16 +0200

389-directory-server (1.2.6.1-5) unstable; urgency=low

  * Removed db_stop from dirsrv.postinst
  * Fix short description in libdirsrv0-dbg

 -- Michele Baldessari  Wed, 20 Oct 2010 20:24:20 +0200

389-directory-server (1.2.6.1-4) unstable; urgency=low

  * Make libicu dep dependent on dpkg-vendor

 -- Michele Baldessari  Mon, 18 Oct 2010 21:21:52 +0200

389-directory-server (1.2.6.1-3) unstable; urgency=low

  * Remove dirsrv user and group in postrm
  * Clean up postrm and postinst

 -- Michele Baldessari  Sun, 17 Oct 2010 21:54:08 +0200

389-directory-server (1.2.6.1-2) unstable; urgency=low

  * Fix QUILT_STAMPFN

 -- Michele Baldessari  Sun, 17 Oct 2010 15:03:34 +0200

389-directory-server (1.2.6.1-1) unstable; urgency=low

  * New upstream

 -- Michele Baldessari  Sat, 16 Oct 2010 23:08:09 +0200

389-directory-server (1.2.6-2) unstable; urgency=low

  * Update my email address

 -- Michele Baldessari  Sat, 16 Oct 2010 22:34:19 +0200

389-directory-server (1.2.6-1) unstable; urgency=low

  * New upstream
  * s/Fedora/389/g to clean up the branding
  * Remove automatic configuration (breaks too often with every update)
  * Remove dirsrv.config translation, no questions are asked anymore
  * Fix old changelog versions with proper ~ on rc versions
  * Update policy to 3.9.1
  * Improve README.Debian
  * Depend on libicu44
  * Remove /var/run/dirsrv from the postinst scripts (managed by init
    script)

 -- Michele Baldessari  Sat, 04 Sep 2010 11:58:21 +0200

389-directory-server (1.2.6~rc7-1) unstable; urgency=low

  * New upstream

 -- Michele Baldessari  Fri, 03 Sep 2010 20:06:08 +0200

389-directory-server (1.2.6~a3-1) unstable; urgency=low

  * New upstream
  * Rename man page remove-ds.pl in remove-ds
  * Removed Debian.source

 -- Michele Baldessari  Sun, 23 May 2010 22:12:13 +0200

389-directory-server (1.2.6~a2-1) unstable; urgency=low

  * New upstream
  * Removed speling_fixes patch, applied upstream

 -- Michele Baldessari  Sun, 23 May 2010 13:36:25 +0200

389-directory-server (1.2.5-1) unstable; urgency=low

  * New upstream
  * Add libpcre3-dev Build-dep
  * ldap-agent moved to /usr/sbin
  * Fix spelling errors in code and manpages
  * Fix some lintian warnings
  * Bump policy to 3.8.3
  * Ignore lintian warning
    pkg-has-shlibs-control-file-but-no-actual-shared-libs as the shlibs
    file is for dirsrv plugins
  * Upgraded deps to libicu42 and libdb4.8
  * Do create /var/lib/dirsrv as dirsrv user's home
  * Added libsasl2-modules-gssapi-mit as a dependency for dirsrv (needed by
    mandatory LDAP SASL mechs)
  * Install all files of etc/dirsrv/config
  * Add some missing start scripts in usr/sbin
  * Fixed a bug in the dirsrv.init script
  * Switch to dpkg-source 3.0 (quilt) format
  * Bump policy to 3.8.4

 -- Michele Baldessari  Sun, 23 May 2010 12:31:24 +0200

389-directory-server (1.2.1-0) unstable; urgency=low

  * Rename of source package (note, since this is still staging work no
    replace or upgrade is in place)
  * Update watch file
  * New Upstream

 -- Michele Baldessari  Fri, 12 Jun 2009 22:08:42 +0200

fedora-directory-server (1.2.0-1) unstable; urgency=low

  * New upstream release
  * Add missing libkrb5-dev dependency
  * Fix section of -dbg packages
  * Fix all "dpatch-missing-description" lintian warnings

 -- Michele Baldessari  Wed, 22 Apr 2009 23:36:22 +0200

fedora-directory-server (1.1.3-1) unstable; urgency=low

  * New upstream
  * Added watch file
  * Make setup-ds use dirsrv:dirsrv user/group as defaults
  * Added VCS-* fields
  * --enable-autobind
  * Add ldap/servers/plugins/replication/winsync-plugin.h to libdirsrv-dev

 -- Michele Baldessari  Mon, 24 Nov 2008 22:42:26 +0100

fedora-directory-server (1.1.2-2) unstable; urgency=low

  * Fixed build+configure twice issue
  * Added Conflicts: slapd (thanks Alessandro)

 -- Michele Baldessari  Tue, 23 Sep 2008 21:12:44 +0200

fedora-directory-server (1.1.2-1) unstable; urgency=low

  * New upstream
  * Removed /usr/sbin PATH from postinst script

 -- Michele Baldessari  Sat, 20 Sep 2008 20:10:52 +0000

fedora-directory-server (1.1.1-0) unstable; urgency=low

  * New upstream
  * Don't apply patch for 439829, fixed upstream
  * Bump to policy 3.8.0
  * Added README.source

 -- Michele Baldessari  Fri, 22 Aug 2008 00:09:40 +0200

fedora-directory-server (1.1.0-4) unstable; urgency=low

  * dirsrv should depend on libmozilla-ldap-perl (thanks Mathias Kaufmann)

 -- Michele Baldessari  Sun, 20 Jul 2008 18:41:58 +0200

fedora-directory-server (1.1.0-3) unstable; urgency=low

  * Fix up some descriptions

 -- Michele Baldessari  Sun, 25 May 2008 21:36:32 +0200

fedora-directory-server (1.1.0-2) unstable; urgency=low

  * Silenced init warning messages when chowning pid directory

 -- Michele Baldessari  Wed, 21 May 2008 23:08:32 +0200

fedora-directory-server (1.1.0-1) unstable; urgency=low

  * Removed template lintian warning
  * Cleaned up manpages

 -- Michele Baldessari  Sun, 18 May 2008 13:39:58 +0200

fedora-directory-server (1.1.0-0) unstable; urgency=low

  * Initial release (Closes: #497098).
  * Fixed postinst after renaming setup-ds.pl to setup-ds
  * Applied patch from https://bugzilla.redhat.com/show_bug.cgi?id=439829
    to fix segfault against late NSS versions
  * Switched to parseable copyright format
  * Source package is lintian clean now
  * Added initial manpage patch
  * Switched to dh_install

 -- Michele Baldessari  Thu, 27 Mar 2008 23:56:17 +0200