FFe: update to 2.4.53, fixing crash bugs

Bug #1894838 reported by Andreas Hasenack
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
openldap (Ubuntu) | Fix Released | High | Andreas Hasenack |

Bug Description

Groovy has openldap 2.4.51

Upstream made two quick new releases after that: 2.4.52 and 2.4.53. A crash was reported in the mailing list:

https://<email address hidden>/thread/NKOM6DI7RQY6FDLRZGSGYJSGONKIRFEP/

"""
This segfault is due to a problem with the fix for ITS#9282 that went into
the OpenLDAP 2.4.51 and OpenLDAP 2.4.52 releases. This is fixed in the
2.4.53 release (released today).
"""

Almost all changes in 2.4.52 and 2.4.53 are bug fixes, but a few feature changes/additions slipped through, hence this FFe:

OpenLDAP 2.4.53 (2020/09/07)
    Added slapd syncrepl additional SYNC logging (ITS#9043)
    Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
    Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
    Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
    Build
        Require OpenSSL 1.0.2 or later (ITS#9323)
        Fixed libldap compilation issue with broken C compilers (ITS#9332)

OpenLDAP 2.4.52 (2020/08/28)
    Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
    Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
    Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
    Fixed librewrite malloc/free corruption (ITS#9249)
    Fixed libldap hang when using UDP and server down (ITS#9328)
    Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
    Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
    Fixed slapd-mdb index error with collapsed range (ITS#9135)

I grouped the changes with links to the bug reports:
Replication fixes:
Fixed slapd syncrepl segfault on NULL cookie on REFRESH (https://bugs.openldap.org/show_bug.cgi?id=9282)
Fixed slapd syncrepl to use fresh connection on REFRESH fallback (https://bugs.openldap.org/show_bug.cgi?id=9338)
Fixed slapd syncrepl rare deadlock due to network issues (https://bugs.openldap.org/show_bug.cgi?id=9324)
Fixed slapd syncrepl regression that could trigger an assert (https://bugs.openldap.org/show_bug.cgi?id=9329)

Features and other non-fix changes:
Added slapd syncrepl additional SYNC logging (https://bugs.openldap.org/show_bug.cgi?id=9043)
Require OpenSSL 1.0.2 or later (https://bugs.openldap.org/show_bug.cgi?id=9323)
Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (https://bugs.openldap.org/show_bug.cgi?id=9318)
Added libldap OpenSSL support for multiple EECDH curves (https://bugs.openldap.org/show_bug.cgi?id=9054)
Added slapd OpenSSL support for multiple EECDH curves (https://bugs.openldap.org/show_bug.cgi?id=9054)

Other fixes:
Fixed slapo-ppolicy race condition for pwdFailureTime (https://bugs.openldap.org/show_bug.cgi?id=9302,https://bugs.openldap.org/show_bug.cgi?id=9334)
Fixed libldap compilation issue with broken C compilers (https://bugs.openldap.org/show_bug.cgi?id=9332)
Fixed librewrite malloc/free corruption (https://bugs.openldap.org/show_bug.cgi?id=9249)
Fixed libldap hang when using UDP and server down (https://bugs.openldap.org/show_bug.cgi?id=9328)
Fixed slapd-mdb index error with collapsed range (https://bugs.openldap.org/show_bug.cgi?id=9135)

PPA with a groovy proposed and all arches test build (still ongoing as I write this): https://launchpad.net/~ahasenack/+archive/ubuntu/openldap-2453/+packages

I believe a backport of that many fixes is riskier than an update to the new upstream version at this point.

Andreas Hasenack (ahasenack) wrote :

The sssd DEP8 tests, which exercise the ldap server a bit, passed locally:

...
autopkgtest [09:48:35]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS

Andreas Hasenack (ahasenack) wrote :

Switched bug to "New" so it can be considered by the release team.

Changed in openldap (Ubuntu):
status: In Progress → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status: New → Confirmed
Iain Lane (laney) wrote :

Agreed that taking the unit which upstream has validated is more sensible than backporting. Thanks for the detailed report. I think the only thing which I would like to see in future is you saying that (and how) you've tested it manually and spotted no regressions.

But go ahead this time.

Andreas Hasenack (ahasenack) wrote :

Thanks for the review laney

I did run the sssd dep8 tests, which exercise openldap, but not a replication.

So I followed the server guide on setting up replication with TLS (https://ubuntu.com/server/docs/service-ldap-replication and https://ubuntu.com/server/docs/service-ldap-with-tls) and confirmed replication was working. I added data to the provider, and it immediately appeared on the consumer. Of course, this is a basic test, and didn't even show the original bug in the current groovy packages, nor when I updated to 2.4.53 from my ppa, but at least it's not a brown paper bag release.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.53+dfsg-1ubuntu1

---------------
openldap (2.4.53+dfsg-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable (LP: #1894838). Remaining changes:
    - Enable AppArmor support:
      + d/apparmor-profile: add AppArmor profile
      + d/rules: use dh_apparmor
      + d/control: Build-Depends on dh-apparmor
      + d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      + d/configure.options: Configure with --with-gssapi
      + d/control: Added heimdal-dev as a build depend
      + d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
      This should be dropped when the soname changes.
    - Enable ufw support:
      + d/control: suggest ufw.
      + d/rules: install ufw profile.
      + d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      + d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      + d/slapd.install: install nssov overlay
      + d/slapd.manpages: install slapo-nssov(5) man page
      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
        Debian bug #919136, we also have to patch the nssov makefile
        accordingly and thus update this patch.
    - d/{rules,slapd.py}: Add apport hook.
    - Add support for CLDAP (UDP) support, back then required by
      likewise-open (first enabled in 2.4.17-1ubuntu2):
      + d/rules: Enable -DLDAP_CONNECTIONLESS
      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
      This should be dropped when the soname changes.
    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
      of test timing issue.
    - d/rules: better regexp to match the Maintainer tag in d/control,
      needed in the Ubuntu case because of XSBC-Original-Maintainer
      (Closes #960448, LP #1875697)

openldap (2.4.53+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Andreas Hasenack <email address hidden> Tue, 08 Sep 2020 09:36:58 -0300

Changed in openldap (Ubuntu):
status: Confirmed → Fix Released