[Pkg-openldap-devel] Bug#901192: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u2

Ryan Tandy ryan at nardis.ca
Sun Jun 10 02:01:45 BST 2018


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Dear SRM,

Please consider this openldap update for stretch. I apologize for the 
late request and will understand if it doesn't make it.

Both fixes have already had some time in testing and stretch-backports.

  * Import upstream patch to fix an out-of-sync issue with delta-syncrepl
    replication in multi-master environments, resulting from changes losing
    tracking information and being applied multiple times.
    (ITS#84444) (Closes: #877166)

This issue impacts replication when the memberof overlay is used in a 
multi-master setup. Sven Mäder (in X-D-CC) has tested the proposed 
package on a stretch system and verified the fix.

  * Really fix upgrades when the config contains backslash-escaped special
    characters. The previous fix was incomplete and didn't fully fix upgrades
    involving a database reload. (Closes: #864719)

The first part of this, fixing simple upgrades that don't require a 
database reload, is already in stretch (as +deb9u1). This additional 
patch deals with code that is not executed in a typical upgrade but 
might be triggered based on the old version or the debconf settings.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
diff -Nru openldap-2.4.44+dfsg/debian/changelog openldap-2.4.44+dfsg/debian/changelog
--- openldap-2.4.44+dfsg/debian/changelog	2017-08-10 12:12:46.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/changelog	2018-05-22 21:25:19.000000000 -0700
@@ -1,3 +1,15 @@
+openldap (2.4.44+dfsg-5+deb9u2) stretch; urgency=medium
+
+  * Import upstream patch to fix an out-of-sync issue with delta-syncrepl
+    replication in multi-master environments, resulting from changes losing
+    tracking information and being applied multiple times.
+    (ITS#8444) (Closes: #877166)
+  * Really fix upgrades when the config contains backslash-escaped special
+    characters. The previous fix was incomplete and didn't fully fix upgrades
+    involving a database reload. (Closes: #864719)
+
+ -- Ryan Tandy <ryan at nardis.ca>  Tue, 22 May 2018 21:25:19 -0700
+
 openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium
 
   * Relax the dependency of libldap-2.4-2 on libldap-common to also permit 
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch	2018-05-22 21:25:19.000000000 -0700
@@ -0,0 +1,30 @@
+From bb6438fb7ae32a622f456af8c4c9b8d479d5b209 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra at mistotebe.net>
+Date: Fri, 25 Aug 2017 16:25:23 +0100
+Subject: [PATCH] ITS#8444 Do not clear the pending operation when
+ checkpointing
+
+When a checkpoint happens, if we remove the CSN from the pending list,
+accesslog won't pass it onto the accesslog DB. But in a delta-mmr
+scenario, an accesslog entry without a CSN faces a race where it might
+be applied twice - that usually fails and causes a full refresh, other
+times it can cause a silent desync - both are undesirable.
+---
+ servers/slapd/overlays/syncprov.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 3e7667336..4c2d939d4 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -1494,6 +1494,7 @@ syncprov_checkpoint( Operation *op, slap_overinst *on )
+ 	opm.o_bd->bd_info = on->on_info->oi_orig;
+ 	opm.o_managedsait = SLAP_CONTROL_NONCRITICAL;
+ 	opm.o_no_schema_check = 1;
++	opm.o_opid = -1;
+ 	opm.o_bd->be_modify( &opm, &rsm );
+ 
+ 	if ( rsm.sr_err == LDAP_NO_SUCH_OBJECT &&
+-- 
+2.11.0
+
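
Review bot: the added line opm.o_opid = -1; in syncprov_checkpoint() has no comment, and nothing in the hunk shows why -1 keeps the pending CSN from being cleared. The commit message describes the effect but not the mechanism. A one-line comment above the assignment, naming the code path that treats this value specially, would make the fix understandable without reading the rest of syncprov.c.
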
diff -Nru openldap-2.4.44+dfsg/debian/patches/series openldap-2.4.44+dfsg/debian/patches/series
--- openldap-2.4.44+dfsg/debian/patches/series	2017-08-09 22:07:34.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/patches/series	2018-05-22 21:25:19.000000000 -0700
@@ -31,3 +31,4 @@
 ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch
 ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
 ITS-8648-init-SASL-library-in-global-init.patch
+ITS-8444-Do-not-clear-the-pending-operation-when-che.patch
diff -Nru openldap-2.4.44+dfsg/debian/slapd.scripts-common openldap-2.4.44+dfsg/debian/slapd.scripts-common
--- openldap-2.4.44+dfsg/debian/slapd.scripts-common	2017-08-09 22:07:34.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/slapd.scripts-common	2018-05-22 21:25:19.000000000 -0700
@@ -182,11 +182,11 @@
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Dumping to $dir: "
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -n "$dbdir" ]; then
 			file="$dir/$suffix.ldif"
-			echo -n "  - directory $suffix... " >&2
+			printf '  - directory %s... ' "$suffix" >&2
 			# Need to support slapd.d migration from preinst
 			if [ -f "${SLAPD_CONF}" ]; then
 				slapcat_opts="-g -f ${SLAPD_CONF}"
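
Review bot: in "while read -r suffix", -r stops backslash processing but the default IFS still trims leading and trailing whitespace, and the slapd.d branch of get_suffix (cut -d: -f 2 on the olcSuffix lines) appears to rely on that trimming to drop the space after the colon. A short comment saying so would keep a later cleanup from switching to "IFS= read -r" and breaking the slapd.d case. The backtick substitutions left in this loop (dir=, dbdir=) are also inconsistent with the $(...) form used for backupdir further down.
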
@@ -215,7 +215,7 @@
 	echo >&2 "  Loading from $dir: "
 	# restore by increasing suffix length due to possibly glued databases
 	get_suffix | awk '{ print length, $0 }' | sort -n | cut -d ' ' -f 2- \
-	| while read suffix; do
+	| while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -z "$dbdir" ]; then
 			continue
@@ -227,11 +227,11 @@
 		fi
 
 		file="$dir/$suffix.ldif"
-		echo -n "  - directory $suffix... " >&2
+		printf '  - directory %s... ' "$suffix" >&2
 
 		# If there is an old DB_CONFIG file, restore it before
 		# running slapadd
-		backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+		backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
 		if [ -e "$backupdir"/DB_CONFIG ]; then
 			cp -a "$backupdir"/DB_CONFIG "$dbdir"/
 		fi
@@ -267,7 +267,7 @@
 # }}}
 move_incompatible_databases_away() {					# {{{
 	echo >&2 "  Moving old database directories to /var/backups:"
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		move_old_database_away "$dbdir" "$suffix" <&5
 	done) 5<&0 </dev/null
@@ -287,7 +287,7 @@
 get_suffix() {								# {{{
 	if [ -f "${SLAPD_CONF}" ]; then
 		for f in `get_all_slapd_conf_files`; do
-			sed -n -e's/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/p' $f
+			sed -n -e '/^suffix[[:space:]]/ { s/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/; s/\\\\/\\/g; p }' $f
 		done
 	else
 		grep -h ^olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif | cut -d: -f 2
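
Review bot: the new sed expression in get_suffix un-doubles backslashes (s/\\\\/\\/g) but does nothing for an escaped quote, and the capture [^"]\+ still stops at the first " in the value, so a suffix written with \" comes out mangled. The sed at the end of get_directory handles both \" and \\ for directory values; either do the same here or say in a comment that suffixes containing quotes are not supported. $f is also unquoted on this line.
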
@@ -297,13 +297,15 @@
 get_directory() {							# {{{
 # Returns the db directory for a given suffix
 	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then
-		sed -n 's/^olcDbDirectory: *//p' `grep -Fl "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
+		sed -n 's/^olcDbDirectory: *//p' `grep -Flx "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
 	elif [ -f "${SLAPD_CONF}" ]; then
 		# Extract the directory for the given suffix ($1)
+		# Quote backslashes once for slapd.conf parser, again for awk
+		quoted="$(printf '%s' "$1" | sed 's/\\/\\\\\\\\/g')"
 		for f in `get_all_slapd_conf_files`; do
 		awk  ' BEGIN { DB=0; SUF=""; DIR="" } ;
 		       /^database/ { DB=1; SUF=""; DIR="" } ; 
-		       DB==1 && /^suffix[ \t]+"?'"$1"'"?$/ { SUF=$2 ; } ; 
+		       DB==1 && /^suffix[ \t]+"?'"$quoted"'"?$/ { SUF=$2 ; } ; 
 		       DB==1 && /^directory/ { DIR=$2 ;} ; 
 		       DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" | \
 		sed -e's/\([^\\]\|^\)"/\1/g; s/\\"/"/g; s/\\\\/\\/g'
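
Review bot: in the awk pattern /^suffix[ \t]+"?'"$quoted"'"?$/ the suffix is spliced into a regular expression with only backslashes escaped, so every other character keeps its regex meaning: a . in the suffix matches any character, and a / would end the regex literal. Consider handing the suffix to awk as data (for example through the environment and ENVIRON) and comparing it as a string instead of building a pattern from it, which would also remove the need for the fourfold backslash quoting.
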
@@ -369,7 +371,7 @@
 		exit 1
 	fi
 
-	echo "$target"
+	printf '%s' "$target"
 }
 
 # }}}
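
Review bot: printf '%s' "$target" drops the trailing newline that echo used to emit. The callers visible in this patch capture the result with $(...), which strips it anyway, but printf '%s\n' would leave the function's output unchanged for any other consumer while still avoiding echo's backslash handling.
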
@@ -397,8 +399,8 @@
 	# include mount points as well anyway, but it's much less likely.
 	db_get slapd/move_old_database
 	if [ "$RET" = true ]; then
-		backupdir=`compute_backup_path "$databasedir" "$suffix"`
-		echo -n "  - directory $suffix... " >&2
+		backupdir="$(compute_backup_path "$databasedir" "$suffix")"
+		printf '  - directory %s... ' "$suffix" >&2
 		mkdir -p "$backupdir"
 		find -H "$databasedir" -mindepth 1 -maxdepth 1 -type f \
 			-exec mv {} "$backupdir" \;
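
Review bot: backupdir="$(compute_backup_path "$databasedir" "$suffix")" is followed directly by mkdir -p "$backupdir" and the find ... -exec mv, with no check that the substitution succeeded or returned a non-empty path. An exit inside a command substitution only ends the subshell, so unless the script runs under set -e, add a guard such as [ -n "$backupdir" ] || exit 1 before the mkdir.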

