[Pkg-openldap-devel] Bug#863569: (pre-approval) unblock: openldap/2.4.44+dfsg-5

Ryan Tandy ryan at nardis.ca
Sun May 28 18:24:00 UTC 2017


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Dear release team,

I would like to upload a late-breaking security fix to openldap:

  * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
    in the MDB backend on a search including the Paged Results control with a
    page size of 0. (ITS#8655) (Closes: #863563)

A Debian user reported this crash bug in slapd. The default Debian 
configuration uses the MDB backend and allows unauthenticated users to 
search the directory; therefore for us this qualifies as a remote DoS.

With your permission, I'd like to include one additional fix:

  * ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an intermittently
    failing test by waiting for slapd to start before running tests.
    (ITS#8644) (Closes: #770890)

This issue caused some havoc in the last upload; you may remember that 
we ended up re-bootstrapping on ppc64el and binNMUing everywhere. The 
root cause was actually the tight dependency between libldap-2.4-2 and 
libldap-common, but I think revisiting that should wait for buster. For 
now, including this patch will improve the reliability of maintenance 
uploads during stretch's lifetime.

Both patches have already been reviewed upstream and will be included in 
the upcoming 2.4.45 release.

Thanks again for all your work on making stretch great,

Ryan

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openldap_2.4.44+dfsg-5.debdiff
Type: text/x-diff
Size: 4434 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20170528/170965ab/attachment-0001.diff>

