Bug 1147982 - Rebase openldap to 2.4.40
Summary: Rebase openldap to 2.4.40
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Matus Honek
QA Contact: Patrik Kis
Docs Contact: Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks: 1110700 1147983 1191021 1205796 1250949
Reported: 2014-09-30 13:11 UTC by Jan Synacek
Modified: 2015-11-19 08:52 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
*openldap* rebase to version 2.4.40 The _openldap_ packages have been upgraded to upstream version 2.4.40, which provides a number of bug fixes and one enhancement over the previous version. Notably, the ORDERING matching rules have been added to the *ppolicy* attribute type descriptions. Among the fixed bugs are: The server no longer terminates unexpectedly when processing SRV records, and missing *objectClass* information has been added, which enables the user to modify the front-end configuration by standard means.
Clone Of:
: 1147983
Environment:
Last Closed: 2015-11-19 08:52:23 UTC
Target Upstream Version:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHSA-2015:2131
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: openldap security, bug fix, and enhancement update
Last Updated: 2015-11-19 09:10:21 UTC

Description Jan Synacek 2014-09-30 13:11:27 UTC
Description of problem:

OpenLDAP 2.4.40 Release (2014/09/20)
	Fixed libldap DNS SRV priority handling (ITS#7027)
	Fixed libldap don't leak libldap err codes (ITS#7676)
	Fixed libldap CR/LF handling (ITS#4635)
	Fixed libldap ldif-wrap length (ITS#7871)
	Fixed libldap GnuTLS ciphersuite parsing (ITS#7500)
	Fixed libldap GnuTLS with newer versions (ITS#7430,ITS#6359)
	Fixed libldif to correctly handle 4096 character lines (ITS#7859)
	Fixed librewrite reference counting (ITS#7723)
	Fixed slapacl with back-mdb reader transactions (ITS#7920)
	Fixed slapd syncrepl to send cookie on fallback (ITS#7849)
	Fixed slapd syncrepl SEGV when abandoning a connection (ITS#7928)
	Fixed slapd slapcat with external schema (ITS#7895)
	Fixed slapd schema RDN normalization (ITS#7935)
	Fixed slapd with repeated language tags (ITS#7941)
	Fixed slapd modrdn crash on naming attr with no matching rule (ITS#7850)
	Fixed slapd memory leak in control handling (ITS#7942)
	Fixed slapd-ldap removed dead code (ITS#7922)
	Fixed slapd-mdb to work concurrently with slapadd (ITS#7798)
	Fixed slapd-mdb with paged results (ITS#7705, ITS#7800)
	Fixed slapd-mdb slapcat with nonexistent indices (ITS#7870)
	Fixed slapd-mdb long lived reader transactions (ITS#7904)
	Fixed slapd-mdb memory leak on matchedDN (ITS#7872)
	Fixed slapd-mdb sorting of attribute values (ITS#7902)
	Fixed slapd-mdb to flag attribute values as sorted (ITS#7903)
	Fixed slapd-mdb index config handling (ITS#7912)
	Fixed slapd-mdb entry release handling (ITS#7915)
	Fixed slapd-mdb with aliases and referrals (ITS#7927)
	Fixed slapd-mdb alias dereferencing (ITS#7702)
	Fixed slapd-sock socket flushing (ITS#7937)
	Fixed slapo-accesslog attribute normalization (ITS#7934)
	Fixed slapo-accesslog internal search logging (ITS#7929)
	Fixed slapo-auditlog connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-chain interaction with slapo-rwm (ITS#7930)
	Fixed slapo-constraint connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-dds connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-dyngroup connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-memberof attr count (ITS#7893)
	Fixed slapo-memberof frontendDB handling (ITS#7249)
	Fixed slapo-memberof internal search logging (ITS#7929)
	Fixed slapo-pcache config processing (ITS#7919)
	Fixed slapo-pcache connection destroy logic (ITS#7906,ITS#7923)
	Added slapo-ppolicy ORDERING rules (ITS#7838)
	Fixed slapo-ppolicy timestamp resolution to use microseconds (ITS#7161)
	Fixed slapo-ppolicy connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-refint to check for pauses in cn=config (ITS#7873)
	Fixed slapo-refint internal search logging (ITS#7929)
	Fixed slapo-refint connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-seqmod connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-slapover connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapo-sock db_init (ITS#7868)
	Fixed slapo-sssvlv fix olcSssVlvMaxPerConn (ITS#7908)
	Fixed slapo-translucent double free (ITS#7587)
	Fixed slapo-translucent to work with manageDSAit (ITS#7864)
	Fixed slapo-translucent to use local backend with local entries (ITS#7915)
	Fixed slapo-unique connection destroy logic (ITS#7906,ITS#7923)
	Fixed slapcacl with invalid suffix (ITS#7827)
	Build Environment
		Remove support for gcrypt (ITS#7877)
		BDB 6.0.20 and later is not supported (ITS#7890)
		Fixed ODBC link check (ITS#7891)
		Fixed slapd.ldif frontend config (ITS#7933)
	Contrib
		Added pbkdf2 module (ITS#7742)
		Fixed autogroup double free (ITS#7831)
		Fixed autogroup modification callback responses (ITS#6970)
		Fixed ldapc++ memory leak in Async connection (ITS#7806)
		Fixed nssov install path (ITS#7858)
		Fixed passwd rpath (ITS#7885)
		Fixed apr1 do_phk_hash argument order (ITS#7869)
		Fixed slapd-sha2 buffer overrun (ITS#7851)
	Documentation
		Fixed slapd.ldif man page reference (ITS#7803)
		Fixed slapd.conf(5) man page to reference exattrs (ITS#7847)
		Fixed guide to work with mkrelease (ITS#7887)
		Fixed ldap_get_dn(3) ldap_ava definition (ITS#7860)

Comment 7 Louis Abel 2015-06-29 01:14:06 UTC
Can we consider going to 2.4.41 instead? Or at least patching the mdb portion of 2.4.40 while rebasing? The change logs below explain why.

mdb change log:
LMDB 0.9.15 Release (2015/06/19)
	Fix txn init (ITS#7961,#7987)
	Fix MDB_PREV_DUP (ITS#7955,#7671)
	Fix compact of empty env (ITS#7956)
	Fix mdb_copy file mode
	Fix mdb_env_close() after failed mdb_env_open()
	Fix mdb_rebalance collapsing root (ITS#8062)
	Fix mdb_load with large values (ITS#8066)
	Fix to retry writes on EINTR (ITS#8106)
	Fix mdb_cursor_del on empty DB (ITS#8109)
	Fix MDB_INTEGERDUP key compare (ITS#8117)
	Fix error handling (ITS#7959,#8157,etc.)
	Fix race conditions (ITS#7969,7970)
	Added workaround for fdatasync bug in ext3fs
	Build
		Don't use -fPIC for static lib
		Update .gitignore (ITS#7952,#7953)
		Cleanup for "make test" (ITS#7841), "make clean", mtest*.c
		Misc. Android/Windows cleanup
	Documentation
		Fix MDB_APPEND doc
		Fix MDB_MAXKEYSIZE doc (ITS#8156)
		Fix mdb_cursor_put,mdb_cursor_del EACCES description
		Fix mdb_env_sync(MDB_RDONLY env) doc (ITS#8021)
		Clarify MDB_WRITEMAP doc (ITS#8021)
		Clarify mdb_env_open doc
		Clarify mdb_dbi_open doc

OpenLDAP change log: 
OpenLDAP 2.4.41 Release (2015/06/21)
	Fixed ldapsearch to explicitly flush its buffer (ITS#8118)
	Fixed libldap async connections (ITS#8090)
	Fixed libldap double free of request during abandon (ITS#7967)
	Fixed libldap error string for LDAP_X_CONNECTING (ITS#8093)
	Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
	Fixed libldap ldif-wrap off by one error (ITS#8003)
	Fixed libldap handling of TLS in async mode (ITS#8022)
	Fixed libldap null pointer dereference (ITS#8028)
	Fixed libldap mutex handling with LDAP_OPT_SESSION_REFCNT (ITS#8050)
	Fixed slapd slapadd config db import of minimal frontend entry (ITS#8150)
	Fixed slapd slapadd onetime leak with -w (ITS#8014)
	Fixed slapd sasl auxprop crash with invalid config (ITS#8092)
	Fixed slapd syncrepl delta-mmr issue with overlays and slapd.conf (ITS#7976)
	Fixed slapd syncrepl mutex for cookie state (ITS#7968)
	Fixed slapd syncrepl memory leaks (ITS#8035)
	Fixed slapd syncrepl to free presentlist at end of refresh mode (ITS#8038)
	Fixed slapd syncrepl to streamline presentlist (ITS#8042)
	Fixed slapd syncrepl concurrency when CHECK_CSN is enabled (ITS#8120)
	Fixed slapd rootdn checks for hidden backends (ITS#8108)
	Fixed slapd segfault when using matched values control (ITS#8046)
	Fixed slapd-ldap reconnection behavior on remote failure (ITS#8142)
	Fixed slapd-mdb minor case typo (ITS#8049)
	Fixed slapd-mdb one-level search (ITS#7975)
	Fixed slapd-mdb heap corruption (ITS#7965)
	Fixed slapd-mdb crash after deleting in-use schema (ITS#7995)
	Fixed slapd-mdb minor code cleanup (ITS#8011)
	Fixed slapd-mdb to return errors when using incorrect env flags (ITS#8016)
	Fixed slapd-mdb to correctly update search candidates (ITS#8036, ITS#7904)
	Fixed slapd-mdb when there were more than 65535 aliases in scope (ITS#8103)
	Fixed slapd-mdb alias deref when objectClass is not indexed (ITS#8146)
	Fixed slapd-meta TLS initialization with ldaps URIs (ITS#8022)
	Fixed slapd-meta to have better error logging (ITS#8131)
	Fixed slapd-perl conversion to cn=config (ITS#8105)
	Fixed slapd-sql autocommit config variable (ITS#8129,ITS#6613)
	Fixed slapo-collect segfault (ITS#7797)
	Fixed slapo-constraint with 0 count constraint (ITS#7780,ITS#7781)
	Fixed slapo-deref with empty attribute list (ITS#8027)
	Fixed slapo-memberof to correctly reject invalid members (ITS#8107)
	Fixed slapo-sock result parser for CONTINUE (ITS#8048)
	Fixed slapo-syncprov synprov_matchops usage of test_filter (ITS#8013)
	Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
	Fixed slapo-syncprov memory leak (ITS#8039)
	Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)
	Fixed slapo-syncprov deadlock when autogroup is in use (ITS#8063)
	Fixed slapo-syncprov potential loss of changes when under load (ITS#8081)
	Fixed slapo-unique enforcement of uniqueness with manageDSAit control (ITS#8057)

Comment 9 Matus Honek 2015-06-30 15:16:34 UTC
I would be in favour of rebasing to 2.4.41. Unfortunately, Development Freeze for RHEL-7.2 is in a week and OpenLDAP 2.4.41 has still not been released officially (even though the upstream git branch is already tagged so). Therefore, I do not find it realistic to be included in the next release.

Should you find some particular patch needed to be included, please pose a reasoning and I will try to include it in the next release.

Comment 10 Louis Abel 2015-06-30 18:34:58 UTC
I understand the reasoning for holding off (freezes, etc). But it just seems to me that the fixes alone in both the slapo-mdb AND OpenLDAP itself would warrant the rebase to .41. The slapo-syncprov and slapo-mdb show significant fixes in the next release.

But because of your points (freeze/41 release), it may need to be considered later after the freeze, however it works on your side.

Comment 14 Louis Abel 2015-08-27 01:40:40 UTC
I noticed 2.4.40 is around for EL6. It has not arrived for EL7 (as this bug is listed for RHEL 7). Is there a reason for this? 1147983 shows closed for EL6.

Comment 15 Patrik Kis 2015-08-27 08:12:31 UTC
(In reply to Louis Abel from comment #14)
> I noticed 2.4.40 is around for EL6. It has not arrived for EL7 (as this bug
> is listed for RHEL 7). Is there a reason for this? 1147983 shows closed for
> EL6.

openldap-2.4.40 is still in testing; it will be released in the next RHEL-7 update.

Comment 17 errata-xmlrpc 2015-11-19 08:52:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2131.html