Security fixes:
CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases
CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection
Full changelog:
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[Peter: fix sha256 hash line]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Openldap builds fine with current libressl 2.7.2.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
http://autobuild.buildroot.net/results/ffc/ffc9c10c55c2838ab7002c5ec35244e9bfe46189/
Commit dfa1817d31 (openldap: supports only the real OpenSSL, not LibreSSL)
tried to ensure openldap would only use openssl, but changed the wrong
variable. OPENLDAP_TLS is passed to configure, so it shouldn't be changed:
./configure --target=aarch64-buildroot-linux-gnu .. --with-tls=libopenssl ..
Configuring OpenLDAP 2.4.45-Release ...
checking build system type... x86_64-pc-linux-gnu
checking host system type... aarch64-buildroot-linux-gnu
checking target system type... aarch64-buildroot-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for aarch64-buildroot-linux-gnu-strip... /usr/lfs/v0/rc-buildroot-test/scripts/instance-0/output/host/bin/aarch64-linux-gnu-strip
checking configure arguments... configure: error: bad value libopenssl for --with-tls
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openldap will not build with LibreSSL without patches, so let's
support only OpenSSL.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Bump version to 2.4.43
- Use md5 and sha1 upstream provided hashes. This combination is
stronger than a sha256 hash.
- Switch to an http download site to avoid problems with firewalls
blocking the ftp.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It is often difficult to know exactly when make will expand the
variable, and usually it can only be expanded after the dependencies
have been built (e.g. pkg-config or the .pc file). Using a backtick
instead makes it very clear that it will be expanded only while
executing the command.
This change is useful for two cases:
1. The per-package staging (and host) directory will be created as part
of the configure step, so any $(shell ...) variable that is used in
the configure step will fail because the directory doesn't exist
yet.
2. 'make printvars' evaluates the variables it prints. It will therefore
trigger a lot of errors from missing .pc files and others. The
backticks, on the other hand, are not expanded, so with this change
the output of 'make printvars' becomes clean again.
This commit contains only the easy changes: replace $(shell ...) with
`...`, and also replace ' with " where needed. Follow-up commits will
tackle the more complicated cases that need additional explanation.
After this change, the following instances of $(shell ...) will remain:
- All assignments that use :=
- All variables that are used in make conditionals (which don't expand
the backticks).
- All variables that only refer to system executables and make
variables that don't change.
- The calls to check-host-* in dependencies.mk, because it is eval'ed.
[Original patch by Fabio Porcedda, but extended quite a bit by Arnout.]
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Some OpenLDAP deployment only need the client libraries and not the client
tools, so make the tool installation optional.
[Thomas: implement the for loop in make rather than in shell.]
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: David Bender <codehero@gmail.com>
[yann.morin.1998@free.fr:
- remove ldaps config option, use build-time dependencies
- add dependencies against openssl/gnutls/libnss as appropriate
- fix mis-detected tls support when openssl is enabled
- fix strip at install time
- cleanup configure arguments
- add hash file
- fix help entry
]
[Peter: needs wchar]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
