Thanks to Ondrej, this list is a bit shorter now. :)
The following ITSes have a patch or have been committed already.
-------------------------------------------------------------------
ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
ITS#7770 - back-monitor - Add mdb_stat info (e19c683c41e14365d28e82278eec1d8b12c71d4c , 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
**** ITS#8037 - slapd - Fix delta-syncrepl with relax (cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)
ITS#8349 - Fix ppolicy behavior with pwdHistory
ITS#8508 - liblunicode - Fix ucgendat (cc99da182f53d3d4f3874703643b277773717af3)
**** ITS#8637 - slapd-ldap - Correctly reject invalid config with slapd-config (has patch, IPR OK)
**** ITS#8671 - libldap - ldap_init_fd() in ldap.h (6a5e30674b63b17587738ba9a3d1ea3633c33fb1)
ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
**** ITS#8755 - libldap - leaking file descriptor when closing connection (has patch, IPR OK)
ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)
**** ITS#8799 - back-chain - Fix conversion from slapd.conf (has patch, IPR OK)
**** ITS#8864 - liblber - fix ber_flush (fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)
ITS#8875 - back-mdb - fix performance problems with large DIT and many aliases (has patch, RE25 only)
**** ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch, just needs to be committed)
ITS#9000 - slapo-memberof - Fix group rename issue (Ondrej has already written the patch, just needs to be committed?)
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote:
> Thanks to Ondrej, this list is a bit shorter now. :)
>
> The following ITSes have a patch or have been committed already.
>
> ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)

This is an enhancement, not a bugfix.

> ITS#7770 - back-monitor - Add mdb_stat info (e19c683c41e14365d28e82278eec1d8b12c71d4c , 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )

This is also an enhancement, not a bugfix.

Already discussed adding #7770 to RE24, seems like a good idea. Are we allowing other enhancements into RE24?

> **** ITS#8037 - slapd - Fix delta-syncrepl with relax (cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)

OK.

> ITS#8349 - Fix ppolicy behavior with pwdHistory

OK.

> ITS#8508 - liblunicode - Fix ucgendat (cc99da182f53d3d4f3874703643b277773717af3)

OK.

> **** ITS#8637 - slapd-ldap - Correctly reject invalid config with slapd-config (has patch, IPR OK)

OK.

> **** ITS#8671 - libldap - ldap_init_fd() in ldap.h (6a5e30674b63b17587738ba9a3d1ea3633c33fb1)

already merged

> ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)

Needs version checks.

> **** ITS#8755 - libldap - leaking file descriptor when closing connection (has patch, IPR OK)

OK.

> ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)

OK.

> **** ITS#8799 - back-chain - Fix conversion from slapd.conf (has patch, IPR OK)

OK.

> **** ITS#8864 - liblber - fix ber_flush (fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)

OK.

> ITS#8875 - back-mdb - fix performance problems with large DIT and many aliases (has patch, RE25 only)
>
> **** ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch, just needs to be committed)

OK.

> ITS#9000 - slapo-memberof - Fix group rename issue (Ondrej has already written the patch, just needs to be committed?)

OK.
--On Monday, June 17, 2019 2:23 PM +0100 Howard Chu hyc@symas.com wrote:

>> The following ITSes have a patch or have been committed already.
>>
>> ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
>
> This is an enhancement, not a bugfix.

Generally we've allowed that for contrib modules.

>> ITS#7770 - back-monitor - Add mdb_stat info (e19c683c41e14365d28e82278eec1d8b12c71d4c , 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
>
> This is also an enhancement, not a bugfix.
>
> Already discussed adding #7770 to RE24, seems like a good idea. Are we allowing other enhancements into RE24?

We've done a few: back-sock enhancements in 2.4.47, for example, support for OpenSSL 1.1.0+ in 2.4.45, support for "nordahead" flag in 2.4.37 with back-mdb. So it's your call.

>> ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
>
> Needs version checks.

Ok, will work on that bit. :)

--Quanah
Quanah Gibson-Mount wrote:
> --On Monday, June 17, 2019 2:23 PM +0100 Howard Chu hyc@symas.com wrote:
>
>>> The following ITSes have a patch or have been committed already.
>>>
>>> ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
>>
>> This is an enhancement, not a bugfix.
>
> Generally we've allowed that for contrib modules.

OK, go ahead.

>>> ITS#7770 - back-monitor - Add mdb_stat info (e19c683c41e14365d28e82278eec1d8b12c71d4c , 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
>>
>> This is also an enhancement, not a bugfix.
>>
>> Already discussed adding #7770 to RE24, seems like a good idea. Are we allowing other enhancements into RE24?
>
> We've done a few: back-sock enhancements in 2.4.47, for example, support for OpenSSL 1.1.0+ in 2.4.45, support for "nordahead" flag in 2.4.37 with back-mdb. So it's your call.
>
>>> ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
>>
>> Needs version checks.
>
> Ok, will work on that bit. :)
>
> --Quanah
On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
> Thanks to Ondrej, this list is a bit shorter now. :)

But one more I'd love to see in 2.4.48:

ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
https://www.openldap.org/its/index.cgi?findid=8866

I have a back-port patch for this in my own 2.4.47 packages because it is very useful.

Ciao, Michael.
Michael Ströder wrote:
> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>> Thanks to Ondrej, this list is a bit shorter now. :)
>
> But one more I'd love to see in 2.4.48:
>
> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message

I don't believe the information disclosure issues have been sufficiently answered there. Overall it's a bad idea and goes against our standing policy of minimal disclosure.

At most you would expect something relevant in syslog. The actual rules in play are only the sysadmin's business, not any end user's.

> I have a back-port patch for this in my own 2.4.47 packages because it is very useful.
>
> Ciao, Michael.
On 6/27/19 6:18 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>
>> But one more I'd love to see in 2.4.48:
>>
>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>
> I don't believe the information disclosure issues have been sufficiently answered there. Overall it's a bad idea and goes against our standing policy of minimal disclosure.

Sorry, you already have the disclosure.

Citing from my old e-mail found here: https://www.openldap.org/lists/openldap-devel/201711/msg00003.html

> But this problem exists anyway because an attacker can probe values by adding entries with non-unique attributes and determine whether an attribute value exists or not by distinguishing the result code constraintViolation(19) vs. insufficientAccessRights(50). Even worse this even works in case the attacker does not have read access anywhere!

Ciao, Michael.
On 6/27/19 6:23 PM, Michael Ströder wrote:
> On 6/27/19 6:18 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>
>>> But one more I'd love to see in 2.4.48:
>>>
>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>
>> I don't believe the information disclosure issues have been sufficiently answered there. Overall it's a bad idea and goes against our standing policy of minimal disclosure.
>
> Sorry, you already have the disclosure.
>
> Citing from my old e-mail found here: https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>
>> But this problem exists anyway because an attacker can probe values by adding entries with non-unique attributes and determine whether an attribute value exists or not by distinguishing the result code constraintViolation(19) vs. insufficientAccessRights(50). Even worse this even works in case the attacker does not have read access anywhere!

Furthermore the security of a system should not rely on confidentiality of the configuration. E.g. with Æ-DIR the config is publicly known.

Also note I'm usually blamed for making directory contents too confidential.

Ciao, Michael.
Michael Ströder wrote:
> On 6/27/19 6:23 PM, Michael Ströder wrote:
>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>
>>>> But one more I'd love to see in 2.4.48:
>>>>
>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>
>>> I don't believe the information disclosure issues have been sufficiently answered there. Overall it's a bad idea and goes against our standing policy of minimal disclosure.
>>
>> Sorry, you already have the disclosure.
>>
>> Citing from my old e-mail found here: https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>>
>>> But this problem exists anyway because an attacker can probe values by adding entries with non-unique attributes and determine whether an attribute value exists or not by distinguishing the result code constraintViolation(19) vs. insufficientAccessRights(50). Even worse this even works in case the attacker does not have read access anywhere!

Then that's a bug that should be fixed.

> Furthermore the security of a system should not rely on confidentiality of the configuration. E.g. with Æ-DIR the config is publicly known.

That was your choice to decide for yourself. Not for everyone else though. The default behavior has always been to restrict viewing of the config to administrators. I see no reason to change this policy.

> Also note I'm usually blamed for making directory contents too confidential.
>
> Ciao, Michael.
On 6/27/19 6:37 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/27/19 6:23 PM, Michael Ströder wrote:
>>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>>> Michael Ströder wrote:
>>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>>
>>>>> But one more I'd love to see in 2.4.48:
>>>>>
>>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>>
>>>> I don't believe the information disclosure issues have been sufficiently answered there. Overall it's a bad idea and goes against our standing policy of minimal disclosure.
>>>
>>> Sorry, you already have the disclosure.
>>>
>>> Citing from my old e-mail found here: https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>>>
>>>> But this problem exists anyway because an attacker can probe values by adding entries with non-unique attributes and determine whether an attribute value exists or not by distinguishing the result code constraintViolation(19) vs. insufficientAccessRights(50). Even worse this even works in case the attacker does not have read access anywhere!
>
> Then that's a bug that should be fixed.

If you really want to fix this bug then you have to fully enforce access control when processing the write operation *before* enforcing the constraints. (I guess this is not easily done with the current overlay stack processing.)

But if you fixed it then the disclosure will only happen if the user is authorized to modify the entry. So same fix for the very same problem. ;-)

Conclusion:
1. Applying ITS#8866 patch to RE24 will not make things worse.
2. The real fix will also fix the disclosure issue.

Ciao, Michael.
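The probing pattern quoted in this thread (write operations rejected with constraintViolation(19) rather than insufficientAccessRights(50), from a bind that has no business succeeding at the write) leaves a footprint in the server log that a defender can look for while the check-ordering fix is pending. The following is an added example written for this page; it is not code from the thread, from OpenLDAP, or from slapo-constraint. It assumes slapd logging at loglevel `stats`, whose `conn=N op=M <OP> dn="..."` and `conn=N op=M RESULT tag=T err=E` lines are correlated here; the log lines, the bind DNs and the `PROBE_THRESHOLD` value are all constructed for the example and would need tuning against real traffic.

```python
"""Spot write-operation probing in slapd 'stats' logs.

Added example (not OpenLDAP code).  It correlates each ADD/MOD/MODRDN/DEL
operation with its RESULT line and flags connections whose writes are
repeatedly rejected with constraintViolation(19), the pattern a client that
is probing attribute values through slapo-constraint would produce.
Assumptions: slapd logging at loglevel 'stats'; the log lines below are
constructed; PROBE_THRESHOLD is a guess to be tuned per deployment.
"""
import re
from collections import defaultdict

# conn=N op=M <OP> dn="..." lines; BIND is kept only to learn the bind DN.
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|ADD|MOD|MODRDN|DEL) dn="([^"]*)"')
# conn=N op=M RESULT tag=T err=E lines carry the LDAP result code.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')

CONSTRAINT_VIOLATION = 19   # LDAP resultCode constraintViolation
INSUFFICIENT_ACCESS = 50    # LDAP resultCode insufficientAccessRights
PROBE_THRESHOLD = 3         # assumption: err=19 writes per conn needed to flag

# Constructed sample log: conn 1001 (a low-privilege bind) fires several
# ADDs and gets a mix of 19 and 50; conn 1002 is an ordinary admin write.
SAMPLE_LOG = """\
conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=guest,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 BIND dn="uid=guest,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 ADD dn="uid=probe1,ou=people,dc=example,dc=com"
conn=1001 op=1 RESULT tag=105 err=19 text=add breaks constraint on mail
conn=1001 op=2 ADD dn="uid=probe2,ou=people,dc=example,dc=com"
conn=1001 op=2 RESULT tag=105 err=50 text=
conn=1001 op=3 ADD dn="uid=probe3,ou=people,dc=example,dc=com"
conn=1001 op=3 RESULT tag=105 err=19 text=add breaks constraint on mail
conn=1001 op=4 ADD dn="uid=probe4,ou=people,dc=example,dc=com"
conn=1001 op=4 RESULT tag=105 err=19 text=add breaks constraint on mail
conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 ADD dn="uid=newuser,ou=people,dc=example,dc=com"
conn=1002 op=1 RESULT tag=105 err=0 text=
"""


def parse_write_results(lines):
    """Return (conn, op, optype, target_dn, bind_dn, err) for each write op
    whose RESULT line was seen.  bind_dn is the last BIND DN logged on that
    connection (an anonymous connection yields an empty string)."""
    pending = {}          # (conn, op) -> (optype, target_dn)
    bind_dn = {}          # conn -> dn
    results = []
    for line in lines:
        m = OP_RE.search(line)
        if m:
            conn, op, optype, dn = m.groups()
            if optype == "BIND":
                bind_dn[conn] = dn
            else:
                pending[(conn, op)] = (optype, dn)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            if (conn, op) in pending:
                optype, dn = pending.pop((conn, op))
                results.append((conn, op, optype, dn, bind_dn.get(conn, ""), int(err)))
    return results


def find_probing(results, threshold=PROBE_THRESHOLD):
    """Group write results per connection and return those with at least
    `threshold` constraintViolation rejections.  The err=50 count is kept
    because a bind that receives both codes on the same kind of write is
    exactly the distinguishable-result-code situation the thread describes."""
    per_conn = defaultdict(lambda: {"bind_dn": "", "writes": 0,
                                    "constraint_violation": 0,
                                    "insufficient_access": 0})
    for conn, _op, _optype, _dn, bdn, err in results:
        s = per_conn[conn]
        s["bind_dn"] = bdn
        s["writes"] += 1
        if err == CONSTRAINT_VIOLATION:
            s["constraint_violation"] += 1
        elif err == INSUFFICIENT_ACCESS:
            s["insufficient_access"] += 1
    return {c: s for c, s in per_conn.items()
            if s["constraint_violation"] >= threshold}


if __name__ == "__main__":
    for conn, s in find_probing(parse_write_results(SAMPLE_LOG.splitlines())).items():
        print(f"conn={conn} bind_dn={s['bind_dn']!r} writes={s['writes']} "
              f"err19={s['constraint_violation']} err50={s['insufficient_access']}")
```

In real use `parse_write_results` would be fed the slapd log file or a syslog stream instead of `SAMPLE_LOG`; the point of keying on err=19 from write operations is that, until access control is enforced ahead of the constraint check, a caller who cannot write at all should never see that code, so any run of them from one bind is worth an alert.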