[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 17 commits: Issue 50486 - Update jemalloc to 5.2.0

Timo Aaltonen gitlab at salsa.debian.org
Wed Sep 11 15:02:33 BST 2019

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base

22d97542 by Mark Reynolds at 2019-07-09T17:17:32Z
Issue 50486 - Update jemalloc to 5.2.0

Description:  Update jemalloc from 5.1.0 to 5.2.0


Refers: https://pagure.io/389-ds-base/issue/50486

Reviewed by: mhonek(Thanks!)

- - - - -
7f58c064 by William Brown at 2019-07-11T00:41:59Z
Ticket 50484 - Add a release build dockerfile and dscontainer improvements

Bug Description: In testing a production deployment of 389-ds-base
from the source tree, a new dockerfile was added to handle the release
build and proper image cleanups. Additionally, some issues with sigchld
handling were noted.

Fix Description:
* Add a .release dockerfile for the suse base image which cleans up
  after itself correctly.
* Catch extra arguments to the sigchld handler
* Create directories in /data with more open permissions to account for
  id changes.


Author: William Brown <william at blackhats.net.au>

Review by: mhonek (Thank you!)

- - - - -
d6226865 by William Brown at 2019-07-12T01:09:19Z
Ticket 50459 - c_mutex to use pthread_mutex to allow ns sharing

Bug Description: To allow nunc-stans to share the same lock as c_mutex
we need to change conn to use a pthread_mutex instead.

Fix Description: Change c_mutex to pthread


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz, mreynolds (Thank you!)

- - - - -
20e0d266 by Simon Pichugin at 2019-07-15T22:45:16Z
Issue 50499 - Fix audit issues and remove jquery from the whitelist

Description: 50 high vulnerabilities were found during audit. Fix them.
It updates Patternfly to version 3.59.3.
Package jquery is no longer an issue, remove it from the whitelist.


Reviewed by: mreynolds (Thanks!)

- - - - -
d5b23dcb by William Brown at 2019-07-15T23:06:59Z
Ticket 50459 - Correct issue with allocation state

Bug Description: While adding the connection state, due to
a misunderstanding on my part, it was possible that a connection
was more likely to fail to allocate causing the server to exit(1)

Fix Description: Fix the state handler to correctly account for
connection structure reuse.


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz (Thanks!)

- - - - -
9529cfc0 by William Brown at 2019-07-15T23:08:45Z
Ticket 50493 - connection_is_free to trylock

Bug Description: Due to the nature of the connection table
being single threaded, in connection_is_free, we would iterate
over the CT attempting to lock and check connection free states.
However, because this required the lock, if the connection was
currently in io, or other operations, the ct would delay behind
the c_mutex until it was released, then we would check the free

Fix Description: Change the connection_is_free to use trylock
instead of lock - this means if the connection is locked it's
probably in use and we can skip over it directly. We also change the
fn to iterate over the ct twice to check for possible connections
in case something frees up.


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz (Thanks!)

- - - - -
3aa14161 by Emanuel Rietveld at 2019-07-15T23:43:03Z
Ticket 49421 - on bind password upgrade proof of concept

Bug Description: Improve security of accounts by upgrading their password
hashes on login when we have the plaintext password available.

Fix Description: Implement the upgrade on bind function and provide
it to bind.c


Author: Emanuel Rietveld <erietveld at dearnova.nl>

Review by: William Brown

- - - - -
b84669f8 by William Brown at 2019-07-15T23:43:17Z
Ticket 49421 - Implement password hash upgrade on bind.

Bug Description: As time goes on, password hash mechanisms
change and need to become more resistant to brute force and
other attacks. However, long-lived and service passwords do
not change frequently - and in fact, frequent password changes
are a security anti-pattern which is now discouraged.

As a result, it's important to be able to improve the
cryptographic strength and resistance of our passwords for
users as time goes on.

Fix Description: We can implement this because during a bind
operation we have a short amount of access to the plaintext
password - we then use that to upgrade the content of the
hash. This builds on Emanuel's proof of concept to improve the
testing of the feature, as well as to avoid updating clear/crypt
due to potential application integrations.


Author: Emanuel Rietveld <https://pagure.io/user/codehotter>
        William Brown <william at blackhats.net.au>

Review by: mreynolds, mhonek (Thanks!)
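
The upgrade-on-bind flow described in this commit message, as an added Python sketch (not code from 389-ds-base or from the commit authors): verify against the stored hash first, then re-hash with the stronger scheme while the plaintext is in hand, leaving clear/crypt values alone. The function names, the `{PBKDF2-SHA256}` value encoding and the iteration count are assumptions made for this example and do not reproduce the server's storage format.

```python
import base64, hashlib, hmac, os

TARGET = "PBKDF2-SHA256"         # assumed preferred scheme for this sketch
ITERATIONS = 100_000             # assumed work factor
NO_UPGRADE = {"CLEAR", "CRYPT"}  # left untouched, as the commit message says

def split_scheme(stored):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value without a prefix counts as CLEAR."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return "CLEAR", stored

def hash_ssha(password, salt=None):
    """Legacy salted SHA-1: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def hash_pbkdf2(password, salt=None, iterations=ITERATIONS):
    """Constructed encoding for this example: {scheme}iterations$salt$key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return "{%s}%d$%s$%s" % (TARGET, iterations, b64(salt), b64(dk))

def verify(password, stored):
    scheme, body = split_scheme(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if scheme == TARGET:
        iters, salt_b64, dk_b64 = body.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    if scheme == "CLEAR":
        return hmac.compare_digest(password.encode(), body.encode())
    return False  # CRYPT and unknown schemes are not verified in this sketch

def bind(entry, password):
    """Simple bind: verify, then upgrade the stored hash if its scheme is older."""
    stored = entry["userPassword"]
    if not verify(password, stored):
        return False                            # never rewrite on a failed bind
    scheme, _ = split_scheme(stored)
    if scheme != TARGET and scheme not in NO_UPGRADE:
        entry["userPassword"] = hash_pbkdf2(password)  # plaintext is only available here
    return True
```
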

- - - - -
104be995 by Thierry Bordaz at 2019-07-16T13:33:13Z
Ticket 49789 - By default, do not manage unhashed password

Bug Description:
    By default, unhashed#user#password is recorded into changelog database.
    It is a specific use when some plugin needs to know the clear text password on update.
    This should be disabled ('off') by default

Fix Description:
    Switch the default value from 'on' to 'off'


Reviewed by: Viktor Ashirov, Simon Pichugin, Mark Reynolds

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
a77abdbc by Mark Reynolds at 2019-07-16T15:40:46Z
Issue 50325 - Add Security tab to UI

Description:  This updates the CLI and UI to handle a majority of
              the security configuration.  It also adds support
              for PF dual list selection even though I ended up
              not using it.

Relates: https://pagure.io/389-ds-base/issue/50325

Reviewed by: spichugi, and mhonek (Thanks!!)

Fixed Simon's issues

Fix issue with listing certs with spaces in the name

Fix npm vulnerabilities

Fix selinux port labeling, and add 'saving' spinners

Use a regex for parsing certutil output

- - - - -
7466be33 by Mark Reynolds at 2019-07-16T19:22:39Z
Issue 50425 - Add jemalloc LD_PRELOAD to systemd drop-in file

Description: Add the jemalloc back to the systemd dropin file which
             was accidentally removed from a previous change regarding

Relates: https://pagure.io/389-ds-base/issue/50425

Reviewed by: mhonek(Thanks!)

- - - - -
76c0e75a by Matus Honek at 2019-07-17T13:02:32Z
Issue 50425 - Add jemalloc LD_PRELOAD to systemd drop-in file

The previous fix (7466be3) for jemalloc inclusion stopped installing
template-initconfig rendering ds-setup.pl unusable.

This fix moves the template-initconfig into -legacy-tools
to make it available only when necessary.

Relates: https://pagure.io/389-ds-base/issue/50425

Reviewed by: Viktor, Ludwig, Thierry, Mark (thanks!)

- - - - -
c482e15a by Ludwig Krispenz at 2019-07-18T14:41:08Z
correction to fix for #50417

Bug: The patch for 50417 did break start-dirsrv and stop-dirsrv.
	Some paths were not correctly set

Fix: use path variable like in other legacy scripts, eg @sbindir@

Reviewed by: Mark, thanks

- - - - -
ea390f53 by Anuj Borah at 2019-07-18T15:21:55Z
Issue: 48851 - investigate and port TET matching rules filter tests(Final)

Bug Description: Investigate and port TET matching rules filter tests(Final)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
04208edb by Simon Pichugin at 2019-07-19T09:28:05Z
Issue 50497 - Port cl-dump.pl tool to Python using lib389

Bug Description: We're going to deprecate all Perl scripts in 389-ds
so cl-dump.pl should be ported as soon as possible.

Fix Description: Put the tool to dsconf replication dump-changelog.
Preserve all the functionality and output format.
Deprecate ChangelogLegacy object.
Move Changelog5 object to replica.py so we can avoid import loops.
Also it makes more sense to have it there because it is part of Replication.
Add ChangelogLDIF object.
Add process_and_dump_changelog() method to Replicas object.


Reviewed by: mreynolds, mhonek, wibrown (Thanks!)

- - - - -
57b990de by Mark Reynolds at 2019-07-19T14:26:01Z
Issue 50355 - SSL version min and max not correctly applied

Bug Description:  Setting the sslVersionMin or SSLVersionMax was not
                  correctly applied and the NSS default min and max
                  became the valid range.

Fix Description:  Do not attempt to reset the requested range based off
                  of hardcoded limits.  Also removed obsolete SSL3 code,
                  and fixed a minor memory leak in main.c found during
                  ASAN testing.

Relates: https://pagure.io/389-ds-base/issue/50355

ASAN approved

Reviewed by: tbordaz(Thanks!)

- - - - -
5ac5a8aa by Mark Reynolds at 2019-07-19T14:44:46Z
Bump version to

- - - - -

30 changed files:

- Makefile.am
- + dirsrvtests/tests/suites/filter/filter_with_non_root_user_test.py
- + dirsrvtests/tests/suites/password/pwd_upgrade_on_bind.py
- dirsrvtests/tests/suites/password/regression_test.py
- dirsrvtests/tests/suites/replication/changelog_trimming_test.py
- dirsrvtests/tests/suites/replication/regression_test.py
- + dirsrvtests/tests/suites/tls/ssl_version_test.py
- docker/389-ds-suse/Dockerfile
- + docker/389-ds-suse/Dockerfile.release
- ldap/admin/src/scripts/start-dirsrv.in
- ldap/admin/src/scripts/stop-dirsrv.in
- ldap/servers/slapd/abandon.c
- ldap/servers/slapd/bind.c
- ldap/servers/slapd/connection.c
- ldap/servers/slapd/conntable.c
- ldap/servers/slapd/daemon.c
- ldap/servers/slapd/extendop.c
- ldap/servers/slapd/libglobs.c
- ldap/servers/slapd/main.c
- ldap/servers/slapd/operation.c
- ldap/servers/slapd/opshared.c
- ldap/servers/slapd/pagedresults.c
- ldap/servers/slapd/pblock.c
- ldap/servers/slapd/proto-slap.h
- ldap/servers/slapd/psearch.c
- ldap/servers/slapd/pw.c
- ldap/servers/slapd/saslbind.c
- ldap/servers/slapd/slap.h
- ldap/servers/slapd/slapi-plugin.h

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/compare/7483341432b1a7c3d8448ff3b3e01b09d0540bc7...5ac5a8aadd42551ea0389907fd286b7d60157685
