Ubuntu
openldap package

New upstream microrelease 2.5.12

Bug #1977627 reported by Sergio Durigan Junior
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Invalid
High
Unassigned
Ubuntu ubuntu-22.06
Jammy
Fix Released
High
Sergio Durigan Junior

Bug Description

[ Impact ]

 * MRE for the latest stable OpenLDAP 2.5.x release, 2.5.12.

This update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/OpenLDAPUpdates.

[ Major Changes ]

 * See the list of bugs fixed in this release here:

https://<email address hidden>/thread/LSEQKADYZFFMZJGPEVBRR3OVOY4IOGRA/

 * In particular, this release includes the fix for CVE-2022-29155, but since the CVE has already been addressed by the currently OpenLDAP version in Jammy (2.5.11+dfsg-1~exp1ubuntu3.1), this does not classify as a security upload.

[ Test Plan ]

 * Upstream gitlab pipeline results: https://git.openldap.org/openldap/openldap/-/pipelines/4298

 * Upstream "call for testing": https://<email address hidden>/thread/5ZJEOQSVFQBG5TRLAAF6S5M3VRJH5IAV/

 * As described in the MRE wiki page for OpenLDAP, the test plan is to build the package in bileto and make sure that (1) all build-time tests pass and (2) all autopkgtest runs (from reverse dependencies) also pass.

 * Build log (amd64) confirming that the build-time testsuite has been performed and completed successfully: https://launchpadlibrarian.net/606922528/buildlog_ubuntu-jammy-amd64.openldap_2.5.12+dfsg-0ubuntu0.22.04.1_BUILDING.txt.gz

 * Bileto ticket: https://bileto.ubuntu.com/#/ticket/4868

[ Where problems could occur ]

 * Upstream tests are always executed during build-time. There are many reverse dependencies whose dep8 tests depend on OpenLDAP so the coverage is good. Nevertheless, there is always a risk for something to break since we are dealing with a microrelease upgrade. Whenever a test failure is detected, we will be on top of it and make sure it doesn't affect existing users.

[ Other Info ]

 * This is a reoccurring MRE. See below for links to previous OpenLDAP MREs.

 * CVEs fixed by this release:
   - CVE-2022-29155, which has already been addressed in Jammy.

Current versions in supported releases that got updates:
 openldap | 2.5.11+dfsg-1~exp1ubuntu3.1 | jammy-updates | source

Special cases:
- None.

Previous MREs for OpenLDAP:
- None so far.

As usual we test and prep from the PPA and then push through SRU/Security as applicable.

See original description

Related branches

~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY
git-ubuntu bot: Approve
Athos Ribeiro (community): Approve
Canonical Server: Pending requested
Canonical Server packageset reviewers: Pending requested
Diff: 1976 lines (+489/-393)
36 files modified
CHANGES (+30/-0)
build/dir.mk (+5/-5)
build/version.var (+4/-4)
contrib/slapd-modules/vc/vc.c (+2/-4)
debian/changelog (+14/-0)
debian/patches/series (+0/-1)
dev/null (+0/-274)
doc/guide/admin/guide.html (+1/-1)
doc/man/man3/ldap_get_option.3 (+22/-1)
doc/man/man5/slapd-config.5 (+2/-3)
doc/man/man5/slapd.conf.5 (+2/-3)
include/ldap_pvt.h (+2/-2)
libraries/libldap/ldif.c (+5/-0)
libraries/libldap/result.c (+10/-4)
libraries/libldap/tls_o.c (+4/-0)
servers/slapd/back-asyncmeta/add.c (+1/-0)
servers/slapd/back-asyncmeta/config.c (+5/-3)
servers/slapd/back-asyncmeta/meta_result.c (+11/-4)
servers/slapd/back-asyncmeta/search.c (+1/-0)
servers/slapd/back-ldap/config.c (+5/-3)
servers/slapd/back-mdb/monitor.c (+2/-1)
servers/slapd/back-meta/config.c (+17/-13)
servers/slapd/back-sql/search.c (+105/-18)
servers/slapd/bconfig.c (+24/-7)
servers/slapd/connection.c (+10/-8)
servers/slapd/daemon.c (+13/-1)
servers/slapd/overlays/dynlist.c (+7/-4)
servers/slapd/overlays/pcache.c (+3/-2)
servers/slapd/overlays/ppolicy.c (+12/-8)
servers/slapd/overlays/syncprov.c (+1/-0)
servers/slapd/overlays/translucent.c (+23/-1)
servers/slapd/proto-slap.h (+1/-0)
servers/slapd/syncrepl.c (+122/-18)
tests/data/dynlist.out (+4/-0)
tests/scripts/test034-translucent (+8/-0)
tests/scripts/test044-dynlist (+11/-0)

CVE References

Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Jammy):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu):
assignee: Sergio Durigan Junior (sergiodj) → nobody
status: Confirmed → Invalid
Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu):
status: Invalid → New
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote (last edit ):

Bileto ticket: https://bileto.ubuntu.com/#/ticket/4868

Changed in openldap (Ubuntu Jammy):
status: Confirmed → In Progress
Sergio Durigan Junior (sergiodj)
description: updated
description: updated
description: updated
Sergio Durigan Junior (sergiodj)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Sergio, or anyone else affected,

Accepted openldap into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.5.12+dfsg-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openldap (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Sergio Durigan Junior (sergiodj)
description: updated
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

As usual with non-security updates, we use the results of autopkgtest in order to perform the verification. In this case, all tests succeeded for openldap in Jammy. Therefore, tagging as verification-done-jammy.

tags: added: verification-done-jammy
removed: verification-needed verification-needed-jammy
Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu):
status: New → Invalid
Christian Ehrhardt  (paelzer)
tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.5.12+dfsg-0ubuntu0.22.04.1

---------------
openldap (2.5.12+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version (LP: #1977627).
    - Fixed slapd syncrepl handling of new sessions (ITS#9584)
    - Fixed slapd-sql to properly escape filter value (ITS#9815)
      (CVE-2022-29155)
      [ Already included in 2.5.11+dfsg-1~exp1ubuntu3.1 ]
    - More details about this release can be found at:
      https://git.openldap.org/openldap/openldap/-/blob/2bda1fa98fbcedc6cd5995ea905427b8bef89f9d/CHANGES
  * d/p/CVE-2022-29155.patch: Dropped patch; included in this new upstream
    version.

 -- Sergio Durigan Junior <email address hidden> Mon, 13 Jun 2022 13:19:52 -0400

Changed in openldap (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for openldap has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.