openldap (2.5.13+dfsg-5) unstable; urgency=medium * Fix sha2-contrib autopkgtest failure. Call slappasswd using its full path. (Closes: #1030814) * Disable flaky test test069-delta-multiprovider-starttls. -- Ryan Tandy <ryan@nardis.ca> Tue, 07 Feb 2023 17:56:12 -0800 openldap (2.5.13+dfsg-4) unstable; urgency=medium [ Andreas Hasenack ] * d/rules: Fix passwd/sha2 build (Closes: #1030716, LP: #2000817) * d/t/sha2-contrib: add test for sha2 module -- Ryan Tandy <ryan@nardis.ca> Mon, 06 Feb 2023 19:21:05 -0800 openldap (2.5.13+dfsg-3) unstable; urgency=medium [ Ryan Tandy ] * Disable flaky test test063-delta-multiprovider. Mitigates #1010608. [ Gioele Barabucci ] * slapd.scripts-common: Avoid double-UTF8-encoding org name (Closes: #1016185) * d/slapd.scripts-common: Remove outdated `migrate_to_slapd_d_style` * d/slapd.postinst: Remove test for ancient version * slapd.scripts-common: Remove unused `normalize_ldif` * d/slapd.scripts-common: Use sed instead of perl in `release_diagnostics` -- Ryan Tandy <ryan@nardis.ca> Fri, 13 Jan 2023 16:29:59 -0800 openldap (2.5.13+dfsg-2) unstable; urgency=medium * d/tests/smbk5pwd: Grant slapd access to /var/lib/heimdal-kdc. Fixes the autopkgtest failure due to heimdal setting mode 700 on this directory. (Closes: #1020442) * d/source/lintian-overrides: Add wildcards to make overrides compatible with both older and newer versions of lintian. * d/slapd-contrib.lintian-overrides: Remove unused custom-library-search-path override now that krb5-config no longer sets -rpath. -- Ryan Tandy <ryan@nardis.ca> Sat, 24 Sep 2022 12:40:21 -0700 openldap (2.5.13+dfsg-1) unstable; urgency=medium * d/rules: Remove get-orig-source, now unnecessary. * Check PGP signature when running uscan. * d/watch: Modernize watch file; use repacksuffix. * d/copyright: Update according to DEP-5. * d/control: Add myself to Uploaders. * New upstream release. -- Sergio Durigan Junior <sergiodj@debian.org> Sun, 18 Sep 2022 18:29:46 -0400 openldap (2.5.12+dfsg-2) unstable; urgency=medium * Stop slapd explicitly in prerm as a workaround for #1006147, which caused dpkg-reconfigure to not restart the service, so the new configuration was not applied. See also #994204. (Closes: #1010971) -- Ryan Tandy <ryan@nardis.ca> Mon, 23 May 2022 10:14:53 -0700 openldap (2.5.12+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed SQL injection in back-sql (ITS#9815) (CVE-2022-29155) * Update debconf translations: - German, thanks to Helge Kreutzmann. (Closes: #1007728) - Spanish, thanks to Camaleón. (Closes: #1008529) - Dutch, thanks to Frans Spiesschaert. (Closes: #1010034) -- Ryan Tandy <ryan@nardis.ca> Wed, 04 May 2022 18:00:16 -0700 openldap (2.5.11+dfsg-1) unstable; urgency=medium * Upload to unstable. -- Ryan Tandy <ryan@nardis.ca> Fri, 11 Mar 2022 19:38:02 -0800 openldap (2.5.11+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Add openssl to Build-Depends to enable more checks in test067-tls. * Update slapd-contrib's custom-library-search-path override to work with current Lintian. -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Jan 2022 17:16:05 -0800 openldap (2.5.8+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Update slapd-contrib's custom-library-search-path override to work with Lintian 2.108.0. -- Ryan Tandy <ryan@nardis.ca> Wed, 13 Oct 2021 18:42:55 -0700 openldap (2.5.7+dfsg-1~exp1) experimental; urgency=medium * New upstream release. * Don't run autoreconf in contrib/ldapc++. We don't build it, and it is not yet compatible with autoconf 2.71. (Closes: #993032) * Stop disabling automake in debian/rules now that upstream removed the AM_INIT_AUTOMAKE invocation. * Drop custom config.{guess,sub} handling. dh_update_autotools_config does the right thing for us. * Update Standards-Version to 4.6.0; no changes required. * debian/not-installed: Add the ldapvc.1 man page. -- Ryan Tandy <ryan@nardis.ca> Mon, 30 Aug 2021 18:54:25 -0700 openldap (2.5.6+dfsg-1~exp1) experimental; urgency=medium [ Ryan Tandy ] * New upstream release. * Export the cn=config database to LDIF format before upgrading from 2.4. * slapd.README.Debian: - Remove text about the dropped evolution-ntlm patch. - Add guidance for recovering from upgrade failures. * Remove the debconf warning and README text about the unsafe ACL configured by default in versions before jessie. * Remove upgrade code for adding the pwdMaxRecordedFailure attribute to the ppolicy schema. It's obsolete since the schema has been internalized. [ Sergio Durigan Junior ] * Implement the "escape hatch" mechanism. - d/po/*.po: Update PO files given the new template note. - d/po/templates.pot: Update file. - d/slapd.templates: Add note warning user about a postinst failure, its possible cause and what to do. - d/slapd.postinst: Make certain upgrade functions return failure instead of exiting, which allows the postinst script to gracefully fail when applicable. Also, when the general configuration upgrade fails, display a critical warning to the user. Implement ignore_init_failure function. - d/slapd.prerm: Implement ignore_init_failure function. - d/slapd.scripts-common: Make certain functions return failure instead of exiting. - d/rules: Use dh_installinit's --error-handler to instruct it on how to handle possible errors with the init script. - d/slapd.NEWS: Add excerpt mentioning that the postinst script might error out if it can't migrate the existing (old) database backend. -- Ryan Tandy <ryan@nardis.ca> Mon, 16 Aug 2021 18:32:29 -0700 openldap (2.5.5+dfsg-1~exp1) experimental; urgency=medium * New upstream release. - Drop patches applied upstream: ITS#9544, ITS#9548. * Mark slapd-contrib as breaking the old version of slapd to reduce the chance of upgrade failure due to slapd-contrib being unpacked first. -- Ryan Tandy <ryan@nardis.ca> Fri, 11 Jun 2021 11:43:15 -0700 openldap (2.5.4+dfsg-1~exp1) experimental; urgency=medium * New upstream release. - Changing olcAuthzRegexp dynamically is supported. (Closes: #761407) - Support for LANMAN password hashes has been removed. (Closes: #988033) - Added pkg-config files for liblber and libldap. (Closes: #670824) - libldap_r has been merged into libldap. The Debian package will continue to install a libldap_r.so symlink for backwards compatibility with applications that still link with -lldap_r. - The Berkeley DB backends, slapd-bdb(5) and slapd-hdb(5), have been removed. - The shell backend, slapd-shell(5), has been removed. - New backend: slapd-asyncmeta(5). - New core overlays: slapd-homedir(5), slapd-otp(5), and slapd-remoteauth(5). - The ppolicy schema has been merged into the slapo-ppolicy(5) module. - The argon2 password module has been promoted from contrib to core. * Add a superficial autopkgtest for smbk5pwd. * Update Standards-Version to 4.5.1; no changes needed. * Upgrade to debhelper compat level 12. - Remove debian/compat, add Build-Depends: debhelper-compat. * Run dh_missing --fail-missing during build. - Add debian/not-installed. * Drop debian/tmp/ prefix from paths in *.install and *.manpages. * Override Lintian false positives: * slapd: lacks-unversioned-link-to-shared-library. See #687022. * libldap-2.4-2: shared-library-not-shipped. * Follow renamed Lintian tags: - dev-pkg-without-shlib-symlink => lacks-unversioned-link-to-shared-library - binary-or-shlib-defines-rpath => custom-library-search-path * Rename libldap2-dev to libldap-dev (Policy 8.4). Keep libldap2-dev as a transitional package for now. - Drop ancient Conflicts/Replaces: libopenldap-dev. * Prune implied or unneeded directories from debian/*.dirs. - Stop installing empty /var/lib/slapd directory. (Closes: #714174) * Stop disabling test060-mt-hot on ppc64el. The underlying kernel bug (#866122) is fixed in all relevant suites by now. * Drop evolution-ntlm patch. (Closes: #457374) * Drop patches applied or superseded upstream. * Update or refresh remaining patches as needed. * debian/configure.options: - Refresh with new `./configure --help' output. - Drop directory options set automatically by debhelper: --prefix, --sysconfdir, --localstatedir, and --mandir. - Enable the perl and sql backends explicitly. They are deprecated and --enable-backends= no longer includes them. - Disable the experimental wiredtiger backend. - Disable the autoca overlay. It does not support GnuTLS yet. - Enable the argon2 password hashing module. - Disable the new load balancer daemon (lloadd) for now. - Disable systemd service notification support for now. * debian/rules: - Enable all current and future hardening flags. - Use the new STRIP_OPTS variable to disable stripping. - Drop -Wno-format-extra-args from DEB_CFLAGS_MAINT_APPEND. The Debug macro has been changed upstream to use variadic args. - Override OPT variable to empty for contrib modules. * debian/schema: Sync with upstream. - core.{schema,ldif}: Update description of deltaCRL. - cosine.schema, pmi.schema: spelling fixes. - namedobject.schema: Added. - ppolicy.schema: Removed upstream, dropped. * Add Build-Depends: pkg-config, required for autoreconf. * Add upstream patch to fix SLAPI compilation. (ITS#9544) * Move the argon2 password module from slapd-contrib to slapd. - Add upstream patch to fix argon2 installation. * Transition libldap-2.4-2 to libldap-2.5-0. - Install the real libldap instead of a symlink to libldap_r. - Symlink libldap_r.{a,so} to libldap for backwards compatibility. - Drop the shlibs file, no longer needed. * Remove references to removed BDB backends. - Drop Build-Depends: libdb5.3-dev. - Drop arch-specific configure options to disable those backends on Hurd. - Delete example DB_CONFIG file and README.DB_CONFIG. - Remove information about Berkeley DB from slapd README. * Install new slapmodify(8) tool as a hard link to slapd(8). * Install new man pages: slapo-deref(5), slapo-pw-pbkdf2(5), and slapo-pw-sha2(5). - Drop debian/slapo-pw-pbkdf2.5, included upstream. * Add unpackaged files to debian/not-installed: - ldapvc(1): undocumented tool supporting the vc overlay (contrib) - lloadd(8) and lloadd.conf(5) man pages - slapd-wt(5) and slapo-autoca(5) man pages * Delete obsolete ppolicy.schema and ppolicy.ldif conffiles on upgrade. * Dump and reload slapd-mdb(5) databases on upgrade from 2.4. - Call dh_installinit with --no-restart-after-upgrade to ensure slapd is stopped before dumping the old database. -- Ryan Tandy <ryan@nardis.ca> Sun, 30 May 2021 08:41:25 -0700 openldap (2.4.59+dfsg-1) unstable; urgency=medium * New upstream release. * Fix FTBFS with autoconf 2.71 (Closes: #993032): - Backport upstream changes to support Autoconf 2.69 instead of simply disabling automake in debian/rules. Fixes FTBFS due to autoreconf thinking files required by Automake are missing, even though Automake is not actually used. - Stop running autoreconf in contrib/ldapc++ since we don't build it. - Drop custom config.{guess,sub} handling. dh_update_autotools_config does the right thing for us. * Update Standards-Version to 4.6.0; no changes required. * Add a superficial autopkgtest for smbk5pwd. * Stop disabling test060-mt-hot on ppc64el. The underlying kernel bug (#866122) is fixed in all relevant suites by now. -- Ryan Tandy <ryan@nardis.ca> Fri, 27 Aug 2021 09:42:31 -0700 openldap (2.4.57+dfsg-3) unstable; urgency=medium * Link smbk5pwd with -lkrb5. (Closes: #988565) -- Ryan Tandy <ryan@nardis.ca> Sat, 15 May 2021 16:03:34 -0700 openldap (2.4.57+dfsg-2) unstable; urgency=medium * Fix slapd assertion failure in Certificate List Exact Assertion validation (ITS#9454) (CVE-2021-27212) -- Ryan Tandy <ryan@nardis.ca> Sun, 14 Feb 2021 09:26:41 -0800 openldap (2.4.57+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed slapd crashes in Certificate Exact Assertion processing (ITS#9404, ITS#9424) (CVE-2020-36221) - Fixed slapd assertion failures in saslAuthzTo validation (ITS#9406, ITS#9407) (CVE-2020-36222) - Fixed slapd crash in Values Return Filter control handling (ITS#9408) (CVE-2020-36223) - Fixed slapd crashes in saslAuthzTo processing (ITS#9409, ITS#9412, ITS#9413) (CVE-2020-36224, CVE-2020-36225, CVE-2020-36226) - Fixed slapd assertion failure in X.509 DN parsing (ITS#9423) (CVE-2020-36230) - Fixed slapd crash in X.509 DN parsing (ITS#9425) (CVE-2020-36229) - Fixed slapd crash in Certificate List Exact Assertion processing (ITS#9427) (CVE-2020-36228) - Fixed slapd infinite loop with Cancel operation (ITS#9428) (CVE-2020-36227) -- Ryan Tandy <ryan@nardis.ca> Sat, 23 Jan 2021 08:57:07 -0800 openldap (2.4.56+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed slapd abort due to assertion failure in Certificate List syntax validation (ITS#9383) (CVE-2020-25709) - Fixed slapd abort due to assertion failure in CSN normalization with invalid input (ITS#9384) (CVE-2020-25710) -- Ryan Tandy <ryan@nardis.ca> Wed, 11 Nov 2020 09:13:56 -0800 openldap (2.4.55+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed slapd normalization handling with modrdn (ITS#9370) (CVE-2020-25692) -- Ryan Tandy <ryan@nardis.ca> Tue, 27 Oct 2020 21:07:29 -0700 openldap (2.4.54+dfsg-1) unstable; urgency=medium * New upstream release. * Change upstream Homepage and get-orig-source URLs to HTTPS. * Create debian/gbp.conf. -- Ryan Tandy <ryan@nardis.ca> Sun, 18 Oct 2020 16:03:46 +0000 openldap (2.4.53+dfsg-1) unstable; urgency=medium * New upstream release. -- Ryan Tandy <ryan@nardis.ca> Mon, 07 Sep 2020 09:47:28 -0700 openldap (2.4.51+dfsg-1) unstable; urgency=medium * New upstream release. - Add ldap_parse_password_expiring_control to libldap-2.4-2.symbols. * Merge some changes from Ubuntu: - slapd.default, slapd.README.Debian: update to refer to slapd.d instead of slapd.conf. - debian/slapd.scripts-common: dump_databases: make slapcat_opts a local variable. * Drop paragraph about patch gnutls-altname-nulterminated (#465197) from slapd.README.Debian. The patch referred to was dropped in 2.4.7-6. * debian/patches/set-maintainer-name: Extract maintainer address dynamically from debian/control. (Closes: #960448) * Fix Torsten's email address in a historic debian/changelog entry to resolve a Lintian error (bogus-mail-host-in-debian-changelog). * Rename debian/source.lintian-overrides to debian/source/lintian-overrides. Fixes a Lintian pedantic tag (old-source-override-location). * Override Lintian pedantic tag maintainer-manual-page for slapo-pw-pbkdf2.5, which will be included upstream in a future release. * Remove the trailing whitespaces from debian/changelog, debian/control, and debian/rules. Fixes a Lintian pedantic tag (trailing-whitespace). * Convert debian/po/de.po to UTF-8. Fixes a Lintian warning (national-encoding). * Relax libldap's dependency on libldap-common to Recommends. This is intended to mitigate the impact of bug #915948 in the case where the arch:all build is delayed for so long that the old libldap-common disappears. Previously, a delayed arch:all build could become BD-Uninstallable if new amd64 binaries were published before the arch:all build starts, due to the transitive build-dependency on libldap. Although libldap works fine without libldap-common, in normal installations it is still recommended to install libldap-common. * Append a timestamp to the backup directory created by dpkg-reconfigure. (Closes: #599585, #960449) * Remove the redundant cn=admin,<suffix> entry from the default DIT for new installs. For new installs going forward, the root credentials will be stored in olcRootDN/olcRootPW only. (Closes: #821331) * Change slapd's Suggests: ldap-utils to Recommends. While any LDAP client suffices, ldap-utils contains the standard tools recommended by upstream for basic administration and management. * Relax Recommends: libsasl2-modules to Suggests on slapd and ldap-utils. Many deployments do not use SASL at all, and therefore SASL mechanisms are not needed "in all but unusual installations". -- Ryan Tandy <ryan@nardis.ca> Sun, 23 Aug 2020 11:09:57 -0700 openldap (2.4.50+dfsg-1) unstable; urgency=medium * New upstream release. - Fixed slapd to limit depth of nested filters (ITS#9202) (CVE-2020-12243) - Drop patches included upstream: argon2.patch, ITS#9171, ITS#8650. * Update Spanish debconf translation. Thanks to Camaleón. (Closes: #958869) -- Ryan Tandy <ryan@nardis.ca> Tue, 28 Apr 2020 10:18:12 -0700 openldap (2.4.49+dfsg-4) unstable; urgency=medium * Annotate libsodium-dev dependency with <!pkg.openldap.noslapd>. Thanks to Helmut Grohne. (Closes: #955993) * Add the man page for the Argon2 password module. Thanks to Peter Marschall. (Closes: #955977) * Build the Argon2 password module with libargon2-dev instead of libsodium-dev. Rationale: - libargon2 contains the specific functionality needed; libsodium is a larger library and contains many features not used here - libsodium does not support configuring the p= (parallelism) parameter * Import upstream patch to properly retry gnutls_handshake() after it returns GNUTLS_E_AGAIN. (ITS#8650) (Closes: #861838) * Update the Argon2 password module to upstream commit feb6f21d2e. -- Ryan Tandy <ryan@nardis.ca> Tue, 14 Apr 2020 21:33:16 -0700 openldap (2.4.49+dfsg-3) unstable; urgency=medium * Drop patch no-AM_INIT_AUTOMAKE. Instead, configure dh_autoreconf to skip automake by setting AUTOMAKE=/bin/true. (Closes: #864637) * debian/patches/debian-version: Show Debian version, instead of upstream version, in version strings. * Add ${perl:Depends} to slapd Depends to silence a dpkg-gencontrol warning. This is practically a no-op since slapd explicitly Depends on perl because of the maintainer scripts. * Import the Argon2 password module from upstream git and install it in slapd-contrib. New Build-Depends: libsodium-dev. (Closes: #920283) -- Ryan Tandy <ryan@nardis.ca> Sat, 04 Apr 2020 10:43:56 -0700 openldap (2.4.49+dfsg-2) unstable; urgency=medium * slapd.README.Debian: Document the initial setup performed by slapd's maintainer scripts in more detail. Thanks to Karl O. Pinc. (Closes: #952501) * Import upstream patch to fix slapd crashing in certain configurations when a client attempts a login to a locked account. (ITS#9171) (Closes: #953150) -- Ryan Tandy <ryan@nardis.ca> Thu, 05 Mar 2020 12:59:46 -0800 openldap (2.4.49+dfsg-1) unstable; urgency=medium * New upstream release. - Drop patch no-gnutls_global_set_mutex, applied upstream. * When validating the DNS domain chosen for slapd's default suffix, set LC_COLLATE explicitly for grep to ensure character ranges behave as expected. Thanks to Fredrik Roubert. (Closes: #940908) * Backport proposed upstream patch to emit detailed messages about errors in the TLS configuration. (ITS#9086) (Closes: #837341) * slapd.scripts-common: Delete unused copy_example_DB_CONFIG function. * Remove debconf support for choosing a database backend. Always use the LMDB backend for new installs, as recommended by upstream. * Remove the empty olcBackend section from the default configuration. * Remove the unused slapd.conf template from /usr/share/slapd. Continue shipping it as an example in /usr/share/doc/slapd. * Fix a typo in index-files-created-as-root patch. Thanks to Quanah Gibson-Mount. * Annotate slapd's Depends on perl with :any. Fixes installation of foreign-arch slapd. Thanks to Andreas Hasenack. * Rename 'stage1' build profile to 'pkg.openldap.noslapd'. Thanks to Helmut Grohne. (Closes: #949722) * Drop Build-Conflicts: libicu-dev as upstream's configure no longer tests for or links with libicu. * Note ITS#9126 recommendation in slapd.NEWS. * Update Standards-Version to 4.5.0; no changes required. -- Ryan Tandy <ryan@nardis.ca> Thu, 06 Feb 2020 10:08:12 -0800 openldap (2.4.48+dfsg-1) unstable; urgency=medium * New upstream release. - fixed slapd to restrict rootDN proxyauthz to its own databases (CVE-2019-13057) (ITS#9038) (Closes: #932997) - fixed slapd to enforce sasl_ssf ACL statement on every connection (CVE-2019-13565) (ITS#9052) (Closes: #932998) - added new openldap.h header with OpenLDAP specific libldap interfaces (ITS#8671) - updated lastbind overlay to support forwarding authTimestamp updates (ITS#7721) (Closes: #880656) * Update Standards-Version to 4.4.0. * Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so that systemd marks the service as dead after it crashes or is killed. Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343) * Use more entropy for generating a random admin password, if none was set during initial configuration. Thanks to Judicael Courant. (Closes: #932270) * Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog with variables provided by dpkg-dev includes. * Declare R³: no. * Create a simple autopkgtest that tests installing slapd and connecting to it with an ldap tool. * Install the new openldap.h header in libldap2-dev. -- Ryan Tandy <ryan@nardis.ca> Thu, 25 Jul 2019 08:32:00 -0700 # Older entries have been removed from this changelog. # To read the complete changelog use `apt changelog libldap-dev`.
Generated by dwww version 1.15 on Sat May 18 08:17:42 CEST 2024.