Symas OpenLDAP 2.4.29.1 Available

29 Feb 2012

Symas OpenLDAP 2.4.29.1 has been released and is available for download from our portal. The following platforms are available now, with more coming:

  • Red Hat Enterprise Linux 4/5/6 x86 and x86_64
  • Solaris 10 SPARC 32- and 64-bit
  • Debian 5/6 x86 and amd64
  • Ubuntu 10/11 x86 and amd64

The new release includes the new mdb backend, a faster, more compact database.

Release notes for 2.4.29.1:

February 23, 2012

Release Notes for Symas OpenLDAP
Gold and Silver, Version 2.4.29.1

This release of Symas OpenLDAP contains the following component versions:

OpenLDAP 2.4.29 + patches

BDB 4.8.30

Cyrus SASL 2.1.25

OpenSSL 0.9.8t

Heimdal Kerberos 1.5.1 (Selected platforms only)

Packaging:
No Changes

OpenLDAP:
Fixed slapd pcache uninitialized op->ors_deref (ITS#7178)
Fixed slapd mdb quick mode index generation (ITS#7170)
Fixed slapd cn=config modification of first schema element (ITS#7098)
Fixed slapd operation reuse (ITS#7107)
Fixed slapd blocked writers to not interfere with pool pause (ITS#7115)
Fixed slapd connection loop connindex usage (ITS#7131)
Fixed slapd double mutex unlock via connection_done (ITS#7125)
Fixed slapd check order in connection_write (ITS#7113)
Fixed slapd slapadd to exit on failure (ITS#7142)
Fixed slapd syncrepl reference to freed memory (ITS#7127,ITS#7132)
Fixed slapd syncrepl to ignore some errors on delete (ITS#7052)
Fixed slapd syncrepl to handle missing oldRDN (ITS#7144)
Fixed slapd-mdb to handle overlays in tool mode (ITS#7099)
Fixed slapd-mdb segfaults with page splits (ITS#7121)
Fixed slapd-mdb cleanup on transaction abort (ITS#7140)
Fixed slapd-mdb with attribute descriptions (ITS#7146)
Fixed slapd-meta to correctly handle multiple targets (ITS#7050)
Fixed slapd-monitor compare op to update cached entry (ITS#7123)
Fixed slapd-perl initialization (ITS#7075)
Fixed slapd-sql to properly initialize be_cf_ocs (ITS#7158)
Fixed slapo-dds to properly exit when in tool mode (ITS#7099)
Fixed slapo-rwm to not leave empty slots with normalized attrs (ITS#7143)
Fixed slapo-syncprov with already abandoned operation (ITS#7150)
Fixed contrib/smbk5pwd uninitialized keys in shadowLastChange (ITS#7138)
Fixed libldap socket polling for writes (ITS#7167)
Fixed liblutil string modifications (ITS#7174)
Fixed slapd crash when attrsOnly is true (ITS#7143)
Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162)
Fixed slapd-mdb slapindex with -q and -t (ITS#7176)
Fixed slapo-syncprov loop detection (ITS#6024)
Fixed ldap_modify(3) prototypes (ITS#7173)
Fixed adauth security bug and adauth_retry_count crash issue (Symas #1566)
Fixed ITS#7174 lutil_str2bin: can’t modify input strings

Berkeley DB:
No Changes

OpenSSL:
Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access
Research and Development, Cisco Systems, Inc. for
discovering this bug and preparing a fix. (CVE-2012-0050)
Nadhem Alfardan and Kenny Paterson have discovered an
extension of the Vaudenay padding oracle attack on CBC
mode encryption which enables an efficient plaintext
recovery attack against the OpenSSL implementation of
DTLS. Their attack exploits timing differences arising
during decryption processing. A research paper describing
this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the
Information Security Group at Royal Holloway, University
of London (www.isg.rhul.ac.uk) for discovering this flaw
and to Robin Seggelmann <seggelmann@fh-muenster.de> and
Michael Tuexen <tuexen@fh-muenster.de> for preparing the
fix. (CVE-2011-4108)
Stop policy check failure freeing same buffer twice.
(CVE-2011-4109)
Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
Only allow one SGC handshake restart for SSL/TLS. Thanks to
George Kadianakis <desnacked@gmail.com> for discovering
this issue and Adam Langley for preparing the
fix. (CVE-2011-4619)
Prevent malformed RFC3779 data triggering an assertion
failure. Thanks to Andrew Chi, BBN Technologies, for
discovering the flaw and Rob Austein <sra@hactrn.net> for
fixing it. (CVE-2011-4577)
Fix ssl_ciph.c set-up race.
Fix spurious failures in ecdsatest.c.
Fix the BIO_f_buffer() implementation (which was mixing
different interpretations of the ‘…_len’ fields).
Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather
than BN_BLINDING_convert_ex) calls BN_BLINDING_update,
ensuring that concurrent threads won’t reuse the same
blinding coefficients.
Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
Fix x509_name_ex_d2i memory leak on bad inputs.
Add protection against ECDSA timing attacks as mentioned in
the paper by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf

SASL:
Fixed core dump in sasl gssapi module (Symas #1546)
Fixed incorrect runpath in sasl modules (Symas #1547)
Fixed missing runpath in sasl utilities (Symas #1548)

Heimdal Kerberos:
No Changes

Status of this release:
This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements. Maintain backups of critical data and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions should be submitted to your
dedicated support email address or to support@symas.com.

We look forward to hearing from you!