October 7, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.59.4

Release Highlights:

  This is the fourth release for OpenLDAP 2.4.59. It includes fixes for
  delete operations when multival is in use, conversion from slapd.conf to
  slapd-config TLS settings, changes to the ppolicy10 module to restore
  behavior to match the older ppolicy module, and a fix to ppolicy and
  ppolicy10 handling when pwdChangedTime is not present in an entry.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.59
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1l
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  Post 2.4.59 Updates:
    Fixed slapd slaptest migration to correctly set olcTLSVerifyClient
      (ITS#9711)
    Fixed slapd-mdb multival delete handling (ITS#9712)
    Fixed slapo-ppolicy and slapo-ppolicy10 logging when pwdChangedTime
      attribute is not present (ITS#9625)
    Fixed slapo-ppolicy10 to restore OpenLDAP 2.4 compatibility (ITS#9671)

Cyrus SASL:
  No changes

OpenSSL:
  No changes

Heimdal Kerberos:
  No changes

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================

August 26, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.59.3

Release Highlights:

  This is the third release for OpenLDAP 2.4.59. It updates to the OpenSSL
  1.1.1l release and fixes a rare delta-syncrepl issue.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.59
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1l
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  Post 2.4.59 Updates:
    Fixed slapo-accesslog to make reqMod optional (ITS#9569)

Cyrus SASL:
  No changes

OpenSSL:
  OpenSSL 1.1.1l:

  SM2 Decryption Buffer Overflow (CVE-2021-3711)
  ==============================================

  Severity: High

  In order to decrypt SM2 encrypted data an application is expected to
  call the API function EVP_PKEY_decrypt(). Typically an application will
  call this function twice. The first time, on entry, the "out" parameter
  can be NULL and, on exit, the "outlen" parameter is populated with the
  buffer size required to hold the decrypted plaintext. The application
  can then allocate a sufficiently sized buffer and call
  EVP_PKEY_decrypt() again, but this time passing a non-NULL value for
  the "out" parameter.

  A bug in the implementation of the SM2 decryption code means that the
  calculation of the buffer size required to hold the plaintext returned
  by the first call to EVP_PKEY_decrypt() can be smaller than the actual
  size required by the second call. This can lead to a buffer overflow
  when EVP_PKEY_decrypt() is called by the application a second time with
  a buffer that is too small.

  A malicious attacker who is able to present SM2 content for decryption
  to an application could cause attacker chosen data to overflow the
  buffer by up to a maximum of 62 bytes altering the contents of other
  data held after the buffer, possibly changing application behaviour or
  causing the application to crash. The location of the buffer is
  application dependent but is typically heap allocated.

  OpenSSL versions 1.1.1k and below are affected by this issue. Users of
  these versions should upgrade to OpenSSL 1.1.1l.

  Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
  =============================================================

  Severity: Moderate

  ASN.1 strings are represented internally within OpenSSL as an
  ASN1_STRING structure which contains a buffer holding the string data
  and a field holding the buffer length. This contrasts with normal C
  strings which are represented as a buffer for the string data which is
  terminated with a NUL (0) byte.

  Although not a strict requirement, ASN.1 strings that are parsed using
  OpenSSL's own "d2i" functions (and other similar parsing functions) as
  well as any string whose value has been set with the ASN1_STRING_set()
  function will additionally NUL terminate the byte array in the
  ASN1_STRING structure.

  However, it is possible for applications to directly construct valid
  ASN1_STRING structures which do not NUL terminate the byte array by
  directly setting the "data" and "length" fields in the ASN1_STRING
  array. This can also happen by using the ASN1_STRING_set0() function.

  Numerous OpenSSL functions that print ASN.1 data have been found to
  assume that the ASN1_STRING byte array will be NUL terminated, even
  though this is not guaranteed for strings that have been directly
  constructed. Where an application requests an ASN.1 structure to be
  printed, and where that ASN.1 structure contains ASN1_STRINGs that have
  been directly constructed by the application without NUL terminating
  the "data" field, then a read buffer overrun can occur.

  The same thing can also occur during name constraints processing of
  certificates (for example if a certificate has been directly
  constructed by the application instead of loading it via the OpenSSL
  parsing functions, and the certificate contains non NUL terminated
  ASN1_STRING structures). It can also occur in the X509_get1_email(),
  X509_REQ_get1_email() and X509_get1_ocsp() functions.
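
The counted-buffer versus NUL-terminated distinction described above, as an added C example that is not OpenSSL or Symas code. It uses a hypothetical demo_string struct in place of ASN1_STRING and a constructed byte array, and contrasts a strlen()-based read with a length-respecting renderer and comparison.

```c
/* Added illustration, not OpenSSL code. demo_string, arena and the helper
 * names are hypothetical; only the data+length idea comes from the advisory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Like ASN1_STRING: a byte buffer plus an explicit length, no terminator. */
struct demo_string {
    const unsigned char *data;
    size_t length;
};

/* Constructed layout: a 5-byte value followed directly by unrelated bytes in
 * the same array. Reading past the value stays inside one object, so the
 * demonstration has defined behaviour; in a real process the neighbouring
 * bytes are whatever happens to sit after the buffer. */
static const unsigned char arena[32] = "aliceSECRET-KEY-MATERIAL";

/* Flawed pattern: trusts a NUL terminator the structure never promised. */
static size_t bytes_read_assuming_nul(const struct demo_string *s)
{
    return strlen((const char *)s->data);
}

/* Length-respecting pattern: emit exactly s->length bytes, escape anything
 * non-printable (including embedded NULs) as \xNN, always terminate `out`.
 * Returns bytes written, or (size_t)-1 if `out` cannot hold the result. */
static size_t render_counted(const struct demo_string *s, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (out == NULL || outsz == 0)
        return (size_t)-1;
    for (size_t i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= outsz) {        /* keep one byte for the terminator */
            out[0] = '\0';
            return (size_t)-1;
        }
        if (printable) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

/* Comparison that an embedded NUL cannot cut short: lengths must match. */
static int counted_equals(const struct demo_string *s, const char *expected)
{
    size_t n = strlen(expected);
    return s->length == n && memcmp(s->data, expected, n) == 0;
}

int main(void)
{
    struct demo_string name = { arena, 5 };   /* the value is just "alice" */
    char out[64];

    printf("assuming NUL: %zu bytes read\n", bytes_read_assuming_nul(&name));
    if (render_counted(&name, out, sizeof out) != (size_t)-1)
        printf("using length: \"%s\"\n", out);
    printf("equals \"alice\": %d\n", counted_equals(&name, "alice"));
    return 0;
}
```

The strlen()-based read walks into the bytes that follow the 5-byte value, which is the over-read the advisory describes; the length-respecting helpers never look past `length`.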

  If a malicious actor can cause an application to directly construct an
  ASN1_STRING and then process it through one of the affected OpenSSL
  functions then this issue could be hit. This might result in a crash
  (causing a Denial of Service attack). It could also result in the
  disclosure of private memory contents (such as private keys, or
  sensitive plaintext).

Heimdal Kerberos:
  No changes

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================

August 14, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.59.2

Release Highlights:

  This is the second release for OpenLDAP 2.4.59. It fixes a syncrepl
  refresh issue, a multival segfault, and a possible sessionlog segfault.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.59
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1k
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  Post 2.4.59 Updates:
    Fixed slapd syncrepl to include full set of changes in a diff (ITS#7766)
    Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608)
    Fixed slapd-mdb multival crash when attribute is missing an equality
      matchingrule (ITS#9621)

Cyrus SASL:
  No changes

OpenSSL:
  No changes

Heimdal Kerberos:
  No changes

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================

June 8, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.59.1

Release Highlights:

  This is the first release for OpenLDAP 2.4.59. It fixes configuration of
  TLS cipher suites with TLS 1.3 and other minor changes.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.59
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1k
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  OpenLDAP 2.4.59 Release
    Fixed libldap TLSv1.3 cipher suites with OpenSSL 1.1.1 (ITS#9521)
    Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530)
    Fixed slapd syncrepl handling of add+delete on single value attr
      (ITS#9295)
    Fixed slapd-mdb cursor init check (ITS#9526)
    Fixed slapd-mdb deletion of context entry (ITS#9531)
    Fixed slapd-mdb off-by-one affecting search scope (ITS#9557)
    Fixed slapo-pcache locking during expiration (ITS#9529)
    Contrib
      Fixed slapo-autogroup to not thrash thread context (ITS#9494)
    Documentation
      ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559)

Cyrus SASL:
  No changes

OpenSSL:
  No changes

Heimdal Kerberos:
  hx509: correct ASN.1 OID typo for SHA-384 (Issue 776)

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================

April 28, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.58.3

Release Highlights:

  This is the third release for OpenLDAP 2.4.58. It fixes a rare issue
  with delta-sync replication and single valued attributes, fixes OpenLDAP
  to correctly honor TLS v1.3 cipher suites, fixes the autogroup overlay
  thread context, fixes an issue where slapadd -w could segfault, and
  fixes mutex locking with the pcache overlay. It also adds TCP timeout
  support to the asyncmeta backend.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.58
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1k
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  Post 2.4.58 Updates:
    Added back-asyncmeta TCP user timeout support (ITS#9502)
    Fixed libldap TLSv1.3 cipher suites with OpenSSL 1.1.1 (ITS#9521)
    Fixed slapd syncrepl handling of add+delete on single value attr
      (ITS#9295)
    Fixed slapd-mdb cursor init check (ITS#9526)
    Fixed slapo-autogroup to not thrash thread context (ITS#9494)
    Fixed slapo-pcache locking in consistency_check (ITS#9529)
    Fixed slapo-ppolicy10 hashing should be independent of a usable policy
      (ITS#7788)

Cyrus SASL:
  No changes

OpenSSL:
  OpenSSL 1.1.1k Release

  *) Fixed a problem with verifying a certificate chain when using the
     X509_V_FLAG_X509_STRICT flag. This flag enables additional security
     checks of the certificates present in a certificate chain. It is not
     set by default.

     Starting from OpenSSL version 1.1.1h a check to disallow certificates
     in the chain that have explicitly encoded elliptic curve parameters
     was added as an additional strict check.

     An error in the implementation of this check meant that the result of a
     previous check to confirm that certificates in the chain are valid CA
     certificates was overwritten. This effectively bypasses the check that
     non-CA certificates must not be able to issue other certificates.

     If a "purpose" has been configured then there is a subsequent
     opportunity for checks that the certificate is a valid CA. All of the
     named "purpose" values implemented in libcrypto perform this check.
     Therefore, where a purpose is set the certificate chain will still be
     rejected even when the strict flag has been used.

     A purpose is set by default in libssl client and server certificate
     verification routines, but it can be overridden or removed by an
     application.

     In order to be affected, an application must explicitly set the
     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
     for the certificate verification or, in the case of TLS client or
     server applications, override the default purpose.
     (CVE-2021-3450)
     [Tomáš Mráz]

  *) Fixed an issue where an OpenSSL TLS server may crash if sent a
     maliciously crafted renegotiation ClientHello message from a client.
     If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms
     extension (where it was present in the initial ClientHello), but
     includes a signature_algorithms_cert extension then a NULL pointer
     dereference will result, leading to a crash and a denial of service
     attack.

     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
     (which is the default configuration). OpenSSL TLS clients are not
     impacted by this issue.
     (CVE-2021-3449)
     [Peter Kästle and Samuel Sapalski]

Heimdal Kerberos:
  No changes

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================

March 25, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.58.2

Release Highlights:

  This is the second release for OpenLDAP 2.4.58. It fixes password
  hashing in ppolicy10 when there is no usable policy.
  It also upgrades OpenSSL to 1.1.1k.

  This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.58
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1k
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  Post 2.4.58 Updates:
    Fixed slapo-ppolicy10 hashing should be independent of a usable policy
      (ITS#7788)

Cyrus SASL:
  No changes

OpenSSL:
  OpenSSL 1.1.1k Release

  *) Fixed a problem with verifying a certificate chain when using the
     X509_V_FLAG_X509_STRICT flag. This flag enables additional security
     checks of the certificates present in a certificate chain. It is not
     set by default.

     Starting from OpenSSL version 1.1.1h a check to disallow certificates
     in the chain that have explicitly encoded elliptic curve parameters
     was added as an additional strict check.

     An error in the implementation of this check meant that the result of a
     previous check to confirm that certificates in the chain are valid CA
     certificates was overwritten.
     This effectively bypasses the check that non-CA certificates must not
     be able to issue other certificates.

     If a "purpose" has been configured then there is a subsequent
     opportunity for checks that the certificate is a valid CA. All of the
     named "purpose" values implemented in libcrypto perform this check.
     Therefore, where a purpose is set the certificate chain will still be
     rejected even when the strict flag has been used.

     A purpose is set by default in libssl client and server certificate
     verification routines, but it can be overridden or removed by an
     application.

     In order to be affected, an application must explicitly set the
     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
     for the certificate verification or, in the case of TLS client or
     server applications, override the default purpose.
     (CVE-2021-3450)
     [Tomáš Mráz]

  *) Fixed an issue where an OpenSSL TLS server may crash if sent a
     maliciously crafted renegotiation ClientHello message from a client.
     If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms
     extension (where it was present in the initial ClientHello), but
     includes a signature_algorithms_cert extension then a NULL pointer
     dereference will result, leading to a crash and a denial of service
     attack.

     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
     (which is the default configuration). OpenSSL TLS clients are not
     impacted by this issue.
     (CVE-2021-3449)
     [Peter Kästle and Samuel Sapalski]

Heimdal Kerberos:
  No changes

GPerfTools:
  No changes

Libtool:
  No changes

Libsodium:
  No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments. However, as is always the
  case with any software, please test it in your own environment to make
  sure it meets your requirements, maintain backups of critical data, and
  make appropriate provisions for unexpected outages.
Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

March 16, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.58.1

Release Highlights:

This is the first release for OpenLDAP 2.4.58. It includes fixes for
slapd for replication and various fixes for malicious packets. It also
upgrades to OpenSSL 1.1.1j.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.58
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1j
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    OpenLDAP 2.4.58 Release
        Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9454)
        Fixed slapd to alloc new conn struct after freeing old one (ITS#9458)
        Fixed slapd syncrepl to check all contextCSNs (ITS#9282)
        Fixed slapd-bdb lockdetect config (ITS#9449)
        Fixed slapd-asyncmeta hanging operations (ITS#9479)
        Fixed slapd-asyncmeta memory leak (ITS#9491)
        Fixed slapd-asyncmeta timeout loop (ITS#9456)

Cyrus SASL: No changes

OpenSSL:
    OpenSSL 1.1.1j Release

    *) Fixed the X509_issuer_and_serial_hash() function.
       It attempts to create a unique hash value based on the issuer and
       serial number data contained within an X509 certificate. However it
       was failing to correctly handle any errors that may occur while
       parsing the issuer field (which might occur if the issuer field is
       maliciously constructed). This may subsequently result in a NULL
       pointer deref and a crash leading to a potential denial of service
       attack.
       (CVE-2021-23841)
       [Matt Caswell]

    *) Fixed the RSA_padding_check_SSLv23() function and the
       RSA_SSLV23_PADDING padding mode to correctly check for rollback
       attacks. This is considered a bug in OpenSSL 1.1.1 because it does
       not support SSLv2. In 1.0.2 this is CVE-2021-23839.
       [Matt Caswell]

    *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
       functions. Previously they could overflow the output length
       argument in some cases where the input length is close to the
       maximum permissible length for an integer on the platform. In such
       cases the return value from the function call would be 1
       (indicating success), but the output length value would be
       negative. This could cause applications to behave incorrectly or
       crash.
       (CVE-2021-23840)
       [Matt Caswell]

    *) Fixed SRP_Calc_client_key so that it runs in constant time. The
       previous implementation called BN_mod_exp without setting
       BN_FLG_CONSTTIME. This could be exploited in a side channel attack
       to recover the password. Since the attack is local host only this
       is outside of the current OpenSSL threat model and therefore no CVE
       is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga
       for reporting this issue.

Heimdal Kerberos: No changes
GPerfTools: No changes
Libtool: No changes
Libsodium: No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments.
However, as is always the case with any software, please test it in your
own environment to make sure it meets your requirements, maintain backups
of critical data, and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

January 20, 2021

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.57.1

Release Highlights:

This is the first release for OpenLDAP 2.4.57. It includes fixes for
slapd-ldap to fix binds on retry with closed connections and various
fixes for malicious packets. It also upgrades to OpenSSL 1.1.1i.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.57
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1i
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    OpenLDAP 2.4.57 Release
        Fixed ldapexop to use correct return code (ITS#9417)
        Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
        Fixed slapd to remove assert in csnValidate (ITS#9410)
        Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)
        Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424)
        Fixed slapd AVA sort with invalid RDN (ITS#9412)
        Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425)
        Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407)
        Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409)
        Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413)
        Fixed slapd modrdn memory leak (ITS#9420)
        Fixed slapd double-free in vrfilter (ITS#9408)
        Fixed slapd cancel operation to correctly terminate (ITS#9428)
        Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400)
        Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394)

Cyrus SASL: No changes

OpenSSL:
    *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function

       This function could crash if both GENERAL_NAMEs contain an
       EDIPARTYNAME. If an attacker can control both items being compared
       then this could lead to a possible denial of service attack.
       OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
       1) Comparing CRL distribution point names between an available CRL
          and a CRL distribution point embedded in an X509 certificate
       2) When verifying that a timestamp response token signer matches
          the timestamp authority name (exposed via the API functions
          TS_RESP_verify_response and TS_RESP_verify_token)
       (CVE-2020-1971)
       [Matt Caswell]

    *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc
       target.
       [Stuart Carnie]

    *) The security callback, which can be customised by application code,
       supports the security operation SSL_SECOP_TMP_DH. This is defined
       to take an EVP_PKEY in the "other" parameter. In most places this
       is what is passed. All these places occur server side. However
       there was one client side call of this security operation and it
       passed a DH object instead. This is incorrect according to the
       definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the
       other locations. Therefore this client side call has been changed
       to pass an EVP_PKEY instead.
       [Matt Caswell]

    *) In 1.1.1h, an expired trusted (root) certificate was no longer
       rejected when validating a certificate path. This check is restored
       in 1.1.1i.
       [David von Oheimb]

Heimdal Kerberos: No changes
GPerfTools: No changes
Libtool: No changes
Libsodium: No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

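The four "Upgrade warning" boxes repeated in these release notes amount to a pre-upgrade decision procedure. The shell sketch below is an added example, not Symas tooling: the function names, action codes and yes/no arguments are hypothetical, and it assumes that "2.4.49-1" and "2.4.49.1" denote the same release.

```shell
#!/bin/sh
# Added example (not Symas tooling): turn the "Upgrade warning" boxes in
# these release notes into a pre-upgrade checklist.
# Assumptions: function names, action codes and yes/no arguments are
# hypothetical; "2.4.49-1" and "2.4.49.1" are treated as the same release.

# ver_lt A B -> exit 0 when version A is strictly older than version B.
# Components are split on "." and "-"; missing components count as 0.
ver_lt() {
    _a=$(printf '%s.' "$1" | sed 's/-/./g')
    _b=$(printf '%s.' "$2" | sed 's/-/./g')
    for _i in 1 2 3 4 5; do
        _x=$(printf '%s' "$_a" | cut -d. -f"$_i")
        _y=$(printf '%s' "$_b" | cut -d. -f"$_i")
        _x=${_x:-0}
        _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
    done
    return 1
}

# pre_upgrade_actions FROM_VERSION BACKEND PPOLICY CNCONFIG MULTIVAL
#   FROM_VERSION  release currently installed, e.g. 2.4.47.2
#   BACKEND       mdb | bdb | hdb
#   PPOLICY       yes if slapo-ppolicy is configured
#   CNCONFIG      yes if the server is configured through cn=config
#   MULTIVAL      yes if multival_hi/multival_lo will be set or changed
# Prints one "CODE: action" line per warning that applies.
pre_upgrade_actions() {
    _from=$1 _backend=$2 _ppolicy=$3 _cnconfig=$4 _multival=$5
    case $_from in
        ''|*[!0-9.-]*) echo "unparseable version: $_from" >&2; return 2 ;;
    esac
    # Box 2: back-bdb and back-hdb have been removed from these builds.
    case $_backend in
        bdb|hdb) echo "MIGRATE_BACKEND: migrate back-$_backend to back-mdb before upgrading" ;;
    esac
    # Box 1: pwdChangedTime was stored incorrectly before 2.4.49-1.
    if [ "$_ppolicy" = yes ] && ver_lt "$_from" 2.4.49-1; then
        echo "RELOAD_PPOLICY: slapcat, then slapadd, to rewrite pwdChangedTime"
    fi
    # Box 3: the reload is tied to setting multival_hi/multival_lo on
    # back-mdb, so the version is not used as a gate (conservative reading).
    if [ "$_backend" = mdb ] && [ "$_multival" = yes ]; then
        echo "RELOAD_MULTIVAL: slapcat before the multival change, slapadd after"
    fi
    # Box 4: a cn=config ppolicy schema created before 2.4.43.1 lacks
    # pwdMaxRecordedFailure (OID 1.3.6.1.4.1.42.2.27.8.1.30).
    if [ "$_ppolicy" = yes ] && [ "$_cnconfig" = yes ] \
        && ver_lt "$_from" 2.4.43.1; then
        echo "ADD_PPOLICY_SCHEMA: add the pwdMaxRecordedFailure attribute type before upgrading"
    fi
    return 0
}

# Run as a script only when arguments are supplied.
if [ "$#" -gt 0 ]; then
    pre_upgrade_actions "$@"
fi
```

An empty result means none of the four warnings applies to the described installation; an unparseable version returns status 2 rather than silently reporting nothing to do.
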
============================================================================

October 28, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.55.1

Release Highlights:

This is the first release for OpenLDAP 2.4.55. It includes fixes for
dynlist filtering and three potential asserts from malicious packets.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.55
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1h
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    OpenLDAP 2.4.55 Release
        Fixed slapd normalization handling with modrdn (ITS#9370)
        Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)
        Contrib
            Fixed nssov misplaced semicolon (ITS#8731, ITS#9368)
    OpenLDAP 2.4.54 Release (2020/10/12)
        Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
        Fixed slapd delta-syncrepl to be fully serialized (ITS#9330)
        Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352)
        Fixed slapd syncrepl to be fully serialized (ITS#8102)
        Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345)
        Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355)
        Fixed slapd syncrepl to not create empty ADD ops (ITS#9359)
        Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295)
        Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353)
        Fixed slapo-accesslog normalizer for reqStart (ITS#9358)
        Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361)
        Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015)
        Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486)
    Post 2.4.55 Updates:
        Fixed slapd to remove assert in certificateListValidate (ITS#9383)
        Fixed slapd to remove assert in csnNormalize23 (ITS#9384)
        Fixed slapd to better parse ldapi listener URIs (ITS#9379)

Cyrus SASL: No changes
OpenSSL: No changes
Heimdal Kerberos: No changes
GPerfTools: No changes
Libtool: No changes
Libsodium: No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

October 3, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.53.2

Release Highlights:

This is the second release for OpenLDAP 2.4.53. It includes several fixes
to replication.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.53
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1h
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    OpenLDAP 2.4.53 Updates:
        More fixes for slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
        More fixes for slapd syncrepl replace usage on single valued attrs (ITS#9295)
        Fixed slapd syncrepl to not create empty ADD ops (ITS#9359)
        Fixed slapo-accesslog normalizer for reqStart (ITS#9358)
        Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361)
        Fixed slapo-syncprov to use an AVL tree for sessionlog (ITS#8486)

Cyrus SASL: No changes
OpenSSL: No changes
Heimdal Kerberos: No changes
GPerfTools: No changes
Libtool: No changes
Libsodium: No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

September 24, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.53.1

Release Highlights:

This is the first release for OpenLDAP 2.4.53. It includes a fix for
being able to modify listener threads for slapd on the fly and an
enhancement to dynlist that makes it easier to replace the memberOf
overlay. It upgrades to OpenSSL 1.1.1h.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.53
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1h
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
    Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
    Added slapd syncrepl additional SYNC logging (ITS#9043)
    Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
    Fixed librewrite malloc/free corruption (ITS#9249)
    Fixed libldap hang when using UDP and server down (ITS#9328)
    Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
    Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
    Fixed slapd-mdb index error with collapsed range (ITS#9135)
    Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
    Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
    Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
    Build
        Require OpenSSL 1.0.2 or later (ITS#9323)
        Fixed libldap compilation issue with broken C compilers (ITS#9332)
    OpenLDAP 2.4.53 Updates:
        Added slapd syncrepl status to cn=monitor (ITS#9339)
        Added slapo-dynlist to have memberOf attribute built in (ITS#9121)
        Fixed slapd elapsed time calculation (ITS#8054)
        Fixed slapd cn=config modification of olcListenerThreads (ITS#7926)
        Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
        Fixed slapd delta-syncrepl to be fully serialized (ITS#9330)
        Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352)
        Fixed slapd syncrepl to be fully serialized (ITS#8102)
        Fixed slapd syncrepl cookie on restart (ITS#9345)
        Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355)
        Fixed slapd syncrepl to not update main CSN during delete phase (ITS#8768)
        Fixed slapd syncrepl to track delcsn (ITS#8768)
        Fixed slapd syncrepl to use btree for sessionlog (ITS#8486, ITS#9222)
        Build
            Fixed test063-delta-multiprovider to use more than 2 MPR nodes (ITS#9346)
            Fixed test067-tls for Solaris (ITS#9302, ITS#9344)

Cyrus SASL: No changes
OpenSSL: Upgrade to 1.1.1h release
Heimdal Kerberos: No changes
GPerfTools: No changes
Libtool: No changes
Libsodium: No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

August 17, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.51.1

Release Highlights:

This is the first release for OpenLDAP 2.4.51. In addition to the main
OpenLDAP release changes, it contains a fix for a deadlock in Heimdal,
adds the ability to do locking for slapo-unique, adds support for ppolicy
draft 10 in a separate module named ppolicy10, and adds several new
improvements to the slapo-dynlist overlay, such as dynamic memberOf
generation from static groups and reverse lookups on dynamic groups. See
the slapo-dynlist(5) man page for additional details.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the          *
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in    *
* the database. Existing incorrect records could cause slapd to      *
* crash if a database administrator uses the Relax control to modify *
* pwdChangedTime.                                                    *
*                                                                    *
* Users of the ppolicy overlay who are upgrading from a release      *
* prior to 2.4.49-1 are recommended to reload the database via       *
* slapcat/slapadd to fix their existing data                         *
*                                                                    *
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.   *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.51
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1g
    GPerftools 2.7.0 (Select platforms)
    Heimdal Kerberos 7.7.0 (Select platforms)
    Kstart 4.2 (Select platforms)
    libsodium 1.0.18

Summary of Changes:

OpenLDAP:
    Added locking ability to slapo-unique (ITS#9264)
    Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
    Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
    Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287)
    Fixed slapd to enforce singular existence of some overlays (ITS#9309)
    Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227)
    Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282)
    Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295)
    Fixed slapd syncrepl mincsn check with successful sessionlog replay (ITS#9059)
    Fixed slapd-perl dynamic config with threaded slapd (ITS#7573)
    Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
    Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
    Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
    Fixed slapo-chain to check referral (ITS#9262)
    Build Environment
        Fix test064 so it no longer uses bashisms (ITS#9263)
    Contrib
        Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248)
        slapo-allowed - Fix usage of uninitialized variable (ITS#9308)
    Documentation
    ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271)
Cyrus SASL:
  No changes
OpenSSL:
  No changes
Heimdal Kerberos:
  Fix CVE-2019-14870
  Fix deadlock in lib/krb5/mcache.c #432
GPerfTools:
  No changes
Libtool:
  No changes
Libsodium:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

April 28, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.50.1

Release Highlights:

This is the first release for OpenLDAP 2.4.50. It additionally includes an
upgrade of OpenSSL to the 1.1.1g release and adds a new password hashing
module for OpenLDAP, pw-argon2.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The 2.4.49-1 and later releases fix an issue with how the
* slapo-ppolicy(5) overlay stores the pwdChangedTime attribute in
* the database. Existing incorrect records could cause slapd to
* crash if a database administrator uses the Relax control to modify
* pwdChangedTime.
*
* Users of the ppolicy overlay who are upgrading from a release
* prior to 2.4.49-1 are recommended to reload the database via
* slapcat/slapadd to fix their existing data
*
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.50
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1g
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)
  libsodium 1.0.18

Summary of Changes:

OpenLDAP:
  OpenLDAP 2.4.50 Updates:
    Fixed client benign typos (ITS#8890)
    Fixed libldap type cast (ITS#9175)
    Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
    Fixed libldap_r race on Windows mutex initialization (ITS#9181)
    Fixed liblunicode memory leak (ITS#9198)
    Fixed slapd benign typos (ITS#8890)
    Fixed slapd to limit depth of nested filters (ITS#9202)
    Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214)
    Fixed slapo-pcache database initialization (ITS#9182)
    Fixed slapo-ppolicy callback (ITS#9171)
    Build
      Fix olcDatabaseDummy initialization for windows (ITS#7074)
      Fix detection for ws2tcpip.h for windows (ITS#8383)
      Fix back-mdb types for windows (ITS#7878)
    Contrib
      Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855)
      Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206)
    Documentation
      slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003)
      slapd-meta(5) - Remove client-pr option (ITS#8683)
      slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)
Cyrus SASL:
  No changes
OpenSSL:
  Upgrade to 1.1.1g release
Heimdal Kerberos:
  No changes
GPerfTools:
  No changes
Libtool:
  No changes
Libsodium:
  Added

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

April 14, 2020

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.49.1

Release Highlights:

This is the first release for OpenLDAP 2.4.49. This release also upgrades
kstart to the 4.2 release, includes a fix for CVE-2019-19906 for
Cyrus-SASL, and includes a fix for CVE-2019-1551 for OpenSSL.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* This release fixes an issue with how the slapo-ppolicy(5) overlay
* stores the pwdChangedTime attribute in the database. Existing
* incorrect records could cause slapd to crash if a database
* administrator uses the Relax control to modify pwdChangedTime.
*
* Users of the ppolicy overlay are recommended to reload the
* database via slapcat/slapadd to fix their existing data
*
**********************************************************************

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.49
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1d
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)
  Kstart 4.2 (Select platforms)

Summary of Changes:

OpenLDAP:
  2.4.49 Updates:
    Added slapd-monitor database entry count for slapd-mdb (ITS#9154)
    Fixed client tools to not add controls on cancel/abandon (ITS#9145)
    Fixed client tools SyncInfo message to be LDIF compliant (ITS#8116)
    Fixed libldap to correctly free sb (ITS#9081, ITS#8755)
    Fixed libldap descriptor leak if ldaps fails (ITS#9147)
    Fixed libldap remove unnecessary global mutex for GnuTLS (ITS#9069)
    Fixed slapd syntax evaluation of preferredDeliveryMethod (ITS#9067)
    Fixed slapd to relax domainScope control check (ITS#9100)
    Fixed slapd to have cleaner error handling during connection setup (ITS#9112)
    Fixed slapd data check when processing cancel exop (ITS#9124)
    Fixed slapd attribute description processing (ITS#9128)
    Fixed slapd-ldap to set oldctrls correctly (ITS#9076)
    Fixed slapd-mdb to honor unchecked limit with alias deref (ITS#7657)
    Fixed slapd-mdb missing final commit with slapindex (ITS#9095)
    Fixed slapd-mdb drop attr mappings added in an aborted txn (ITS#9091)
    Fixed slapd-mdb nosync FLAG configuration handling (ITS#9150)
    Fixed slapd-monitor global operation counter reporting (ITS#9119)
    Fixed slapo-ppolicy when used with slapauth (ITS#8629)
    Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)
    Fixed slapo-syncprov fix sessionlog init (ITS#9146)
    Fixed slapo-unique loop termination (ITS#9077)
    Build Environment
      Fix mkdep to honor TMPDIR if set (ITS#9062)
      Remove ICU library detection (ITS#9144)
      Update config.guess and config.sub to support newer architectures (ITS#7855)
      Disable ITS8521 regression test as it is no longer valid (ITS#9015)
    Documentation
      admin24 - Fix inconsistent whitespace in replication section
        (ITS#9153)
      slapd-config(5)/slapd.conf(5) - Fix missing bold tag for keyword (ITS#9063)
      slapd-ldap(5) - Document "tls none" option (ITS#9071)
      slapo-ppolicy(5) - Correctly document pwdGraceAuthnLimit (ITS#9065)
  Post 2.4.49 Updates:
    Enhanced dynlist functionality (ITS#9121)
Cyrus SASL:
  Backport fix for cyrus-sasl issue #587
OpenSSL:
  Backport fix for CVE-2019-1551
Heimdal Kerberos:
  Backport fix for Heimdal issue #431
GPerfTools:
  No changes
Libtool:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

September 12, 2019

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.48.2

Release Highlights:

This is the second release for OpenLDAP 2.4.48. This release fixes SOLD to
work correctly with systemd when present, updates OpenSSL to the 1.1.1d
release, and includes a fix for back-ldap (ITS#9076).

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.48
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1d
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)

Summary of Changes:

OpenLDAP:
  Post 2.4.48 Updates:
    Fixed back-ldap freeing wrong controls (ITS#9076)
Cyrus SASL:
  No changes
OpenSSL:
  Update to OpenSSL 1.1.1d
Heimdal Kerberos:
  No changes
GPerfTools:
  No changes
Libtool:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

July 24, 2019

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.48.1

Release Highlights:

This is the first release for OpenLDAP 2.4.48. This release fixes the
feature for slapd-mdb to allow a configurable IDL size. This can improve
search performance on large databases where a specific value for an
attribute is used in more than 64k objects. It also includes the OpenLDAP
2.4.48 release fixes as documented below, including fixes for
CVE-2019-13057 (ITS#9038) and CVE-2019-13565 (ITS#9052).

This release contains the ability to replicate from DSEE.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.48
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1b
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.7.0 (Select platforms)

Summary of Changes:

OpenLDAP:
  2.4.48 Updates:
    Added libldap OpenSSL Elliptic Curve support (ITS#7595)
    Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671)
    Added slapd-monitor support for slapd-mdb (ITS#7770)
    Fixed liblber leaks (ITS#8727)
    Fixed liblber with partial flush (ITS#8864)
    Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
    Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
    Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
    Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
    Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450)
    Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674)
    Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754)
    Fixed libldap to correctly close TLS connection (ITS#8755)
    Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
    Fixed liblunicode case correspondence (ITS#8508)
    Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
    Fixed slapd config parser variable for Windows64 (ITS#9012)
    Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015)
    Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
    Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
    Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038)
    Fixed slapd to initialize SASL SSF per connection (ITS#9052)
    Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
    Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
    Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997)
    Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
    Fixed slapd-meta assertion
      when network interface goes down (ITS#8841)
    Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
    Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
    Fixed slapd-mdb to improve performance with alias deref (ITS#7657)
    Fixed slapo-accesslog possible assert with exops (ITS#8971)
    Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637)
    Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
    Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663)
    Fixed slapo-memberof for group name change to itself (ITS#9000)
    Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
    Fixed slapo-rwm to not free original filter (ITS#8964)
    Fixed slapo-syncprov contextCSN generation (ITS#9015)
    Build Environment
      Fixed slapd to only link to BDB libraries with static build (ITS#8948)
      Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794)
      Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041)
    Documentation
      General - Fixed minor typos (ITS#8764, ITS#8761)
      admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031)
      slapd.access(5) - Note MDB is the primary backend (ITS#8881)
      slapd.backends(5) - Note MDB is the recommended backend (ITS#8771)
      slapd-ldap(5) - Document starttls parameter (ITS#8693)
    Contrib
      Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721)
  Post 2.4.48 Updates:
    Fixed slapd alias deref to honor sizelimit.unchecked settings (ITS#7657)
Cyrus SASL:
  No changes
OpenSSL:
  No changes
Heimdal Kerberos:
  7.7.0 Updates:
    - PKCS#11 hcrypto back-end
      . initialize the p11_module_load function list
      . verify that not only is a mechanism present but that its mechanism
        info states that it offers the required encryption, decryption or
        digest services
    - krb5:
      . Starting with 7.6, Heimdal permitted requesting authenticated
        anonymous tickets. However, it did not verify that a KDC in fact
        returned an anonymous ticket when one was requested.
    - Cease setting the KDCOption request_anonymous flag when issuing
      S4UProxy (constrained delegation) TGS requests.
      . when the Win2K PKINIT compatibility option is set, do not require
        krbtgt otherName to match when validating KDC certificate.
      . set PKINIT_BTMM flag per Apple implementation
      . use memset_s() instead of memset()
    - kdc:
      . When generating KRB5SignedPath in the AS, use the reply client name
        rather than the one from the request, so validation will work
        correctly in the TGS.
      . allow checksum of PA-FOR-USER to be HMAC_MD5. Even if tgt used an
        enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER
        the checksum is always HMAC_MD5, and that's what Windows and MIT
        clients send. In heimdal both the client and kdc use instead the
        checksum of the tgt, and therefore work with each other but Windows
        and MIT clients fail against heimdal KDC. Both Windows and MIT KDCs
        would allow any keyed checksum to be used so Heimdal client
        interoperates with them. Change Heimdal KDC to allow HMAC_MD5 even
        for non RC4 based tgt in order to support per-spec clients.
      . use memset_s() instead of memset().
    - Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
      (constrained delegation) TGS Requests with the request anonymous flag
      set. These requests will be treated as S4UProxy requests and not
      anonymous requests.
    - HDB:
      . Set SQLite3 backend default page size to 8KB.
      . Add hdb_set_sync() method
    - kadmind:
      . disable HDB sync during database load avoiding unnecessary disk i/o.
    - ipropd:
      . disable HDB sync during receive_everything. Doing an fsync
        per-record when receiving the complete HDB is a performance
        disaster. Among other things, if the HDB is very large, then one
        slave receiving a full HDB can cause other slaves to time out and,
        if HDB write activity is high enough to cause iprop log truncation,
        then also need full syncs, which leads to a cycle of full syncs for
        all slaves until HDB write activity drops.
        Allowing the iprop log to be larger helps, but improving
        receive_everything() performance helps even more.
    - kinit:
      . Anonymous PKINIT tickets discard the realm information used to
        locate the issuing AS. Store the issuing realm in the credentials
        cache in order to locate a KDC which can renew them.
      . Do not leak the result of krb5_cc_get_config() when determining
        anonymous PKINIT start realm.
    - klist:
      . Show transited-policy-checked, ok-as-delegate and anonymous flags
        when listing credentials.
    - tests:
      . Regenerate certs so that they expire before the 2038 armageddon so
        the test suite will pass on 32-bit operating systems until the
        underlying issues can be resolved.
    - Solaris:
      . Define _STDC_C11_BCI for memset_s prototype
    - build tooling:
      . Convert from python 2 to python 3
    - documentation
      . rename verify-password to verify-password-quality
      . hprop default mode is encrypt
      . kadmind "all" permission does not include "get-keys"
      . verify-password-quality might not be stateless
GPerfTools:
  No changes
Libtool:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

March 20, 2019

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.47.3

Release Highlights:

This is the third release for OpenLDAP 2.4.47. This release adds a new
feature for slapd-mdb to allow a configurable IDL size.
This can improve search performance on large databases where a specific
value for an attribute is used in more than 64k objects. It also includes
additional post-OpenLDAP 2.4.47 fixes as documented below.

For the Solaris 11 platform only, the init system has been migrated to
using the Solaris manifest system instead of the deprecated init.d method.
The svcadmin command should be used for managing solserver.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.47
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1b
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

OpenLDAP:
  Post 2.4.47 Updates:
    Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
    Fixed libldap ASYNC TLS so it works (ITS#8957)
    Fixed liblmdb ITS#8969 Tweak mdb_page_split
    Fixed liblmdb ITS#8975 WIN32 fix writemap set_mapsize crash
    Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
    Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
    Fixed slapo-accesslog possible assert with exops (ITS#8971)
    Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
    Updated slapd.overlays(5) man page to include Symas specific overlays (Symas #206)
    New feature: Configurable IDL sizes with slapd-mdb (ITS#8977)
    Fixed slapo-remoteauth so it can work on multiple databases (Symas #214)
Cyrus SASL:
  No changes
OpenSSL:
  Fixed runpath for OpenSSL binaries
  Updated to version 1.1.1b
  Post 1.1.1b fixes:
    Applied fix for CVE-2019-1543
    Applied fix for a memory corruption issue (OpenSSL#8375)
Heimdal Kerberos:
  No changes
GPerfTools:
  No changes
Libtool:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments.
However, as is always the case with any software, please test it in your
own environment to make sure it meets your requirements, maintain backups
of critical data, and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

January 26, 2019

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.47.2

Release Highlights:

This is the second release for OpenLDAP 2.4.47. This release fixes an
issue with the RUNPATH for the OpenSSL binaries.

This release is recommended for all users.

Upgrade warning:

**********************************************************************
* The deprecated back-bdb and back-hdb backends have been removed.
*
* If you are currently using either of these backends it will be
* necessary to migrate to back-mdb prior to upgrade.
*
* Please contact support for additional assistance.
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for
* LMDB/MDB databases for versions prior to 2.4.44.5.
*
* If you are setting or changing the back-mdb values multival_hi and
* multival_lo it will be necessary to back up any affected databases
* using slapcat before making the change and restoring them with
* slapadd after making the change.
*
* If you are not setting these values then a database reload is not
* needed.
*
* Please contact support for additional assistance. Back-BDB/HDB
* databases are unaffected.
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements
* for slapo-ppolicy for customers using the cn=config backend if
* it was configured prior to the SOLD 2.4.43.1 release.
*
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is
* in use via cn=config, then it will be necessary to modify the
* schema for ppolicy prior to upgrading
*
* Specifically, the following attribute definition must be added:
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30
*   NAME 'pwdMaxRecordedFailure'
*   EQUALITY integerMatch ORDERING integerOrderingMatch
*   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
*
* Please contact support for additional assistance.
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.47
  Cyrus SASL 2.1.26
  OpenSSL 1.1.1a
  GPerftools 2.7.0 (Select platforms)
  Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

OpenLDAP:
  No changes
Cyrus SASL:
  No changes
OpenSSL:
Heimdal Kerberos:
  No changes
GPerfTools:
  Updated to version 2.7.0
Libtool:
  No changes

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it
meets your requirements, maintain backups of critical data, and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!
============================================================================

January 9, 2019

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.47.1

Release Highlights:

This is the first release for OpenLDAP 2.4.47. This release is
recommended for all users.

This release contains several new features:

    slapo-autoca, an overlay for automated certificate management
    sync replication support for MS Active Directory
    ECDHE support at the TLS layer
    slapo-pbkdf2, an overlay to allow PBKDF2 hashes
    TLSv1.3 support

Upgrade warning:

**********************************************************************
* This release removes the deprecated back-bdb and back-hdb backends *
*                                                                    *
* If you are currently using either of these backends it will be     *
* necessary to migrate to back-mdb prior to upgrade.                 *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.47
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.1.1a
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

    OpenLDAP:
        2.4.47 Updates:
            Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051)
            Added slapd-sock ability to send extended operations to external listeners (ITS#8714)
            Fixed liblber to avoid incremental access to user-supplied bv in dupbv (ITS#8752)
            Fixed libldap dn to domain parsing with bad input (ITS#8842)
            Fixed slapd slapcat to correctly honor -g option (ITS#8667)
            Fixed slapd to correctly handle NO_SUCH_OBJECT with dynamic groups (ITS#8923)
            Fixed slapd to check status of rdnNormalize (ITS#8932)
            Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616)
            Fixed slapd sasl authz-policy "all" behavior (ITS#8909)
            Fixed slapd sasl minor typo (ITS#8918)
            Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912)
            Fixed slapd domainScope control to match Microsoft specification (ITS#8840)
            Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
            Fixed slapo-accesslog deadlock during cleanup (ITS#8752)
            Fixed slapo-memberof cn=config modifications (ITS#8663)
            Fixed slapo-ppolicy with multimaster replication (ITS#8927)
            Fixed slapo-syncprov with NULL modlist (ITS#8843)
            Build Environment
                Added slapd reproducible build support (ITS#8928)
                Fixed missing includes with OpenSSL 1.0.2 (ITS#8809)
            Contrib
                Fixed slapo-pbkdf2 hash generation (ITS#8878)
            Documentation
                admin24 fixed minor typo (ITS#8887)
        Post 2.4.47 Updates:
            Added matching rules for cn=config attributes (ITS#8286)
            Added Elliptic Curve (ECDHE) support (ITS#7595)
            Added PBKDF2 password hash overlay
            Fixed liblber leaks (ITS#8727)
            Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
    Cyrus SASL: No changes
    OpenSSL:
        OpenSSL 1.1.1a Updates:
            TLSv1.3 support
    Berkeley DB: No changes
    Heimdal Kerberos: No changes
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

November 20, 2018

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.46.3

Release Highlights:

This release is the third release for OpenLDAP 2.4.46. This release is
recommended for all users. This release adds contrib module support to
the Windows Gold edition.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.46
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2n
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

    OpenLDAP: No changes
    Cyrus SASL: No changes
    OpenSSL: No changes
    Berkeley DB: No changes
    Heimdal Kerberos: No changes
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

November 2, 2018

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.46.2

Release Highlights:

This release is the second for OpenLDAP 2.4.46. This release is
recommended for all users. Users that have configured their installation
for replication are strongly advised to upgrade.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.46
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2n
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

    OpenLDAP:
        Added Password Policy Module support for additional strength check rules
    Cyrus SASL:
        Enable saslauthd passthrough support
    OpenSSL: No changes
    Berkeley DB: No changes
    Heimdal Kerberos: No changes
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

July 26, 2018

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.46.1

Release Highlights:

This release is the first for OpenLDAP 2.4.46. It contains a critical
replication related fix. This release is recommended for all users.
Users that have configured their installation for replication are
strongly advised to upgrade.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.46
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2n
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

    Packaging:
        Added support for FreeBSD 11
    OpenLDAP:
        2.4.46 Updates:
            Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717)
            Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373)
            Fixed libldap cross-compiling with OpenSSL 1.1 (ITS#8687)
            Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791)
            Fixed libldap MozNSS CA certificate hash matching (ITS#7374)
            Fixed libldap MozNSS with PEM certs when also using an NSS cert db (ITS#7389)
            Fixed libldap MozNSS initialization (ITS#8484)
            Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650)
            Fixed libldap memory leak with cancel operations (ITS#8782)
            Fixed slapd Eventlog registry key creation on 64-bit Windows (ITS#8705)
            Fixed slapd to maintain SSF across SASL binds (ITS#8796)
            Fixed slapd syncrepl deadlock when updating cookie (ITS#8752)
            Fixed slapd syncrepl callback to always be last in the stack (ITS#8752)
            Fixed slapd telephoneNumberNormalize when the value is spaces and hyphens (ITS#8778)
            Fixed slapd CSN queue processing (ITS#8801)
            Fixed slapd-ldap TLS connection timeout with high latency connections (ITS#8720)
            Fixed slapd-ldap to ignore unknown schema when omit-unknown-schema is set (ITS#7520)
            Fixed slapd-mdb with an optimization for long lived read transactions (ITS#8226)
            Fixed slapd-meta assert when olcDbRewrite is modified (ITS#8404)
            Fixed slapd-sock with LDAP_MOD_INCREMENT operations (ITS#8692)
            Fixed slapo-accesslog cleanup to only occur on failed operations (ITS#8752)
            Fixed slapo-dds entryTTL to actually decrease as per RFC 2589 (ITS#7100)
            Fixed slapo-syncprov memory leak with delete operations (ITS#8690)
            Fixed slapo-syncprov to not clear pending operation when checkpointing (ITS#8444)
            Fixed slapo-syncprov to correctly record contextCSN values in the accesslog (ITS#8100)
            Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607)
            Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800)
            Fixed slapo-syncprov session log parsing to not block other operations (ITS#8486)
            Build Environment
                Fixed Windows build with newer MINGW version (ITS#8697)
                Fixed compiler warnings and removed unused variables (ITS#8578)
            Contrib
                Fixed ldapc++ Control structure (ITS#8583)
            Documentation
                Delete stub manpage for back-ldbm (ITS#8713)
                Fixed ldap_bind(3) to mention the LDAP_SASL_SIMPLE mechanism (ITS#8121)
                Fixed ldap.conf(5) to note SASL_MECH/SASL_REALM are no longer user-only (ITS#8818)
                Fixed slapd-config(5) typo for olcTLSCipherSuite (ITS#8715)
                Fixed slapo-syncprov(5) indexing requirements (ITS#5048)
        Post 2.4.46 Updates:
            Added the slapo-eds contrib module (ITS#8882)
            Fixed libldap dn to domain parsing with bad input (ITS#8842)
            Fix domainScope control to ensure the control value is absent as per Microsoft specification (ITS#8840)
            Fix segfault with empty operations modlist (ITS#8843)
            Fixed slapd slapcat to correctly honor -g option (ITS#8667)
            Fixed slapd-bdb/hdb/mdb AND/OR range processing of filters (ITS#8868)
            Fixed slapo-member cn=config modifications (ITS#8663)
            Fixed slapo-syncprov cn=config modifications (ITS#8616)
            Fixed slapd-mdb multival to make sure a->a_numvals matches id2v counts
    Cyrus SASL: No changes
    OpenSSL: No changes
    Berkeley DB: No changes
    Heimdal Kerberos: No changes
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments.
However, as is always the case with any software, please test it in your
own environment to make sure it meets your requirements, maintain backups
of critical data, and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

March 7, 2018

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.45.4

Release Highlights:

This release is the fourth for OpenLDAP 2.4.45. It contains an upgrade
to OpenSSL 1.0.2n and Heimdal 7.5.0. It also contains several critical
replication related fixes. This release is recommended for all users.
Users that have configured their installation for replication are
strongly advised to upgrade.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.45
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2n
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.5.0 (Select platforms)

Summary of Changes:

    Packaging:
    OpenLDAP:
        Added certificate pinning to slapo-remoteauth
        Updated eduperson schema to be current
        Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373)
        Fixed libldap memory leak with cancel operations (ITS#8782)
        Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717)
        Fixed slapd telephoneNumberNormalize when the value is spaces and hyphens (ITS#8778)
        Fixed slapd to maintain SSF across SASL binds (ITS#8796)
        Fixed slapd CSN queue processing (ITS#8801)
        Fixed slapd-mdb multival handling with attribute value reset
        Fixed slapo-syncprov to correctly record contextCSN values in the accesslog (ITS#8100)
        Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607)
        Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800)
        Fixed slapo-syncprov session log parsing to not block other operations (ITS#8486)
    Cyrus SASL: No changes
    OpenSSL:
        Upgrade to OpenSSL 1.0.2n
    Berkeley DB: No changes
    Heimdal Kerberos:
        Upgrade to Heimdal 7.5.0
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

October 9, 2017

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.45.3

Release Highlights:

This release is the third for OpenLDAP 2.4.45. It contains an upgrade
to OpenSSL 1.0.2l. This release is recommended for all users. Users that
have configured their installation for large multi-valued attributes are
strongly urged to update.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.45
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2l
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.4.0 (Select platforms)

Summary of Changes:

    Packaging:
    OpenLDAP:
        Fixed syncprov deadlock with multimaster (ITS#8752)
        Fixed slapo-syncprov to not clear pending operation when checkpointing (ITS#8444)
        Added ldapurl binary (SOLD-85)
    Cyrus SASL: No changes
    OpenSSL:
        Upgrade to OpenSSL 1.0.2l
    Berkeley DB: No changes
    Heimdal Kerberos:
        Added iprop-log utility (SOLD-78)
    GPerfTools: No changes
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

August 2, 2017

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.45.2

Release Highlights:

This release is the second for OpenLDAP 2.4.45. This release is
recommended for all users.
Users that have configured their installation for large multi-valued
attributes are strongly urged to update.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

**********************************************************************
* This release has the potential to change the schema requirements   *
* for slapo-ppolicy for customers using the cn=config backend if     *
* it was configured prior to the SOLD 2.4.43.1 release.              *
*                                                                    *
* If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is *
* in use via cn=config, then it will be necessary to modify the      *
* schema for ppolicy prior to upgrading                              *
*                                                                    *
* Specifically, the following attribute definition must be added:    *
* olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe *
* cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch *
* SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )                *
*                                                                    *
* Please contact support for additional assistance.                  *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.45
    BDB 5.3.28
    Cyrus SASL 2.1.26
    OpenSSL 1.0.2k
    GPerftools 2.6.1 (Select platforms)
    Heimdal Kerberos 7.4.0 (Select platforms)

Summary of Changes:

    Packaging:
        Fixed SLES package names (SOLD-42)
        Fixed reference to CDS in ldap.conf.default (SOLD-37)
        Fixed Windows version detection (SOLD-50)
        Added Kerberos support to Solaris builds (SOLD-57)
        Added Windows 2016 to supported OSes (SOLD-51)
        Added Debian 9 support (SOLD-58)
        Fixed path to python for GetSymasConfig.py (SOLD-61)
    OpenLDAP:
        Fixed startTLS support for slapo-remoteauth (SOLD-66)
        Fixed syncprov memory leak on delete operations (ITS#8690)
        Fixed Windows Eventlog registry key setting (ITS#8705)
    Cyrus SASL: No changes
    OpenSSL: No changes
    Berkeley DB: No changes
    Heimdal Kerberos:
        Upgrade to 7.4.0 (SOLD-70)
    GPerfTools:
        Upgrade to 2.6.1 (SOLD-71)
    Libtool: No changes

Status of this release:

This is a production release and is made available for general use.
We have tested it in our labs and in the field and we believe it is
suitable for use in production environments. However, as is always the
case with any software, please test it in your own environment to make
sure it meets your requirements, maintain backups of critical data, and
make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

June 1, 2017

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.45.1

Release Highlights:

This release is the first for OpenLDAP 2.4.45. This release is
recommended for all users. Users that have configured their installation
for large multi-valued attributes are strongly urged to update.
Upgrade warning: ********************************************************************** * This release has the potential to change the on-disk format for * * LMDB/MDB databases for versions prior to 2.4.44.5. * * * * If you are setting or changing the back-mdb values multival_hi and * * multival_lo it will be necessary to back up any affected databases * * using slapcat before making the change and restoring them with * * slapadd after making the change. * * * * If you are not setting these values then a database reload is not * * needed. * * * * Please contact support for additional assistance. Back-BDB/HDB * * databases are unaffected. * ********************************************************************** ********************************************************************** * This release has the potential to change the schema requirements * * for slapo-ppolicy for customers using the cn=config backend if * * it was configured prior to the SOLD 2.4.43.1 release. * * * * If upgrading from a release prior to 2.4.43.1 and slapo-ppolicy is * * in use via cn=config, then it will be necessary to modify the * * schema for ppolicy prior to upgrading * * * * Specifically, the following attribute definition must be added: * * olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRe * * cordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch * * SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) * * * * Please contact support for additional assistance. 
* ********************************************************************** This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.45 BDB 5.3.28 Cyrus SASL 2.1.26 OpenSSL 1.0.2k GPerftools 2.2.1 + updates (Selected platforms) Heimdal Kerberos 7.3.0 (Selected platforms) Summary of Changes: Packaging: Added new script for support: bin/GetSymasConfig.py (SOLD#38) Fixed non-optimized builds for RHEL to actually be non-optimized (SOLD#39) Fixed Heimdal KDC Schema (SOLD#40) Fixed missing cn=config formatted schema files (SOLD#35) Fixed missing upgrade notes for slapo-ppolicy and cn=config (SOLD#36) OpenLDAP: 2.4.45 Updates: Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533, ITS#8634) Fixed libldap to fail ldap_result if the handle is already bad (ITS#8585) Fixed libldap to expose error if user specified CA doesn't exist (ITS#8529) Fixed libldap handling of Diffie-Hellman parameters (ITS#7506) Fixed libldap GnuTLS use after free (ITS#8385) Fixed libldap SASL initialization (ITS#8648) Fixed slapd bconfig rDN escape handling (ITS#8574) Fixed slapd segfault with invalid hostname (ITS#8631) Fixed slapd sasl SEGV rebind in same session (ITS#8568) Fixed slapd syncrepl filter handling (ITS#8413) Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432) Fixed slapd callback struct so older modules without writewait should function. 
Custom modules may need to be updated for sc_writewait callback (ITS#8435) Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS#8576) Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794) Fixed slapd-mdb double free with size zero paged result (ITS#8655) Fixed slapd-meta uninitialized diagnostic message (ITS#8442) Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423) Fixed slapo-accesslog with multiple modifications to the same attribute (ITS#6545) Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428) Fixed slapo-sssvlv double free (ITS#8592) Fixed slapo-unique with empty modifications (ITS#8266) Added test065 for proxyauthz (ITS#8571) Fix test008 to be portable (ITS#8414) Fix test064 to wait for slapd to start (ITS#8644) Fix its4336 regression test (ITS#8534) Fix its4337 regression test (ITS#8535) Fix regression tests to execute on all backends (ITS#8539) Added slapo-autogroup(5) man page (ITS#8569) Added passwd missing conversion scripts for apr1 (ITS#6826) Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435) Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525) admin24 fixed tls_cipher_suite bindconf option (ITS#8099) admin24 fixed typo cn=config to be slapd.d (ITS#8449) admin24 fixed slapo-syncprov information to be current (ITS#8253) admin24 fixed typo in access control docs (ITS#7341, ITS#8391) admin24 fixed minor typo in tuning guide (ITS#8499) admin24 fixed information about the limits option (ITS#7700) admin24 fixed missing options for syncrepl configuration (ITS#7700) admin24 fixed accesslog documentation to note it should not be replicated (ITS#8344) Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS#7177) Fixed ldapsearch(1) information on the V[V] flag behavior (ITS#7177, ITS#6339) Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538) Fixed slapd-config(5), slapd.conf(5) clarify serverID 
        requirements (ITS#8635)
      Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS#8123)
      Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
      Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS#8613)
      Fixed slapo-syncprov(5) documentation to be current (ITS#8253)
      Fixed slapadd(8) manpage to note slapd-mdb (ITS#8215)
      Fixed various minor grammar issues in the man pages (ITS#8544)
      Fixed various typos (ITS#8587)

  Cyrus SASL: No changes

  OpenSSL: No changes

  Berkeley DB: No changes

  Heimdal Kerberos:
    Upgrade to the Heimdal 7.3.0 release + additional fixes
    Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
      caused the previous hop realm to not be added to the transit path of
      issued tickets. This may, in some cases, enable bypass of capath
      policy in Heimdal versions 1.5 through 7.2.

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
March 20, 2017

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.7

Release Highlights:

  This release contains a fix for LMDB with multivalued attributes, the
  upgrade of Heimdal from 1.6 to 7.2, the upgrade of OpenSSL to 1.0.2k,
  and adds support for Diffie-Hellman Key Exchange in the TLS
  configuration.

  This release is recommended for all users. Users that have configured
  their installation for large multi-valued attributes are strongly urged
  to update.
Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2k
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 7.2.0 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44.6 Updates:
      20161128 Add TLS protocol and ciphersuite logging (ITS#7683)
      20170117 Fix ldap_queue macro (ITS#8570)
      20170206 Document threadqueues option to slapd
      20170126 Additional fixes for large multival attributes
      20170303 Additional logging for CSN state mismatches
      20170303 Fix Diffie-Hellman support (ITS#7506)
      20170303 Fix rDN handling in back-ldif (ITS#8574)
      20170315 Fix multiple threadqueues
      20170317 Fix ldap_result to fail if handle has already failed (ITS#8585)

  Cyrus SASL: No changes

  OpenSSL: No changes

  Berkeley DB: No changes

  Heimdal Kerberos:
    Upgrade to the Heimdal 7.1.0 release + additional fixes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
November 3, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.6

Release Highlights:

  This release contains a fix for LMDB with multivalued attributes.

  This release is recommended for all users. Users that have configured
  their installation for large multi-valued attributes are strongly urged
  to update.

Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases for versions prior to 2.4.44.5.                 *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2h
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44.5 Updates:
      20161103 slapd-mdb: Delete was broken for multival in some cases

  Cyrus SASL: No changes

  OpenSSL: No changes

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
September 27, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.5

Release Highlights:

  This release contains changes that improve LMDB performance with large
  multivalued attributes. It also brings LMDB database growth under
  control for applications that have large groups, and also for those
  that use the remoteauth overlay to authenticate users to Active
  Directory and other remote LDAP databases. Finally, some additional
  STATS logging was added to track replication.

  This release is recommended for all users, but in particular for those
  installations that use the remoteauth overlay with LMDB and that may
  have multi-valued attributes that contain large numbers of values.
Upgrade warning:

**********************************************************************
* This release has the potential to change the on-disk format for    *
* LMDB/MDB databases.                                                *
*                                                                    *
* If you are setting or changing the back-mdb values multival_hi and *
* multival_lo it will be necessary to back up any affected databases *
* using slapcat before making the change and restoring them with     *
* slapadd after making the change.                                   *
*                                                                    *
* If you are not setting these values then a database reload is not  *
* needed.                                                            *
*                                                                    *
* Please contact support for additional assistance. Back-BDB/HDB     *
* databases are unaffected.                                          *
**********************************************************************

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2h
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44 Updates:
      20160729 slapo-remoteauth: Don't keep entry during remote bind, release first.
      20160729 slapo-remoteauth: Don't send success result, frontend always does that.
      20160726 slapd: Add STATS log for delta sync
      20160726 build: Remove extra 'quick' target in Red Hat build stanza
      20160726 slapd: Add additional STATS log for a couple SYNC log msgs
      20160722 slapd-mdb: Fix id2entry_delete when deleting last multival entry in DB
      20160720 slapd-mdb: Modify/replace was broken if attr didn't already exist

  Cyrus SASL: No changes

  OpenSSL: No changes

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
June 17, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.4

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2h
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44 Updates:
      Fixed uninitialized rs->sr_text in back-meta (ITS#8442)
      Move sc_writewait to end of slap_callback so any initializers in code
        predating sc_writewait will find sc_private in the expected
        position. (ITS#8435)
      Fixed uninited slap_callback.sc_writewait (ITS#8435)
      Fixed infinite looping mods in delta-mmr (ITS#8432)
      Fixed init sc_writewait (ITS#8428)
      Fixed ITS#8339
      Fixed ITS#8424
      Fixed mutexattr leak on error in mdb_env_setup_locks
      Fixed Solaris 10/11 robust mutex handling
        Check for PTHREAD_MUTEX_ROBUST_NP definition (this doesn't work on
        Linux/glibc because they used an enum).
        Zero out mutex before initing. (ITS#8339)
      Fixed missing cursor init in mdb_env_cwalk (ITS#8424)

  Cyrus SASL: No changes

  OpenSSL:
    Changes between 1.0.2g and 1.0.2h [3 May 2016]
      Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
      Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
      Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
      Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
      EBCDIC overread (CVE-2016-2176)
      Modify behavior of ALPN to invoke callback after SNI/servername
        callback, such that updates to the SSL_CTX affect ALPN.
      Remove LOW from the DEFAULT cipher list.
        This removes single DES from the default.
      Only remove the SSLv2 methods with the no-ssl2-method option.

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
May 19, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.3

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2h
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44 Updates:
      Fix missing check for pause in accesslog_purge (ITS#8423)
      Removed use of "time", as it is non portable (ITS#8414)
      Don't use str2filter on precomputable filters and more importantly,
        avoid escaping requirements that str2filter has (ITS#8413)
      Fixed NEXT_DUP after cursor_del (ITS#8412)
      Fixed xcursors after cursor_del. Don't leave them uninit'd if they
        now point at a valid DUP node (ITS#8406)
      Added mdb_drop optimization: If we know there are no sub-DBs and no
        overflow pages, skip leaf scan.
      Fixed MDB_GET_BOTH on non-dup record (ITS#8393)
      Tweak Win32 errmsg buffer

  Cyrus SASL: No changes

  OpenSSL:
    Changes between 1.0.2g and 1.0.2h [3 May 2016]
      Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
      Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
      Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
      Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
      EBCDIC overread (CVE-2016-2176)
      Modify behavior of ALPN to invoke callback after SNI/servername
        callback, such that updates to the SSL_CTX affect ALPN.
      Remove LOW from the DEFAULT cipher list.
        This removes single DES from the default.
      Only remove the SSLv2 methods with the no-ssl2-method option.

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!
============================================================================
April 4, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.2

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2g
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging: None

  OpenLDAP:
    Post-2.4.44 Updates
      Additional fixes for large multi-valued attributes:
        Do not persist the sorted flag since the sort order between the DB
        and the attribute's schema don't necessarily agree (SOB-102)

  Cyrus SASL: No changes

  OpenSSL: No changes

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!
============================================================================
March 4, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.44.1

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.44
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2g
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging:
    Fixed solserver complains when gdb not installed (SOB-82)
    Increased slapd shutdown timeout to 300 seconds (SOB-92)
    Fixed problems with exampledb-krb5.sh that prevented lmdb-backed kdc
      from working in the example (SOB-86)
    Fixed heimdal hdb_ldap linking issues that prevented kdc ldap backend
      from functioning (SOB-86)
    Fixed openssl.conf.default set the default_bits parameter to 1024 (SOB-77)
    Fixed pw-sha2 linking with system libs (SOB-47)

  OpenLDAP:
    Post-2.4.44 Updates
      None
    2.4.44 Updates
      Fixed slapd-mdb behavior with long lived read transactions (ITS#8226)
      Fixed slapd-mdb cleanup after failed transaction (ITS#8360)
      Fixed slapo-accesslog callback initialization (ITS#8351)
      Fixed slapo-syncprov abandon processing (ITS#8354)
      Fixed slapo-syncprov ctxcsn snapshot on refresh (ITS#8365)

  Cyrus SASL: No changes

  OpenSSL:
    Update to 1.0.2g
    Changes between 1.0.2d and 1.0.2g [1 Mar 2016]
      CVE-2016-0800 - Weak ciphers in SSLv3 and up have been disabled
      CVE-2016-0800 - SSLv2 has been disabled
      CVE-2016-0705 - Double-free while processing malformed DSA private
                      keys results in DoS attack or memory corruption
      CVE-2016-0798 - Server memory leak in SRP_VBASE_get_by_user call
      CVE-2016-0797 - Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
      CVE-2016-0799 - Fix memory issues in BIO_*printf functions
      CVE-2016-0702 - Fix side channel attack on modular exponentiation
      None          - Change the req app to generate a 2048-bit RSA/DSA key
                      by default if no keysize is specified with default_bits.
      CVE-2016-0701 - Fix DH small subgroups
      CVE-2015-3197 - Fix SSLv2 doesn't block disabled ciphers
      None          - Reject DH handshakes with parameters shorter than 1024 bits
      CVE-2015-3193 - Fix BN_mod_exp may produce incorrect results on x86_64
      CVE-2015-3194 - Fix certificate verify crash with missing PSS parameter
      CVE-2015-3195 - Fix memory leak when presented with a malformed
                      X509_ATTRIBUTE structure
      None          - Fix several bugs in EVP_DecodeUpdate (base64 decoding)
      None          - Fix DSA_generate_parameters_ex not using a random seed
                      if the provided seed is too short

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  GPerfTools: No changes

  Libtool: No changes

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.

  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!
============================================================================
January 5, 2016

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.43.1

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.43 + updates
  BDB 5.3.28
  Cyrus SASL 2.1.26
  OpenSSL 1.0.2e
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.6 (Selected platforms)

Summary of Changes:

  Packaging:
    Enhanced solserver init script to interoperate with GDB

  OpenLDAP:
    Post-2.4.43 Updates
      Fixed slapd-bdb/hdb missing olcDbChecksum config attr (ITS#8337)
      Fixed slapo-ppolicy pwdMaxRecordedFailure must never be zero (ITS#8327)
      Fixed page_search_root assert on FreeDB (ITS#8336)
      Fixed assume Windows paths are UTF-8 (ITS#7992)
      Fixed Add the id_query config item (ITS#8329)
      Fixed robust mutex detection for older glibc (ITS#8330)
    2.4.43 Updates
      Added StartTLS support to remoteauth
      Fixed liblber remove obsolete assert (ITS#8240, ITS#8301)
      Fixed libldap file URLs on windows (ITS#8273)
      Fixed libldap microsecond timer for windows (ITS#8295)
      Fixed slap tools minor one time memory leak (ITS#8082)
      Fixed slapd to avoid redundant processing of abandon ops (ITS#8232)
      Fixed slapd syncrepl segv when present list is NULL (ITS#8231, ITS#8042)
      Fixed slapd segfault with invalid SASL URI (ITS#8218)
      Fixed slapd configuration parser with unbalanced quotes (ITS#8233)
      Fixed slapd syncrepl check with config db on windows (ITS#8277)
      Fixed slapd with mod Increment and inherited attribute type (ITS#8289)
      Fixed slapd-ldap SEGV after failed retry (ITS#8173)
      Fixed slapd-ldap to skip client controls in ldap_back_entry_get (ITS#8244)
      Fixed slapd-null to have an option to return a search entry (ITS#8249)
      Fixed slapd-relay to correctly handle quoted options (ITS#8284)
      Fixed slapo-accesslog delta-sync MMR with interrupted refresh phase (ITS#8281)
      Fixed slapo-dds segfault when using slapo-memberof (ITS#8133)
      Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes (ITS#8185)
      Fixed slapo-ppolicy to release entry on failure (ITS#7537)
      Fixed slapo-ppolicy to fall back to default policy if there is a
        parsing error (ITS#8234)
      Fixed slapo-syncprov with interrupted refresh phase (ITS#8281)
      Fixed slapo-refint with subtree renames (ITS#8220)
      Fixed slapo-rwm missing olcDropUnrequested attribute (ITS#7889)
      Fixed slapo-rwm parsing to avoid double-escaping rewrite rules (ITS#7964)
      Fixed ldif-filter option parsing (ITS#8292)
      Fixed liblber address length for CLDAP (ITS#8158)
      Fixed libldap dnssrv potential overflow with port number (ITS#7027, ITS#8195)
      Fixed slapd cn=config when updating olcAttributeTypes (ITS#8199)
      Fixed slapd-mdb to correctly update search candidates for scoped
        searches (ITS#8203)
      Fixed slapo-ppolicy with redundant mod ops on glued trees (ITS#8184)
      Fixed slapo-rwm crash when deleting rewrite rules (ITS#8213)
      Fixed ldapsearch to explicitly flush its buffer (ITS#8118)
      Fixed libldap async connections (ITS#8090)
      Fixed libldap double free of request during abandon (ITS#7967)
      Fixed libldap error string for LDAP_X_CONNECTING (ITS#8093)
      Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
      Fixed libldap ldif-wrap off by one error (ITS#8003)
      Fixed libldap handling of TLS in async mode (ITS#8022)
      Fixed libldap null pointer dereference (ITS#8028)
      Fixed libldap mutex handling with LDAP_OPT_SESSION_REFCNT (ITS#8050)
      Fixed slapd slapadd config db import of minimal frontend entry (ITS#8150)
      Fixed slapd slapadd onetime leak with -w (ITS#8014)
      Fixed slapd sasl auxprop crash with invalid config (ITS#8092)
      Fixed slapd syncrepl delta-mmr issue with overlays and slapd.conf (ITS#7976)
      Fixed slapd syncrepl mutex for cookie state (ITS#7968)
      Fixed slapd syncrepl memory leaks (ITS#8035)
      Fixed slapd syncrepl to free presentlist at end of refresh mode (ITS#8038)
      Fixed slapd syncrepl to streamline presentlist (ITS#8042)
      Fixed slapd syncrepl concurrency when CHECK_CSN is enabled (ITS#8120)
      Fixed slapd rootdn checks for hidden backends (ITS#8108)
      Fixed slapd
        segfault when using matched values control (ITS#8046)
      Fixed slapd-ldap reconnection behavior on remote failure (ITS#8142)
      Fixed slapd-mdb minor case typo (ITS#8049)
      Fixed slapd-mdb one-level search (ITS#7975)
      Fixed slapd-mdb heap corruption (ITS#7965)
      Fixed slapd-mdb crash after deleting in-use schema (ITS#7995)
      Fixed slapd-mdb minor code cleanup (ITS#8011)
      Fixed slapd-mdb to return errors when using incorrect env flags (ITS#8016)
      Fixed slapd-mdb to correctly update search candidates (ITS#8036, ITS#7904)
      Fixed slapd-mdb when there were more than 65535 aliases in scope (ITS#8103)
      Fixed slapd-mdb alias deref when objectClass is not indexed (ITS#8146)
      Fixed slapd-meta TLS initialization with ldaps URIs (ITS#8022)
      Fixed slapd-meta to have better error logging (ITS#8131)
      Fixed slapd-perl conversion to cn=config (ITS#8105)
      Fixed slapd-sql autocommit config variable (ITS#8129,ITS#6613)
      Fixed slapo-collect segfault (ITS#7797)
      Fixed slapo-constraint with 0 count constraint (ITS#7780,ITS#7781)
      Fixed slapo-deref with empty attribute list (ITS#8027)
      Fixed slapo-memberof to correctly reject invalid members (ITS#8107)
      Fixed slapo-sock result parser for CONTINUE (ITS#8048)
      Fixed slapo-syncprov syncprov_matchops usage of test_filter (ITS#8013)
      Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
      Fixed slapo-syncprov memory leak (ITS#8039)
      Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)
      Fixed slapo-syncprov deadlock when autogroup is in use (ITS#8063)
      Fixed slapo-syncprov potential loss of changes when under load (ITS#8081)
      Fixed slapo-unique enforcement of uniqueness with manageDSAit control (ITS#8057)
      Fixed contrib/autogroup internal operation identity (ITS#8006)
      Fixed contrib/autogroup to skip internal ops with accesslog (ITS#8065)
      Added pbkdf2 sha256 and sha512 schemes (ITS#7977)
      Fixed autogroup modification callback responses (ITS#6970)
      Fixed nssov compare with usergroup (ITS#8079)
      Fixed nssov password change behavior (ITS#8080)
      Fixed nssov
        updated to 0.9.4 (ITS#8097)
      Added ldap_get_option(3) LDAP_FEATURE_INFO_VERSION information (ITS#8032)
      Added ldap_get_option(3) LDAP_OPT_API_INFO_VERSION information (ITS#8032)
      Fixed slapd-config(5), slapd.conf(5) tls_cipher_suite option (ITS#8099)
      Fixed slapd-meta(5), slapd-ldap(5) tls_cipher_suite option (ITS#8099)
      Fixed slapd-meta(5) fix minor typo (ITS#7769)

  Cyrus SASL:
    Update to 2.1.26:
      Modernize SASL malloc/realloc callback prototypes
      Added sasl_config_done() to plug a memory leak when using an
        application specific config file
      Fixed PLAIN/LOGIN authentication failure when using saslauthd with no
        auxprop plugins (bug # 3590).
      Unlock the mutex in sasl_dispose if the context was freed by another thread
      MINGW32 compatibility updates
      Fixed broken logic in get_fqhostname() when abort_if_no_fqdn is 0
      Fixed some memory leaks in libsasl
      GSSAPI plugin:
        Fixed a segfault in gssapi.c introduced in 2.1.25.
        Code refactoring
        Added support for GSS-SPNEGO SASL mechanism (Unix only), which is
          also HTTP capable
      DIGEST-MD5 plugin:
        Correctly send "stale" directive to prevent clients from
          (re)prompting for password
        Better handling of HTTP reauthentication cases
        fixed some memory leaks
      saslauthd:
        auth_rimap.c: qstring incorrectly appending the closing double
          quote, which might be causing crashes
        auth_rimap.c: read the whole IMAP greeting
        better error reporting from some drivers
        fixed some memory leaks

  OpenSSL: Update to 1.0.2d

  Berkeley DB: Update to 5.3.28

  Heimdal Kerberos: Update to 1.6

  GPerfTools: No change

  Libtool: No change

Status of this release:

  This is a production release and is made available for general use.
  We have tested it in our labs and in the field and we believe it is
  suitable for use in production environments.
  However, as is always the case with any software, please test it in
  your own environment to make sure it meets your requirements, maintain
  backups of critical data, and make appropriate provisions for unexpected
  outages.
  Bug reports, comments, and suggestions can be submitted to
  support@symas.com. We look forward to hearing from you!

============================================================================
May 13, 2015

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.40.20150513

This release of Symas OpenLDAP contains the following component versions:

  OpenLDAP 2.4.40 + updates
  BDB 4.8.30
  Cyrus SASL 2.1.25
  OpenSSL 1.0.2a
  GPerftools 2.2.1 + updates (Selected platforms)
  Heimdal Kerberos 1.5.3 (Selected platforms)

Packaging:
  Cleaned up example files and switched to demo lmdb (Symas #2830)
  Added new LMDB tools for mdb_dump, mdb_load, and related manpages (Symas #2881)
  Fixed solserver script on CentOS 7 (Symas #2918)
  Added slapo-lastbind contrib module (Symas #2927)
  Added AES-KeyAgent support for select platforms (Symas #2928)
  Added new safer slapd.conf.default value for TLSCipherSuite (Symas #2974)
  Added commented out ulimit -n and ulimit -v options to
    symas-openldap.conf.default (Symas #2287)
  Updated to OpenSSL 0.9.8ze

OpenLDAP:
  Added experimental high-resolution time reporting (Symas #2882)
  Fixed libldap DNS SRV priority handling (ITS#7027)
  Fixed libldap don't leak libldap err codes (ITS#7676)
  Fixed libldap CR/LF handling (ITS#4635)
  Fixed libldap ldif-wrap length (ITS#7871)
  Fixed libldap GnuTLS ciphersuite parsing (ITS#7500)
  Fixed libldap GnuTLS with newer versions (ITS#7430,ITS#6359)
  Fixed libldif to correctly handle 4096 character lines (ITS#7859)
  Fixed librewrite reference counting (ITS#7723)
  Fixed slapacl with back-mdb reader transactions (ITS#7920)
  Fixed slapd syncrepl to send cookie on fallback (ITS#7849)
  Fixed slapd syncrepl SEGV when abandoning a connection (ITS#7928)
  Fixed slapd slapcat with external schema (ITS#7895)
  Fixed slapd schema RDN normalization (ITS#7935)
  Fixed slapd with repeated language tags (ITS#7941)
  Fixed slapd modrdn crash on naming attr with no matching rule (ITS#7850)
  Fixed slapd memory leak in control handling (ITS#7942)
  Fixed slapd-ldap
    removed dead code (ITS#7922)
  Fixed slapd-mdb to work concurrently with slapadd (ITS#7798)
  Fixed slapd-mdb with paged results (ITS#7705, ITS#7800)
  Fixed slapd-mdb slapcat with nonexistent indices (ITS#7870)
  Fixed slapd-mdb long lived reader transactions (ITS#7904)
  Fixed slapd-mdb memory leak on matchedDN (ITS#7872)
  Fixed slapd-mdb sorting of attribute values (ITS#7902)
  Fixed slapd-mdb to flag attribute values as sorted (ITS#7903)
  Fixed slapd-mdb index config handling (ITS#7912)
  Fixed slapd-mdb entry release handling (ITS#7915)
  Fixed slapd-mdb with aliases and referrals (ITS#7927)
  Fixed slapd-mdb alias dereferencing (ITS#7702)
  Fixed slapd-sock socket flushing (ITS#7937)
  Fixed slapo-accesslog attribute normalization (ITS#7934)
  Fixed slapo-accesslog internal search logging (ITS#7929)
  Fixed slapo-auditlog connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-chain interaction with slapo-rwm (ITS#7930)
  Fixed slapo-constraint connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-dds connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-dyngroup connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-memberof attr count (ITS#7893)
  Fixed slapo-memberof frontendDB handling (ITS#7249)
  Fixed slapo-memberof internal search logging (ITS#7929)
  Fixed slapo-pcache config processing (ITS#7919)
  Fixed slapo-pcache connection destroy logic (ITS#7906,ITS#7923)
  Added slapo-ppolicy ORDERING rules (ITS#7838)
  Fixed slapo-ppolicy timestamp resolution to use microseconds (ITS#7161)
  Fixed slapo-ppolicy connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-refint to check for pauses in cn=config (ITS#7873)
  Fixed slapo-refint internal search logging (ITS#7929)
  Fixed slapo-refint connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-seqmod connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-slapover connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapo-sock db_init (ITS#7868)
  Fixed slapo-sssvlv fix olcSssVlvMaxPerConn (ITS#7908)
  Fixed slapo-translucent double free
    (ITS#7587)
  Fixed slapo-translucent to work with manageDSAit (ITS#7864) (Symas #2805)
  Fixed slapo-translucent to use local backend with local entries (ITS#7915)
  Fixed slapo-unique connection destroy logic (ITS#7906,ITS#7923)
  Fixed slapacl with invalid suffix (ITS#7827)
  Remove support for gcrypt (ITS#7877)
  BDB 6.0.20 and later is not supported (ITS#7890)
  Fixed ODBC link check (ITS#7891)
  Fixed slapd.ldif frontend config (ITS#7933)
  Added pbkdf2 module (ITS#7742)
  Fixed autogroup double free (ITS#7831)
  Fixed autogroup modification callback responses (ITS#6970)
  Fixed ldapc++ memory leak in Async connection (ITS#7806)
  Fixed nssov install path (ITS#7858)
  Fixed passwd rpath (ITS#7885)
  Fixed apr1 do_phk_hash argument order (ITS#7869)
  Fixed slapd-sha2 buffer overrun (ITS#7851)
  Fixed slapd.ldif man page reference (ITS#7803)
  Fixed slapd.conf(5) man page to reference exattrs (ITS#7847)
  Fixed guide to work with mkrelease (ITS#7887)
  Fixed ldap_get_dn(3) ldap_ava definition (ITS#7860)
  Fixed Building of slapadd on Windows (Symas #3000)
  Fixed heap corruption in mdb_dn2id (ITS#7965)
  Fixed libldap double free of request during abandon (ITS#7967)
  Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
  Fixed libldap ldif-wrap off by one error (ITS#8003)
  Fixed libldap handling of TLS in async mode (ITS#8022)
  Fixed libldap null pointer dereference (ITS#8028)
  Fixed slapd slapadd onetime leak with -w (ITS#8014)
  Fixed slapd syncrepl delta-mmr issue with overlays and slapd.conf (ITS#7976)
  Fixed slapd syncrepl mutex for cookie state (ITS#7968)
  Fixed slapd syncrepl memory leaks (ITS#8035)
  Fixed slapd syncrepl to free presentlist at end of refresh mode (ITS#8038)
  Fixed slapd-mdb one-level search (ITS#7975)
  Fixed slapd-mdb heap corruption (ITS#7965)
  Fixed slapd-mdb crash after deleting in-use schema (ITS#7995)
  Fixed slapd-mdb minor code cleanup (ITS#8011)
  Fixed slapd-mdb to return errors when using incorrect env flags (ITS#8016)
  Fixed slapd-mdb to correctly update search candidates (ITS#8036,
      ITS#7904)
    Fixed slapd-meta TLS initialization with ldaps URIs (ITS#8022)
    Fixed slapo-collect segfault (ITS#7797)
    Fixed slapo-constraint with 0 count constraint (ITS#7780,ITS#7781)
    Fixed slapo-deref with empty attribute list (ITS#8027)
    Fixed slapo-syncprov synprov_matchops usage of test_filter (ITS#8013)
    Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
    Fixed slapo-syncprov deadlock when autogroup is in use (ITS#8063,ITS#8081)
    Fixed slapo-syncprov memory leak (ITS#8039)
    Enhanced contrib modules build paths (ITS#7782)
    Fixed contrib/autogroup internal operation identity (ITS#8006)
    Fixed contrib/passwd/sha2 compiler warning (ITS#8000)
    Fixed contrib/noopsrch compiler warning (ITS#7998)
    Fixed contrib/dupent compiler warnings (ITS#7997)
    Added pbkdf2 sha256 and sha512 schemes (ITS#7977)
    Added ldap_get_option(3) LDAP_FEATURE_INFO_VERSION information (ITS#8032)
    Added ldap_get_option(3) LDAP_OPT_API_INFO_VERSION information (ITS#8032)
    Fixed slapd syncrepl to streamline presentlist (ITS#8042)
    Fixed contrib/autogroup to skip internal ops with accesslog (ITS#8065)

  SASL:
    Changed DIGEST-MD5 to use /dev/urandom to prevent entropy exhaustion
      denial of service attacks (Symas #2802)

  OpenSSL:
    Update to OpenSSL 0.9.8ze
    Fix for CVE-2014-3510 (DTLS anon ECDH client DoS)
    Fix for CVE-2014-3507 (DTLS memleak DoS)
    Fix for CVE-2014-3506 (DTLS handshake DoS)
    Fix for CVE-2014-3505 (DTLS doublefree DoS)
    Fix for CVE-2014-3508 (Stack echo in prettyprinter)
    Fix for CVE-2014-0224 (MITM via weaker keying)
    Fix for CVE-2014-0221 (DTLS recursion DoS)
    Fix for CVE-2014-0195 (DTLS fragment overrun RCE)
    Fix for CVE-2014-3470 (Client ECDH DoS)
    Fix for CVE-2014-0076 (ECDSA nonce recovery)
    Fix for CVE-2010-5298 (Client library side alert DoS)
    Build fixes for the Windows and OpenVMS platforms
    Fix for CVE-2014-3571 (DTLS handshake DoS)
    Fix for CVE-2014-3569 (ssl23_get_client_hello handshake DoS)
    Fix for CVE-2014-3572 (ECDHE-to-ECDH downgrade)
    Fix for CVE-2015-0204 (RSA-to-EXPORT_RSA
      downgrade)
    Fix for CVE-2014-8275 (Missing Cert Data Constraints)
    Fix for CVE-2014-3570 (BN_sqr fix)
    Fix for CVE-2014-3513 (DTLS SRTP DoS)
    Fix for CVE-2014-3567 (tls_decrypt_ticket memleak DoS)
    Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
    Fix for CVE-2014-3568 (no-ssl3 build option fix)

  GPerfTools:
    Update to 2.2.1 + updates (Symas #2903)

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it meets
your requirements. Maintain backups of critical data and make appropriate
provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================

January 28, 2015

Release Notes for Symas OpenLDAP Gold and Silver
Version 2.4.40.20150128 Developer Release

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.40 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8ze + updates
    GPerftools 2.2.1 + updates (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Security Notice:

*****************************************************************
* This release contains an updated version of OpenSSL to        *
* address the CVE-2014-0224 vulnerability. This bug within      *
* the OpenSSL project code could allow for a MITM attack        *
* against versions of OpenLDAP linked against the older OpenSSL *
* Libraries including Symas OpenLDAP prior to 2.4.40.           *
*                                                               *
* Upgrading is highly recommended.                              *
*                                                               *
* More Details:                                                 *
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224  *
*****************************************************************

  Packaging:
    Cleaned up example files and switched to demo lmdb (Symas #2830)
    Added new LMDB tools for mdb_dump, mdb_load, and related manpages
      (Symas #2881)
    Fixed solserver script on CentOS 7 (Symas #2918)
    Added slapo-lastbind contrib module (Symas #2927)
    Added AES-KeyAgent support for select platforms (Symas #2928)
    Added new safer slapd.conf.default value for TLSCipherSuite (Symas #2974)
    Added commented out ulimit -n and ulimit -v options to
      symas-openldap.conf.default (Symas #2287)
    Updated to OpenSSL 0.9.8ze

  OpenLDAP:
    Added experimental high-resolution time reporting (Symas #2882)
    Fixed libldap DNS SRV priority handling (ITS#7027)
    Fixed libldap don't leak libldap err codes (ITS#7676)
    Fixed libldap CR/LF handling (ITS#4635)
    Fixed libldap ldif-wrap length (ITS#7871)
    Fixed libldap GnuTLS ciphersuite parsing (ITS#7500)
    Fixed libldap GnuTLS with newer versions (ITS#7430,ITS#6359)
    Fixed libldif to correctly handle 4096 character lines (ITS#7859)
    Fixed librewrite reference counting (ITS#7723)
    Fixed slapacl with back-mdb reader transactions (ITS#7920)
    Fixed slapd syncrepl to send cookie on fallback (ITS#7849)
    Fixed slapd syncrepl SEGV when abandoning a connection (ITS#7928)
    Fixed slapd slapcat with external schema (ITS#7895)
    Fixed slapd schema RDN normalization (ITS#7935)
    Fixed slapd with repeated language tags (ITS#7941)
    Fixed slapd modrdn crash on naming attr with no matching rule (ITS#7850)
    Fixed slapd memory leak in control handling (ITS#7942)
    Fixed slapd-ldap removed dead code (ITS#7922)
    Fixed slapd-mdb to work concurrently with slapadd (ITS#7798)
    Fixed slapd-mdb with paged results (ITS#7705, ITS#7800)
    Fixed slapd-mdb slapcat with nonexistent indices (ITS#7870)
    Fixed slapd-mdb long lived reader transactions (ITS#7904)
    Fixed slapd-mdb memory leak on matchedDN (ITS#7872)
    Fixed slapd-mdb sorting of attribute values
      (ITS#7902)
    Fixed slapd-mdb to flag attribute values as sorted (ITS#7903)
    Fixed slapd-mdb index config handling (ITS#7912)
    Fixed slapd-mdb entry release handling (ITS#7915)
    Fixed slapd-mdb with aliases and referrals (ITS#7927)
    Fixed slapd-mdb alias dereferencing (ITS#7702)
    Fixed slapd-sock socket flushing (ITS#7937)
    Fixed slapo-accesslog attribute normalization (ITS#7934)
    Fixed slapo-accesslog internal search logging (ITS#7929)
    Fixed slapo-auditlog connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-chain interaction with slapo-rwm (ITS#7930)
    Fixed slapo-constraint connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-dds connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-dyngroup connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-memberof attr count (ITS#7893)
    Fixed slapo-memberof frontendDB handling (ITS#7249)
    Fixed slapo-memberof internal search logging (ITS#7929)
    Fixed slapo-pcache config processing (ITS#7919)
    Fixed slapo-pcache connection destroy logic (ITS#7906,ITS#7923)
    Added slapo-ppolicy ORDERING rules (ITS#7838)
    Fixed slapo-ppolicy timestamp resolution to use microseconds (ITS#7161)
    Fixed slapo-ppolicy connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-refint to check for pauses in cn=config (ITS#7873)
    Fixed slapo-refint internal search logging (ITS#7929)
    Fixed slapo-refint connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-seqmod connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-slapover connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapo-sock db_init (ITS#7868)
    Fixed slapo-sssvlv fix olcSssVlvMaxPerConn (ITS#7908)
    Fixed slapo-translucent double free (ITS#7587)
    Fixed slapo-translucent to work with manageDSAit (ITS#7864) (Symas #2805)
    Fixed slapo-translucent to use local backend with local entries (ITS#7915)
    Fixed slapo-unique connection destroy logic (ITS#7906,ITS#7923)
    Fixed slapcacl with invalid suffix (ITS#7827)
    Remove support for gcrypt (ITS#7877)
    BDB 6.0.20 and later is not supported (ITS#7890)
    Fixed ODBC
      link check (ITS#7891)
    Fixed slapd.ldif frontend config (ITS#7933)
    Added pbkdf2 module (ITS#7742)
    Fixed autogroup double free (ITS#7831)
    Fixed autogroup modification callback responses (ITS#6970)
    Fixed ldapc++ memory leak in Async connection (ITS#7806)
    Fixed nssov install path (ITS#7858)
    Fixed passwd rpath (ITS#7885)
    Fixed apr1 do_phk_hash argument order (ITS#7869)
    Fixed slapd-sha2 buffer overrun (ITS#7851)
    Fixed slapd.ldif man page reference (ITS#7803)
    Fixed slapd.conf(5) man page to reference exattrs (ITS#7847)
    Fixed guide to work with mkrelease (ITS#7887)
    Fixed ldap_get_dn(3) ldap_ava definition (ITS#7860)
    Fixed Building of slapadd on Windows (Symas #3000)
    Fixed heap corruption in mdb_dn2id (ITS#7965)
    Fixed libldap double free of request during abandon (ITS#7967)
    Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
    Fixed libldap ldif-wrap off by one error (ITS#8003)
    Fixed libldap handling of TLS in async mode (ITS#8022)
    Fixed libldap null pointer dereference (ITS#8028)
    Fixed slapd slapadd onetime leak with -w (ITS#8014)
    Fixed slapd syncrepl delta-mmr issue with overlays and slapd.conf (ITS#7976)
    Fixed slapd syncrepl mutex for cookie state (ITS#7968)
    Fixed slapd syncrepl memory leaks (ITS#8035)
    Fixed slapd syncrepl to free presentlist at end of refresh mode (ITS#8038)
    Fixed slapd-mdb one-level search (ITS#7975)
    Fixed slapd-mdb heap corruption (ITS#7965)
    Fixed slapd-mdb crash after deleting in-use schema (ITS#7995)
    Fixed slapd-mdb minor code cleanup (ITS#8011)
    Fixed slapd-mdb to return errors when using incorrect env flags (ITS#8016)
    Fixed slapd-mdb to correctly update search candidates (ITS#8036, ITS#7904)
    Fixed slapd-meta TLS initialization with ldaps URIs (ITS#8022)
    Fixed slapo-collect segfault (ITS#7797)
    Fixed slapo-constraint with 0 count constraint (ITS#7780,ITS#7781)
    Fixed slapo-deref with empty attribute list (ITS#8027)
    Fixed slapo-syncprov synprov_matchops usage of test_filter (ITS#8013)
    Fixed slapo-syncprov segfault on disconnect/abandon
      (ITS#5452,ITS#8012)
    Fixed slapo-syncprov deadlock when autogroup is in use (ITS#8063,ITS#8081)
    Fixed slapo-syncprov memory leak (ITS#8039)
    Enhanced contrib modules build paths (ITS#7782)
    Fixed contrib/autogroup internal operation identity (ITS#8006)
    Fixed contrib/passwd/sha2 compiler warning (ITS#8000)
    Fixed contrib/noopsrch compiler warning (ITS#7998)
    Fixed contrib/dupent compiler warnings (ITS#7997)
    Added pbkdf2 sha256 and sha512 schemes (ITS#7977)
    Added ldap_get_option(3) LDAP_FEATURE_INFO_VERSION information (ITS#8032)
    Added ldap_get_option(3) LDAP_OPT_API_INFO_VERSION information (ITS#8032)
    Fixed slapd syncrepl to streamline presentlist (ITS#8042)
    Fixed contrib/autogroup to skip internal ops with accesslog (ITS#8065)

  SASL:
    Changed DIGEST-MD5 to use /dev/urandom to prevent entropy exhaustion
      denial of service attacks (Symas #2802)

  OpenSSL:
    Update to OpenSSL 0.9.8ze
    Fix for CVE-2014-3510 (DTLS anon ECDH client DoS)
    Fix for CVE-2014-3507 (DTLS memleak DoS)
    Fix for CVE-2014-3506 (DTLS handshake DoS)
    Fix for CVE-2014-3505 (DTLS doublefree DoS)
    Fix for CVE-2014-3508 (Stack echo in prettyprinter)
    Fix for CVE-2014-0224 (MITM via weaker keying)
    Fix for CVE-2014-0221 (DTLS recursion DoS)
    Fix for CVE-2014-0195 (DTLS fragment overrun RCE)
    Fix for CVE-2014-3470 (Client ECDH DoS)
    Fix for CVE-2014-0076 (ECDSA nonce recovery)
    Fix for CVE-2010-5298 (Client library side alert DoS)
    Build fixes for the Windows and OpenVMS platforms
    Fix for CVE-2014-3571 (DTLS handshake DoS)
    Fix for CVE-2014-3569 (ssl23_get_client_hello handshake DoS)
    Fix for CVE-2014-3572 (ECDHE-to-ECDH downgrade)
    Fix for CVE-2015-0204 (RSA-to-EXPORT_RSA downgrade)
    Fix for CVE-2014-8275 (Missing Cert Data Constraints)
    Fix for CVE-2014-3570 (BN_sqr fix)
    Fix for CVE-2014-3513 (DTLS SRTP DoS)
    Fix for CVE-2014-3567 (tls_decrypt_ticket memleak DoS)
    Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
    Fix for CVE-2014-3568 (no-ssl3 build option fix)

  GPerfTools:
    Update to 2.2.1 + updates (Symas #2903)

Status of this release:

This is a production release and is made available for general use. We
have tested it in our labs and in the field and we believe it is suitable
for use in production environments. However, as is always the case with
any software, please test it in your own environment to make sure it meets
your requirements. Maintain backups of critical data and make appropriate
provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================
Branch for 2.4.39
============================================================================

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.39

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.39 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Known defects in this release:

    None.
Changes for this release:

  Packaging:
    Updated OpenLDAP/Heimdal init script text (Symas #2725)
    Updated portability of exampledb scripts (Symas #2726)

  OpenLDAP:
    Fixed libldap MozNSS crash (ITS#7783)
    Fixed libldap memory leak with SASL (ITS#7757)
    Fixed libldap assert in parse_passwdpolicy_control (ITS#7759)
    Fixed libldap shortcut NULL RDNs (ITS#7762)
    Fixed libldap deref to use correct control
    Fixed liblmdb keysizes with mdb_update_key (ITS#7756)
    Fixed slapd cn=config olcDbConfig modification (ITS#7750)
    Fixed slapd-bdb/hdb to bail out of search if config is paused (ITS#7761)
    Fixed slapd-bdb/hdb indexing issue with derived attributes (ITS#7778)
    Fixed slapd-mdb to bail out of search if config is paused (ITS#7761)
    Fixed slapd-mdb indexing issue with derived attributes (ITS#7778)
    Fixed slapd-perl to bail out of search if config is paused (ITS#7761)
    Fixed slapd-sql to bail out of search if config is paused (ITS#7761)
    Fixed slapo-constraint handling of softadd/softdel (ITS#7773)
    Fixed slapo-syncprov assert with findbase (ITS#7749)
    Test suite: Use $(MAKE) for tests (ITS#7753)
    admin24 fix TLSDHParamFile to be correct (ITS#7684)
    Fixed slapo-autogroup double-free (Symas #2728)
    Fixed back-mdb memory leak (ITS#7972)
    Improved liblmdb page allocation strategy (Symas #2811)

  Berkeley DB: No changes.
  SASL: No changes.
  OpenSSL: No changes.
  GPerftools: No changes.
  Heimdal Kerberos: No changes.

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes. Please use this release only
for experimental evaluation of new features on experimental data. Maintain
backups of critical data and make appropriate provisions for unexpected
outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!
============================================================================
Branch for 2.4.38
============================================================================

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.38

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.38 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Known defects in this release:

    None.

Changes for this release:

  Packaging:
    Updated for MDB binary tools on Windows (Symas #2579 / #2581)
    Fixed Windows packaging script issue (Symas #2587)
    Updated Windows readme registry notes (Symas #2589)
    Removed unnecessary init scripts dependencies (Symas #2552)
    Added AIX packaging capabilities (Symas #2648)

  OpenLDAP:
    Fixed liblmdb nordahead flag (ITS#7734)
    Fixed liblmdb to check cursor index before cursor_del (ITS#7733)
    Fixed liblmdb wasted space on split (ITS#7589)
    Fixed slapd for certs with a NULL issuerDN (ITS#7746)
    Fixed slapd cn=config with empty nested includes (ITS#7739)
    Fixed slapd syncrepl memory leak with delta-sync MMR (ITS#7735)
    Fixed slapd-bdb/hdb to stop processing on dn not found (ITS#7741)
    Fixed slapd-bdb/hdb with indexed ANDed filters (ITS#7743)
    Fixed slapd-mdb to stop processing on dn not found (ITS#7741)
    Fixed slapd-mdb dangling reader (ITS#7662)
    Fixed slapd-mdb matching rule for OlcDbEnvFlags (ITS#7737)
    Fixed slapd-mdb with indexed ANDed filters (ITS#7743)
    Fixed slapd-meta from blocking other threads (ITS#7740)
    Fixed slapo-syncprov assert with findbase #1 (ITS#7749)
    Fixed slapo-syncprov assert with findbase #2 (ITS#7749)
    Fixed liblmdb build issue on Windows (Symas #2579 / #2581)
    Fixed slapd-sha2 build issue on Windows (Symas #2579 / #2584)
    Updated init script for presence of dynamic config (Symas #2553)
    Fixed getpeerid.c build issue on Windows (Symas #2579)
    Fixed slapd module loading issue on AIX (Symas #2649)

  Berkeley DB: No changes.
  SASL: No changes.
  OpenSSL: No changes.
  GPerftools: No changes.
  Heimdal Kerberos: No changes.

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes. Please use this release only
for experimental evaluation of new features on experimental data. Maintain
backups of critical data and make appropriate provisions for unexpected
outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================
Branch for 2.4.37
============================================================================

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.37 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Known defects in this release:

    None.

Changes for this release:

  Packaging: No changes.
  OpenLDAP:
    Fixed liblmdb nordahead flag (ITS#7734)
    Fixed liblmdb to check cursor index before cursor_del (ITS#7733)
    Fixed liblmdb wasted space on split (ITS#7589)
    Fixed slapd cn=config with empty nested includes (ITS#7739)
    Fixed slapd syncrepl memory leak with delta-sync MMR (ITS#7735)
    Fixed slapd-mdb dangling reader (ITS#7662)
    Fixed slapd-mdb matching rule for OlcDbEnvFlags (ITS#7737)
    Fixed slapd-meta from blocking other threads (ITS#7740)
    Added liblmdb nordahead environment flag (ITS#7725)
    Fixed client tools CLDAP with IPv6 (ITS#7695)
    Fixed libldap CLDAP with IPv6 (ITS#7695)
    Fixed libldap lock ordering with abandon op (ITS#7712)
    Fixed liblmdb segfault with mdb_cursor_del (ITS#7718)
    Fixed liblmdb when converting to writemap (ITS#7715)
    Fixed liblmdb assert on MDB_NEXT with delete (ITS#7722)
    Fixed liblmdb wasted space on split (ITS#7589)
    Fixed slapd cn=config with olcTLSProtocolMin (ITS#7685)
    Fixed slapd-bdb/hdb optimize index updates (ITS#7329)
    Fixed slapd-ldap chaining with cn=config (ITS#7381, ITS#7434)
    Fixed slapd-ldap chaining with controls (ITS#7687)
    Fixed slapd-mdb optimize index updates (ITS#7329)
    Fixed slapd-meta chaining with cn=config (ITS#7381, ITS#7434)
    Fixed slapo-constraint to no-op on nonexistent entries (ITS#7692)
    Fixed slapo-dds assert on startup (ITS#7699)
    Fixed slapo-memberof to not replicate internal ops (ITS#7710)
    Fixed slapo-refint to not replicate internal ops (ITS#7710)
    Fixed slapd-mdb ptr arithmetic on void *s (ITS#7720)
    ldapsearch(1) minor typo fix (ITS#7680)
    slapd-passwd(5) minor typo fix (ITS#7680)

  Berkeley DB: No changes.
  SASL: No changes.
  OpenSSL: No changes.

  GPerftools:
    Fixed libtcmalloc missing symbols issue (Symas #2531)

  Heimdal Kerberos: No changes.

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes.
Please use this release only for experimental evaluation of new features
on experimental data. Maintain backups of critical data and make
appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================
Branch for 2.4.36
============================================================================

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.36 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Known defects in this release:

    None.

Changes for this release:

  Packaging:
    Fixed RPM update init script removal (Symas #2146)
    Fixed /var/symas/run/ Permissions (Symas #2077)
    Added accesslog overlay to silver package (Symas #2463)

  OpenLDAP:
    Added back-meta target filter patterns (ITS#7609)
    Added liblmdb mdb_txn_env to API (ITS#7660)
    Fixed libldap CLDAP with uninit'd memory (ITS#7582)
    Fixed libldap with UDP (ITS#7583)
    Fixed libldap OpenSSL TLS versions (ITS#7645)
    Fixed liblmdb MDB_PREV behavior (ITS#7556)
    Fixed liblmdb transaction issues (ITS#7515)
    Fixed liblmdb mdb_drop overflow page return (ITS#7561)
    Fixed liblmdb nested split (ITS#7592)
    Fixed liblmdb overflow page behavior (ITS#7620)
    Fixed liblmdb race condition with read and write txns (ITS#7635)
    Fixed liblmdb mdb_del behavior with MDB_DUPSORT and mdb_del (ITS#7658)
    Fixed slapd cn=config with unknown schema elements (ITS#7608)
    Fixed slapd cn=config with loglevel 0 (ITS#7611)
    Fixed slapd slapi filterlist free behavior (ITS#7636)
    Fixed slapd slapi control free behavior (ITS#7641)
    Fixed slapd schema countryString as directoryString (ITS#7659)
    Fixed slapd schema telephoneNumber as directoryString (ITS#7659)
    Fixed slapd-bdb/hdb to wait for read locks in tool mode (ITS#6365)
    Fixed slapd-mdb behavior with alias dereferencing
      (ITS#7577)
    Fixed slapd-mdb modrdn and base-scoped searches (ITS#7604)
    Fixed slapd-mdb refcount behavior (ITS#7628)
    Fixed slapd-meta binding flag is set (ITS#7524)
    Fixed slapd-meta with minimal config (ITS#7581)
    Fixed slapd-meta missing results messages (ITS#7591)
    Added slapd-meta TCP keepalive support (ITS#7513)
    Fixed slapo-sssvlv double free (ITS#7588)
    Fixed slaptest to list -Q option (ITS#7568)
    Fixed slapd-meta declaration warnings (ITS#7654)
    Fixed nssov group enumeration bug (ITS#7569)
    Fixed autogroup when URI has no attrs (ITS#7580)
    Updated admin24 database backend notes (ITS#7590)
    Fixed ldap.conf(5) typos (ITS#7568)
    Removed ldapmodify(1) replog reference (ITS#7562)
    Removed ldif(5) replog reference (ITS#7562)
    Removed slapd-config(5) replog reference (ITS#7562)
    Removed slapd.conf(5) replog reference (ITS#7562)
    Added slapd-config(5) TLSProtocolMin documentation (ITS#5655,ITS#7645)
    Added slapd.conf(5) TLSProtocolMin documentation (ITS#5655,ITS#7645)

  Berkeley DB: No changes.
  SASL: No changes.
  OpenSSL: No changes.

  GPerftools:
    Fixed improper rpath on libtcmalloc (Symas #2185)

  Heimdal Kerberos:
    Removed /etc/ conf file listing from lib defaults (Symas #2266)

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes. Please use this release only
for experimental evaluation of new features on experimental data. Maintain
backups of critical data and make appropriate provisions for unexpected
outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!
============================================================================
Branch for 2.4.35
============================================================================

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.35 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Known defects in this release:

    None.

Changes for this release:

  Packaging: No changes.

  OpenLDAP:
    Fixed liblmdb compiling on Solaris 8 (Symas #2293)
    Fixed liblmdb mdb_page_split issue (ITS#7592)
    Fixed liblmdb MDB_PREV behavior (ITS#7556)
    Fixed liblmdb transaction issues (ITS#7515)
    Fixed liblmdb mdb_drop overflow page return (ITS#7561)
    Fixed liblmdb mdb_cursor_put with MDB_MULTIPLE (ITS#7551)
    Fixed liblmdb page rebalance (ITS#7536)
    Fixed liblmdb missing parens (ITS#7377)
    Fixed liblmdb mdb_cursor_del crash (ITS#7553)
    Fixed slapd syncrepl updateCookie status (ITS#7531)
    Fixed slapd connection logging (ITS#7543)
    Fixed slapd segfault on modify (ITS#7542, ITS#7432)
    Fixed slapd-mdb to reject undefined attrs (ITS#7540)
    Fixed slapo-pcache with +/- attrsets (ITS#7552)
    don't install DB_CONFIG if no BDB backends (ITS#7533)
    slapschema(8) fix tool name (ITS#7534)
    admin24 fixed pcache example (ITS#7546)
    admin24 fixed config examples (ITS#7522)

  Berkeley DB: No changes.
  SASL: No changes.
  OpenSSL: No changes.
  GPerftools: No changes.
  Heimdal Kerberos: No changes.

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes. Please use this release only
for experimental evaluation of new features on experimental data. Maintain
backups of critical data and make appropriate provisions for unexpected
outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!
============================================================================
Branch for 2.4.34
============================================================================

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.34 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8y + updates
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

Upgrade warning:

**********************************************************************
* This release changes the on-disk format for LMDB/MDB databases.    *
*                                                                    *
* It is possible to update in place using 2.4.34's slapindex on the  *
* entryDN operational attribute, or to reload with slapcat LDIF from *
* the prior version.                                                 *
*                                                                    *
* Using old LMDB/MDB databases without the format change will not    *
* work.                                                              *
*                                                                    *
* Please contact support for assistance. Back-BDB/HDB databases are  *
* unaffected.                                                        *
**********************************************************************

Known defects in this release:

    /var/symas/run/ is only accessible by root on RedHat (Symas #2077)
    libtcmalloc.so has an invalid rpath (Symas #2185)

Changes for this release:

  Packaging:
    Add pw-sha2 password module to server (Symas #1788)
    Add autogroup overlay to distribution (Symas #2082)

  OpenLDAP:
    Fixed libldap connections with EINTR (ITS#7476)
    Fixed libldap lineno overflow in ldif_read_record (ITS#7497)
    Fixed liblmdb mdb_env_open flag handling (ITS#7453)
    Fixed liblmdb mdb_midl_sort array optimization (ITS#7432)
    Fixed liblmdb freelist with large entries (ITS#7455)
    Fixed liblmdb to check for filled dirty page list (ITS#7491)
    Fixed liblmdb to validate data limits (ITS#7485)
    Fixed liblmdb mdb_update_key for large keys (ITS#7505)
    Fixed ldapmodify to not core dump with invalid LDIF (ITS#7477)
    Fixed slapd syncrepl for old entries in MMR setup (ITS#7427)
    Fixed slapd signedness for index_substr_any_* (ITS#7449)
    Fixed slapd enforce SLAPD_MAX_DAEMON_THREADS (ITS#7450)
    Fixed slapd mutex in send_ldap_ber (ITS#6164)
    Added slapd-ldap onerr option (ITS#7492)
    Added slapd-ldap keepalive support (ITS#7501)
    Fixed slapd-ldif with empty dir (ITS#7451)
    Fixed slapd-mdb to reopen attr DBs after env reopen (ITS#7416)
    Fixed slapd-mdb handling of missing entries (ITS#7483,7496)
    Fixed slapd-mdb environment flag setting (ITS#7452)
    Fixed slapd-mdb with sub db slapcat (ITS#7469)
    Fixed slapd-mdb to correctly work with toolthreads > 2 (ITS#7488,ITS#7527)
    Fixed slapd-mdb subtree search speed (ITS#7473)
    Fixed slapd-meta conversion to cn=config (ITS#7525)
    Fixed slapd-meta segfault when modifying olcDbUri (ITS#7526)
    Fixed slapd-sql back-config support (ITS#7499)
    Fixed slapo-constraint handle uri and restrict correctly (ITS#7418)
    Fixed slapo-constraint with multi-master replication (ITS#7426)
    Fixed slapo-constraint segfault (ITS#7431)
    Fixed slapo-deref control initialization (ITS#7436)
    Fixed slapo-deref control exposure (ITS#7445)
    Fixed slapo-memberof with internal ops (ITS#7487)
    Fixed slapo-pcache matching rules for config db (ITS#7459)
    Fixed slapo-rwm modrdn cleanup (ITS#7414)
    Fixed slapo-sssvlv maxperconn parameter (ITS#7484)
    Fixed slapo-constraint test suite (ITS#7423)
    Added nssov nssov_config support (ITS#7518)
    Added nssov password_prohibit_message (ITS#7518)
    Fixed ldapc++ with gcc-4.7 (ITS#7281,ITS#7304)
    Fixed nssov olcNssPamSession handling (ITS#7481)
    Fixed nssov connection DN (ITS#7518)
    Add missing Makefile for various modules (ITS#7308)
    Unify Makefile structure for modules (ITS#7309)
    Fixed slapo-allowed attribute replication (ITS#7493)
    Fixed slapo-passwd SHA2 to correctly zero buffer (ITS#7490)
    Fixed ldapurl(1) example usage (ITS#7454)
    Fixed ldap_get_option(3) trailing whitespace (ITS#7411)
    Fixed slapd-config(5) olcExtraAttrs is per db (ITS#7421)
    Updated slapd-overlays(5) manpage index (ITS#7489)
    Fixed slapo-dynlist(5) Search behavior notes (ITS#7486)
    Added tcp keepalive support to back-meta (ITS#7513)
    Fixed mdb_rebalance key checking (ITS#7536)
    Fixed Bus Error on SPARC (Symas #2206)
    Fix for compiling on Solaris 8 (Symas #2201)
    Fixed regression from ITS#7536 (ITS#7538)

  Berkeley DB: No changes.
  SASL: No changes.

  OpenSSL:
    Update to 0.9.8y
    Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
    Fix OCSP bad key DoS attack CVE-2013-0166

  GPerftools: No changes.

  Heimdal Kerberos:
    Added KAD_LISTEN_PORTS option to symas-heimdal.conf (Symas #2135)
    Added a fix for the disappearing kadmind pid file issue (Symas #2131)

Status of this release:

This is a developer pre-release and is made available for experimental
testing purposes. It contains known defects and should not be considered
fully operational for production purposes. Please use this release only
for experimental evaluation of new features on experimental data. Maintain
backups of critical data and make appropriate provisions for unexpected
outages.

Bug reports, comments, and suggestions can be submitted to
support@symas.com. We look forward to hearing from you!

============================================================================
Branch for 2.4.33
============================================================================

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.33 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.25
    OpenSSL 0.9.8x + patch
    GPerftools 2.0 (Selected platforms)
    Heimdal Kerberos 1.5.2 (Selected platforms)

  Packaging:
    Fixed file permissions on exampledb.sh script
    Added ktutil binary and man page to client package. (Symas #2075)
    Fixed an init script portability issue affecting Solaris (Symas #2064)
    Allow Solaris installation per individual zones (Symas #2052)
    Fixed version and numbering and formatting in Release Notes (Symas #2056)
    Added liblmdb shared and static libs, header file, and mdb_stat utility
      (Symas #2067)
    Added kadmin, su and their man pages into client package (Symas #2016)
    Updated/added init scripts for Kerberos (Symas #2023)
    Disable aes overlay, as it's not used currently (Symas #2001).
    Update libassuan to 2.0.3 to support non-linux OSes (Symas #1943)
    Add libgpg-error to build to support libassuan 2.x (Symas #1942)
    Added hdb_ldap (ldap backend for kdc) (Symas #1772)
    Updated exampledb-krb5.sh (Symas #1772)
    Added man page for slapd-mdb(5)
    Allow in-place upgrading for platforms that use rpm (Symas #1749)
    Windows Packaging Changes (Symas #1759)
      Changed default install location for Windows package to be
        $(PROGRAMFILES)\symas-openldap on both Silver and Gold packages.
      Added Instance Manager to Windows packages to handle registry edits
        when running multiple copies of OpenLDAP. See Windows Readme for
        additional information.
      Windows packages install a "Symas OpenLDAP" program group with links
        to Instance Manager, Symas OpenLDAP Windows Readme, and Release
        Notes.

  OpenLDAP:
    Updated to 2.4.33
    Fix for spurious old entries (syncrepl) (OpenLDAP ITS#7427)
    Add support for 64 bit index hashing (Symas #2020)
    Re-enable OpenSSL session caching (Symas #2007)
    Update AES password module to use libassuan 2.0.3 (Symas #1945)
    Fixed pthread_kill_other_threads_np symbol not resolving in libldap on
      newer Linux kernels (Symas #1948)
    Added slapd-meta cn=config support
    Fixed libldap MozNSS slot picking (ITS#7359)
    Fixed libldap MozNSS with tokenname:certnickname format (ITS#7360)
    Fixed libmdb POSIX semaphore cleanup on environment close (ITS#7364)
    Fixed libmdb mdb_page_split (ITS#7385, ITS#7229)
    Fixed slapd alock handling on Windows (ITS#7361)
    Fixed slapd acl handling with zero-length values (ITS#7350)
    Fixed slapd syncprov to not reference ops inside a lock (Symas #1746,
      ITS#7172)
    Fixed slapd delta-syncrepl MMR with large attribute values (ITS#7354)
    Fixed slapd slapd_rw_destroy function (ITS#7390)
    Fixed slapd-ldap idassert bind handling (ITS#7403)
    Fixed slapd-mdb slapadd -q -w double free (ITS#7356)
    Fixed slapd-mdb to close read txn in reindex commit (ITS#7386)
    Fixed slapo-constraint with multiple modifications (ITS#7168)
    Fixed slapd-mdb to reopen attr DBs after env reopen
(ITS#7416) Fixed slapo-rwm modrdn cleanup (ITS#7414) Fixed libmdb posix semaphore use on BSD system (ITS#7363) Add slapo-constraint test suite (ITS#7344, ITS#7366) Fixed ldap_get_option(3) trailing whitespace problem (ITS#7411) Added note to slapo-refint(5) that changes made by refint overlay are not replicated (ITS#7405) Berkeley DB: No changes (mutex change was a build config change, not a code change). SASL: Fix for SASL Bug #3589: get_fqhostname() ignores getaddrinfo failure as long as gethostname() succeeds. (Symas RT#1539) OpenSSL: Fix possible deadlock when decoding public keys. (PR#2813) GPerftools: No changes. Heimdal Kerberos: Fix for kdc/kadmind/kpasswd PID location from /var/run to /var/symas/run (Symas RT#2028) Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
============================================================================ Branch for 2.4.32 ============================================================================ This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.32 + updates BDB 4.8.30 Cyrus SASL 2.1.25 (2.1.22 for Windows) OpenSSL 0.9.8x GPerftools 2.0 (Selected platforms) Heimdal Kerberos 1.5.2 (Selected platforms) Packaging: Add --with-mutex=POSIX/pthreads/library to BDB flags on Red Hat (Symas #1801) Heimdal libraries libheimedit, libheimsqlite, libwind, libsl, and libkadm5clnt are now included in client-only installations (Symas #1796) OpenLDAP: Fixed crasher in slapadd -w -q caused by double free (Symas #1800) Fixed ppolicy module ignores improperly supplied control value in ppolicy request control (Symas #1756, also reported as ITS#7353) Added slappasswd loadable module support (ITS#7284) Fixed tools to not clobber SASL_NOCANON (ITS#7271) Fixed libldap function declarations (ITS#7293) Fixed libldap double free (ITS#7270) Fixed libldap debug level setting (ITS#7290) Fixed libldap gettime() regression (ITS#6262) Fixed libldap sasl handling (ITS#7118, ITS#7133) Fixed libldap to correctly free socket with TLS (ITS#7241) Fixed libmdb leaf node handling (ITS#7266) Fixed libmdb mutexes on Apple/Windows (ITS#7251) Fixed slapd config index renumbering (ITS#6987) Fixed slapd duplicate error response (ITS#7076) Fixed slapd parsing of PermissiveModify control (ITS#7298) Fixed slapd-bdb/hdb cache hang under high load (ITS#7222) Fixed slapd-bdb/hdb alias checking (ITS#7303) Fixed slapd-bdb/hdb olcDbConfig changes work immediately (ITS#7338) Fixed slapd-ldap to encode user DN during password change (ITS#7319) Fixed slapd-ldap assertion when proxying to MS AD (ITS#6851) Fixed slapd-ldap monitoring (ITS#7182, ITS#7225) Fixed slapd-mdb with tool mode (ITS#7255) Fixed slapd-mdb with approx indexing (ITS#7279) Fixed slapd-mdb dn2id delete (ITS#7302) Fixed slapd-mdb memory leak in 
online indexer (ITS#7323) Fixed slapd-mdb db corruption when hitting maxsize (ITS#7337) Fixed slapd-mdb aborts with online indexing (ITS#7339) Fixed slapd-perl panic (ITS#7325) Fixed slapo-accesslog memory leaks with sync replication (ITS#7292) Fixed slapo-syncprov memory leaks with sync replication (ITS#7292) Fixed contrib/smbk5pwd to not compile with MozNSS (ITS#7327) Fixed contrib/sha2 portability (ITS#7267) Fixed contrib/sha2 thread safety (ITS#7269) Added contrib/sha2 {SSHA256}, {SSHA384}, {SSHA512} support (ITS#7278) Added slapi_[get|free]_client_ip() (ITS#7305) slapo-sssvlv Added note about criticality (ITS#7253) admin24 Fix peername.regex typo (ITS#7282) Fixed slapd-config file include example (ITS#7318) slapd-ldap(5) Reference RFC4526 (ITS#7294) slapd-meta(5) Reference RFC4526 (ITS#7294) Improved man page for remoteauth_domain_attribute (ntUserDomainId) for remoteauth overlay (Symas#1840) Berkeley DB: No changes. OpenSSL: Update to OpenSSL 0.9.8x (Symas #1720) Fix DTLS record length checking bug CVE-2012-2333 GPerftools: No changes. SASL: No changes. Heimdal Kerberos: Update to 1.5.2 (Symas #1738) - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege - Check that key types strictly match - denial of service Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! 
============================================================================ Branch for 2.4.31 ============================================================================ This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.31 + updates BDB 4.8.30 Cyrus SASL 2.1.25 OpenSSL 0.9.8w GPerftools 2.0 (Selected platforms) Heimdal Kerberos 1.5.1 (Selected platforms) Packaging: Rolled hp-overlays into Symas-OpenLDAP Gold package (no separate hp-overlays package any more). Available for selected platforms. (Symas #1623) OpenLDAP: Updated to 2.4.31 Added slapo-accesslog support for reqEntryUUID (ITS#6656) Fixed libldap IPv6 URL detection (ITS#7194) Fixed libldap rebinding on failed connection (ITS#7207) Fixed libmdb alignment of MDB_db members (ITS#7191) Fixed libmdb branch page merging on deletes (ITS#7190) Fixed libmdb page split with MDB_APPEND (ITS#7213) Fixed libmdb free page usage with entry deletion (ITS#7210) Fixed libmdb to use IOV_MAX if it is defined and small (ITS#7196) Fixed libmdb key alignment (ITS#7219) Fixed libmdb mdb_page_split (ITS#7229) Fixed libmdb with zero length IDLs (ITS#7230) Fixed slapd listener initialization (ITS#7233) Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197) Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195) Fixed slapd to reject MMR setups with bad serverID setting (ITS#7200) Fixed slapd approxIndexer key generation (ITS#7203) Fixed slapd modification of olcSuffix (ITS#7205) Fixed slapd schema validation with missing definitions (ITS#7224) Fixed slapd syncrepl -c with supplied CSN values (ITS#7245) Fixed slapd-bdb/hdb idlcache with only one element (ITS#7231) Fixed slapd-perl modify with binary values (ITS#7149) Fixed slapd-shell cn=config support (ITS#7201) Fixed slapd-shell modify with binary values (ITS#7149) Fixed slapo-accesslog deadlock with non-logged write ops (ITS#7088) Fixed slapo-syncprov sessionlog check (ITS#7218) Fixed slapo-syncprov entry leak (ITS#7234) Fixed 
slapo-syncprov startup initialization (ITS#7235) Fixed slapschema(8) formatting (ITS#7188) Fixed libmdb functionality documentation (ITS#7238) Fixed ldap_get_option(3) note inheritance behavior (ITS#7240) Fixed libldap socket polling for writes (ITS#7167) Fixed liblutil string modifications (ITS#7174) Fixed slapd crash when attrsOnly is true (ITS#7143) Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162) Fixed slapd-mdb slapadd with -q (ITS#7170) Fixed slapd-mdb slapadd with -w (ITS#7180) Fixed slapd-mdb slapindex with -q and -t (ITS#7176) Fixed slapo-pcache time-to-refresh handling (ITS#7178) Fixed slapo-syncprov loop detection (ITS#6024) Added slapo-accesslog support for reqEntryUUID (ITS#6656) Fixed libldap IPv6 URL detection (ITS#7194) Fixed libldap rebinding on failed connection (ITS#7207) Fixed libmdb alignment of MDB_db members (ITS#7191) Fixed libmdb branch page merging on deletes (ITS#7190) Fixed libmdb page split with MDB_APPEND (ITS#7213) Fixed libmdb free page usage with entry deletion (ITS#7210) Fixed libmdb to use IOV_MAX if it is defined and small (ITS#7196) Fixed libmdb key alignment (ITS#7219) Fixed libmdb mdb_page_split (ITS#7229) Fixed libmdb with zero length IDLs (ITS#7230) Fixed slapd listener initialization (ITS#7233) Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197) Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195) Fixed slapd to reject MMR setups with bad serverID setting (ITS#7200) Fixed slapd approxIndexer key generation (ITS#7203) Fixed slapd modification of olcSuffix (ITS#7205) Fixed slapd schema validation with missing definitions (ITS#7224) Fixed slapd syncrepl -c with supplied CSN values (ITS#7245) Fixed slapd-bdb/hdb idlcache with only one element (ITS#7231) Fixed slapd-perl modify with binary values (ITS#7149) Fixed slapd-shell cn=config support (ITS#7201) Fixed slapd-shell modify with binary values (ITS#7149) Fixed slapo-accesslog deadlock with non-logged write ops (ITS#7088) Fixed slapo-syncprov sessionlog
check (ITS#7218) Fixed slapo-syncprov entry leak (ITS#7234) Fixed slapo-syncprov startup initialization (ITS#7235) Renamed adauth overlay to remoteauth. Added man page slapo-remoteauth.5 (Symas #1614) Fixed remoteauth slapd.conf to dynamic config conversion issues (Symas #1635) Fixed back-ldap TLS issues (Symas #1664) Added back-ldap omit-unknown-schema support (Symas #1673) Added back-monitor enhancements (ITS#7182, Symas #1689) Added option "-o" to ldap*(1) pages (ITS#7152) Fixed ldap*(1) page cleanup (ITS#7177) Fixed ldap_modify(3) prototypes (ITS#7173) Fixed slapschema(8) formatting (ITS#7188) Fixed libmdb functionality documentation (ITS#7238) Berkeley DB: No changes. OpenSSL: Updated to 0.9.8w (Symas #1692) Corrected fix for CVS-20122110, (CVE-2012-2131) Fix for CMS/PKCS#7 MMA CVE-2012-0884 Corrected fix for CVE-2011-4619 Various DTLS fixes. Fix for ASN1 overflow bug CVE-2012-2110 Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) GPerftools: Updated to 2.0 SASL: No changes. Heimdal Kerberos: No changes. Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
============================================================================ Branch for 2.4.29 ============================================================================ This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.29 + updates BDB 4.8.30 Cyrus SASL 2.1.25 OpenSSL 0.9.8t Packaging: No changes OpenLDAP: Fixed slapd pcache fix uninitialized op->ors_deref (ITS#7178) Fixed slapd mdb quick mode index generation (ITS#7170) Fixed libldap MozNSS deferred initialization handling (ITS#7136) Fixed libldap MozNSS with TLSCertificateKeyFile not set (ITS#7135) Fixed slapd cn=config modification of first schema element (ITS#7098) Fixed slapd operation reuse (ITS#7107) Fixed slapd blocked writers to not interfere with pool pause (ITS#7115) Fixed slapd connection loop connindex usage (ITS#7131) Fixed slapd double mutex unlock via connection_done (ITS#7125) Fixed slapd check order in connection_write (ITS#7113) Fixed slapd slapadd to exit on failure (ITS#7142) Fixed slapd syncrepl reference to freed memory (ITS#7127,ITS#7132) Fixed slapd syncrepl to ignore some errors on delete (ITS#7052) Fixed slapd syncrepl to handle missing oldRDN (ITS#7144) Fixed slapd-mdb to handle overlays in tool mode (ITS#7099) Fixed slapd-mdb segfaults with page splits (ITS#7121) Fixed slapd-mdb cleanup on transaction abort (ITS#7140) Fixed slapd-mdb with attribute descriptions (ITS#7146) Fixed slapd-meta to correctly handle multiple targets (ITS#7050) Fixed slapd-monitor compare op to update cached entry (ITS#7123) Fixed slapd-perl initialization (ITS#7075) Fixed slapd-sql to properly initialize be_cf_ocs (ITS#7158) Fixed slapo-dds to properly exit when in tool mode (ITS#7099) Fixed slapo-rwm not leave empty lots with normalized attrs (ITS#7143) Fixed slapo-syncprov with already abandoned operation (ITS#7150) Fixed contrib/smbk5pwd uninitialized keys in shadowLastChange (ITS#7138) Fixed libldap socket polling for writes (ITS#7167) Fixed liblutil string 
modifications (ITS#7174) Fixed slapd crash when attrsOnly is true (ITS#7143) Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162) Fixed slapd-mdb slapindex with -q and -t (ITS#7176) Fixed slapo-syncprov loop detection (ITS#6024) Build Environment Fixed ldapsearch build on windows (ITS#7156) Fixed test001 to skip back-ldif (ITS#7101) Fixed POSIX make support (ITS#7160) Fixed slapd-mdb build on POSIX (ITS#7160) Documentation admin24 Fix typo (ITS#7117) Fixed ldap_modify(3) prototypes (ITS#7173) Fixed adauth security bug and adauth_retry_count crash issue (Symas #1566) Fixed ITS#7174 lutil_str2bin: can't modify input strings Berkeley DB OpenSSL: Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann and Michael Tuexen for preparing the fix. (CVE-2011-4108) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) Only allow one SGC handshake restart for SSL/TLS. Thanks to George Kadianakis for discovering this issue and Adam Langley for preparing the fix. (CVE-2011-4619) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein for fixing it. 
(CVE-2011-4577) Fix ssl_ciph.c set-up race. Fix spurious failures in ecdsatest.c. Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_convert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients. Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. Fix x509_name_ex_d2i memory leak on bad inputs. Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf SASL: Fixed core dump in sasl gssapi module (Symas #1546) Fixed incorrect runpath in sasl modules (Symas #1547) Fixed missing runpath in sasl utilities (Symas #1548) Heimdal Kerberos: ============================================================================ January 6, 2012 Preparation for 2.4.28 branch Packaging: Corrected conflict/prereq checking (Symas #1269) Fixed echoing of newlines in exampledb.sh and exampledb-krb5.sh Known defects: Cyrus SASL is unreliable, ONLY when reverse DNS lookup does not work for the system. Correcting reverse DNS resolves the problem. ============================================================================ December 19, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.28.20111219 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.28 BDB 4.8.30 Cyrus SASL 2.1.25 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that.
(Upgrading anything newer requires no special action) Known defects in this release: Prerequisite/conflict checking does not work correctly Changes for this release: Packaging: Added experimental back-mdb backend Removed back-ndb mysql clustering backend from redhat/suse package OpenLDAP: Fixed back-mdb out of order slapadd (ITS#7090) Fixed assertion failure in back-ldap (Symas#1155) (ITS#6851) Added libldap support for draft-wahl-ldap-session (ITS#6984) Added slapd support for draft-wahl-ldap-session (ITS#6984) Added slapadd pipelining capability (ITS#7078) Added slapd Add-if-not-present (ITS#6561) Added slapd delta-syncrepl MMR (ITS#6734,ITS#7029,ITS#7031) Added slapd-mdb experimental backend (ITS#7079) Added slapd-passwd dynamic config support Added slapd-perl dynamic config support Added slapd-shell dynamic config support Added slapd-sock support as an overlay (ITS#6666) Added slapd-sql dynamic config support Added contrib/passwd APR1 support (ITS#6826) Fixed slapi linking on AIX (ITS#3272) Fixed ldapmodify crash with LDIF controls (ITS#7039) Fixed ldapsearch to honor timeout and timelimit (ITS#7009) Fixed libldap endless looping (ITS#7035) Fixed libldap TLS to not check hostname when using 'allow' (ITS#7014) Fixed libldap GnuTLS cert dn parse (ITS#7051) Fixed libldap MozNSS correctly destroy SSL_PeerCertificate (ITS#6980) Fixed libldap MozNSS with issuer expiration and verify never (ITS#6998) Fixed libldap MozNSS memory leak (ITS#7001) Fixed libldap MozNSS allow/try behavior (ITS#7002) Fixed libldap MozNSS to be thread safe (ITS#7022) Fixed libldap MozNSS SSL_ForceHandshake to use a mutex (ITS#7034) Fixed libldap MozNSS with wildcard certs (ITS#7006) Fixed liblutil MD5 initialization (ITS#6982) Fixed slapadd common code into slapcommon (ITS#6737) Fixed slapd backend connection initialization (ITS#6993) Fixed slapd frontend DB parsing in cn=config (ITS#7016) Fixed slapd hang with {numbered} overlay insertion (ITS#7030) Fixed slapd inet_ntop usage (ITS#6925) 
Fixed slapd cn=config deletion of bitmasks (ITS#7083) Fixed slapd cn=config modify replace/delete crash (ITS#7065) Fixed slapd schema UTF8StringNormalize with 0 length values (ITS#7059) Fixed slapd with dynamic acls for cn=config (ITS#7066) Fixed slapd response callbacks (ITS#6059,ITS#7062) Fixed slapd no_connection warnings with ldapi (ITS#6548,ITS#7092) Fixed slapd return code processing (ITS#7060) Fixed slapd sl_malloc various issues (ITS#6437) Fixed slapd startup behavior (ITS#6848) Fixed slapd syncrepl crash with non-replicated ops (ITS#6892) Fixed slapd syncrepl with modrdn (ITS#7000,ITS#6472) Fixed slapd syncrepl timeout when using refreshAndPersist (ITS#6999) Fixed slapd syncrepl deletes need a non-empty CSN (ITS#7052) Fixed slapd syncrepl glue for empty suffix (ITS#7037) Fixed slapd results cleanup (ITS#6763,ITS#7053) Fixed slapd validation of args for TLSCertificateFile (ITS#7012) Fixed slapd-bdb/hdb to build entry DN based on parent DN (ITS#5326) Fixed slapd-hdb with zero-length entries (ITS#7073) Fixed slapd-hdb duplicate entries in subtree IDL cache (ITS#6983) Fixed slapo-constraint conversion to back-config (ITS#6986) Fixed slapo-dds tag in refresh response (ITS#6886) Fixed slapo-dds TTL tolerance (ITS#7017) Fixed slapo-lastbind so authTimestamp is manageable (ITS#6873) Fixed slapo-pcache response cleanup (ITS#6981) Fixed slapo-ppolicy pwdAllowUserChange behavior (ITS#7021) Fixed slapo-sssvlv issue with greaterThanorEqual (ITS#6985) Fixed slapo-sssvlv to only return requested attrs (ITS#7061) Fixed slapo-syncprov DSA attribute filtering for Persist mode (ITS#7019) Fixed slapo-syncprov when consumer has newer state of our SID (ITS#7040) Fixed slapo-syncprov crash (ITS#7025) Fixed slapo-unique URI checking of "host" portion (ITS#7018) Fixed contrib/autogroup double-free (ITS#6972) Fixed contrib/smbk5pwd cn=config deletion of bitmasks (ITS#7083) Fixed contrib/smbk5pwd on 64-bit systems (ITS#7082) Added missing LDIF form of schema files (ITS#7063) Fixed 
creation and installation of slapd.ldif (ITS#7015) Fixed libnet linking (ITS#7071) ldapmodify(1) Fixed minor typo in -S option description (ITS#7086) ldap_sync(3) Document ldap_sync_destroy (ITS#7028) slapo-unique(5) Fix keyword quoting (ITS#7028) Berkeley DB: No changes OpenSSL: No changes SASL: Upgrade to Cyrus SASL 2.1.25 Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================ October 20, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.26.20111020 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.26 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. (Upgrading anything newer requires no special action) Known defects in this release: None Changes for this release: Packaging: None OpenLDAP: Ensure batched syncrepl deletes create no local CSNs (Symas#1414), (ITS#7049), (ITS#7052) Fix slapo-homedir multi-regex insertion support (Symas#1452) Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. 
Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================ September 1, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.26.20110901 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.26 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. (Upgrading anything newer requires no special action) Known defects in this release: None Changes for this release: Packaging: None OpenLDAP: Fixed slapd modrdn operations on hdb databases create incorrect return results (ITS#6983) Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================ July 22, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.26.1 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.26 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. 
(Upgrading anything newer requires no special action) Known defects in this release: None Changes for this release: Packaging: Correct version number that is reported for Symas OpenLDAP by the Solaris pkginfo command for Solaris platforms (Symas #715) OpenLDAP: Enabled OpenLDAP slapi support (Symas #1320) Fixed SunOS package version numbering (Symas #715) Added Samba 3 schema file to distribution (Symas #1286) Fixed memberof sub-operation timestamp generation (Symas #1238) (ITS#6915) Added libldap LDAP_OPT_X_TLS_PACKAGE (ITS#6969) Fixed libldap MozNSS with CACertDir (ITS#6975) Fixed libldap MozNSS with PR_SetEnv (ITS#6862) Fixed libldap descriptor leak (ITS#6929) Fixed libldap socket leak (ITS#6930) Fixed libldap get option crash (ITS#6931) Fixed libldap lockup (ITS#6898) Fixed libldap ASYNC TLS setup (ITS#6828) Fixed libldap with missing \n terminations (ITS#6947) Fixed tools double free (ITS#6946) Fixed tools verbose output (ITS#6977) Fixed ldapmodify SEGV on invalid LDIF (ITS#6978) Added slapd extra_attrs database option (ITS#6513) Fixed slapd asserts (ITS#6932) Fixed slapd configfile param on windows (ITS#6933) Fixed slapd config with global chaining (ITS#6843) Fixed slapd uninitialized variables (ITS#6935) Fixed slapd config objectclass is readonly (ITS#6963) Fixed slapd entry response with control (ITS#6899) Fixed slapd with unknown attrs (ITS#6819) Fixed slapd normalization of schema RDN (ITS#6967) Fixed slapd operations cache to 10 op limit (ITS#6944) Fixed slapd syncrepl crash with non-replicated ops (ITS#6892) Fixed slapd-bdb/hdb with sparse index ranges (ITS#6961) Fixed slapd-monitor stray code cleanup (ITS#6974) Fixed back-ldap ppolicy updates (ITS#6711) Fixed back-ldap with id-assert (ITS#6817) Fixed slapd-meta reentry issues (ITS#6909) Fixed slapd-sql length of data type (ITS#6657,ITS#6691) Added slapo-accesslog filter matching (ITS#6815) Fixed slapo-accesslog with invalid attrs (ITS#6819) Added slapo-auditlog connID and peername logging (ITS#6936) 
Fixed slapo-memberof with accesslog (ITS#6329,ITS#6766,ITS#6915) Fixed slapo-pcache with unknown attrs (ITS#6823) Fixed slapo-pcache with '1.1', '+', and '*' attrs (ITS#6950) Fixed slapo-pcache buffersize issues (ITS#6951) Fixed slapo-pcache refresh (ITS#6953) Fixed slapo-pcache with pCacheBind (ITS#6954) Fixed slapo-pcache database corruption (ITS#6831) Fixed slapo-rwm with attributes with no equality rule (ITS#6943) Fixed slapo-sssvlv limits check when global (ITS#6973) Fixed slapo-syncprov with replicated subtrees (ITS#6872) Fixed slapo-unique with managedsait (ITS#6641) Fixed slapo-unique filter with zero-length values (ITS#6901) Added contrib/acl GSS naming extensions ACL module Fixed contrib/smbk5pwd with shadowLastChange (ITS#6955) Build Environment Fixed builds that do not have GETTIMEOFDAY (ITS#6885) Fixed libldap libfetch dependency (ITS#6889) Documentation ldap_get_dn(3) add man page (ITS#6959) slapo-nssov(5) Fixed typo (ITS#6934) slapd-backends(5) update recommended database backend (ITS#6904) slapd-bdb(5) update recommended database backend (ITS#6904) slapd-hdb(5) update recommended database backend (ITS#6904) admin24 update that cn=config is preferred (ITS#6905) admin24 update information about indexes (ITS#6906) admin24 fix --enable-wrappers option (ITS#6971) Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you!
============================================================================ July 22, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.25.3 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.25 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. (Upgrading anything newer requires no special action) Known defects in this release: None Changes for this release: Packaging: Correct version number that is reported for Symas OpenLDAP by the Solaris pkginfo command for Solaris platforms (Symas #715) OpenLDAP: No changes Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ April 6, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.25.2 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.25 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that.
(Upgrading anything newer requires no special action) Known defects in this release: The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: Correct version number problem in Red Hat/SuSE packaging that interfered with correct dependency tracking (Symas #1280) OpenLDAP: (including previous devrelease notes) No changes Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ March 30, 2011 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.25.1 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.25 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8r Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that.
(Upgrading anything newer requires no special action) Known defects in this release: None Changes for this release: Packaging: Change to the package file name format to reduce confusion (Symas #1241) Fixed missing ldapmodify.exe in windows package (Symas #1057) Fixed openssl tool interpreters for client package (Symas #787) OpenLDAP: (including previous devrelease notes) Fixed ldapsearch pagedresults loop (ITS#6755) Fixed tools for incompatible args (ITS#6849) Fixed libldap MozNSS crash (ITS#6863) Fixed slapd add objectclasses in order (ITS#6837) Added slapd ordering for uidNumber and gidNumber (ITS#6852) Fixed slapd segfault when adding values out of order (ITS#6858) Fixed slapd sortval handling (ITS#6845) Fixed slapd-bdb with slapadd/index quick option (ITS#6853) Fixed slapd-ldap chain cn=config support (ITS#6837) Fixed slapd-ldap chain with slapd.conf (ITS#6857) Fixed slapd-meta deadlock (ITS#6846) Fixed slapo-sssvlv with multiple requests (ITS#6850) Fixed contrib/lastbind install rules (ITS#6238) Fixed contrib/cloak install rules (ITS#6877) Build Environment Fixed windows NT threads build (ITS#6859) Fixed libldap/lberl/util if/else usage (ITS#6832) Fixed Windows odbc32 detection (ITS#6125) Fixed Windows msys build (ITS#6870) Fixed test020 exit codes (ITS#6404) Documentation admin24 guide ldapi usage (ITS#6839) admin24 guide conversion notes (ITS#6834) admin24 guide fix drawback math for syncrepl (ITS#6866) admin24 guide note manpages are definitive (ITS#6855) Berkeley DB: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.
    Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you!

============================================================================
March 28, 2011

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.25.0p20110328 (Developer Prerelease)

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.25
    BDB 4.8.30
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8r

Upgrade warning:

    See notes for 2.4.21.0 if upgrading from releases prior to that.
    (Upgrading anything newer requires no special action)

Known defects in this release:

    CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787)
    The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715)

Changes for this release:

  Packaging:
    Change to the package file name format to reduce confusion (Symas #1241)
    Fixed missing ldapmodify.exe in windows package (Symas #1057)

  OpenLDAP: (including previous devrelease notes)
    Fixed ldapsearch pagedresults loop (ITS#6755)
    Fixed tools for incompatible args (ITS#6849)
    Fixed libldap MozNSS crash (ITS#6863)
    Fixed slapd add objectclasses in order (ITS#6837)
    Added slapd ordering for uidNumber and gidNumber (ITS#6852)
    Fixed slapd segfault when adding values out of order (ITS#6858)
    Fixed slapd sortval handling (ITS#6845)
    Fixed slapd-bdb with slapadd/index quick option (ITS#6853)
    Fixed slapd-ldap chain cn=config support (ITS#6837)
    Fixed slapd-ldap chain with slapd.conf (ITS#6857)
    Fixed slapd-meta deadlock (ITS#6846)
    Fixed slapo-sssvlv with multiple requests (ITS#6850)
    Fixed contrib/lastbind install rules (ITS#6238)
    Fixed contrib/cloak install rules (ITS#6877)
    Build Environment
      Fixed windows NT threads build (ITS#6859)
      Fixed libldap/lberl/util if/else usage (ITS#6832)
      Fixed Windows odbc32 detection (ITS#6125)
      Fixed Windows msys build (ITS#6870)
      Fixed test020 exit codes (ITS#6404)
    Documentation
      admin24 guide ldapi usage (ITS#6839)
      admin24 guide conversion notes (ITS#6834)
      admin24 guide fix drawback math for syncrepl (ITS#6866)
      admin24 guide note manpages are definitive (ITS#6855)

  Berkeley DB:
    No changes

  OpenSSL:
    No changes

  SASL:
    No changes

Status of this release:

    This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages.

    Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================
March 23, 2011

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.24.1

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.24 + many updates
    BDB 4.8.30
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8r

Upgrade warning:

    See notes for 2.4.21.0 if upgrading from releases prior to that.
    (Upgrading anything newer requires no special action)

Known defects in this release:

    CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787)
    The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715)

Changes for this release:

  Packaging:
    No changes

  OpenLDAP: (including previous devrelease notes)
    Added fix for slapadd -q hang (ITS#6853)
    Added fix for sortvals and other cases (ITS#6845)
    Added fix for back-ldap idassert TLS conf without aclbind (ITS#6711)
    Added LDIF line wrapping setting (ITS#6645)
    Added MozNSS support (ITS#6714,ITS#6742,ITS#6790,ITS#6791)
    Added MozNSS support (ITS#6802,ITS#6811,ITS#6816,ITS#5696)
    Added libldap concurrency support (ITS#6625,ITS#5421)
    Added libldap cert x500UniqueIdentifier handling (ITS#6741)
    Added slapadd attribute value checking (ITS#6592)
    Added slapcat continue mode for problematic DBs (ITS#6482)
    Added slapd syncrepl suffixmassage support (ITS#6781)
    Added slapd multiple listener threads (ITS#6780)
    Added slapd extensible match for ordering rules (ITS#6532)
    Added slapd-meta paged results control forwarding (ITS#6664)
    Added slapd-meta subtree-include support (ITS#6801)
    Added slapd-null back-config support (ITS#6624)
    Added slapd-sql autocommit support (ITS#6612)
    Added slapd-sql support for long long keys (ITS#6617)
    Added slapo-sssvlv multiple sorts per connection (ITS#6686)
    Added contrib/autogroup LDAP URI with attribute filter (ITS#6536)
    Added contrib/dupent module (ITS#6630)
    Added contrib/lastbind (ITS#6238)
    Added contrib/kinit for kerberos tickets
    Added contrib/noopsrch for entry counting (ITS#6598)
    Fixed client tools control logging (ITS#6775)
    Fixed client tools one time leak (ITS#6778)
    Fixed liblber to not close invalid sockets (ITS#6585)
    Fixed liblber unmatched brace handling (ITS#6764)
    Fixed liblber error setting (ITS#6732)
    Fixed liblber memory debugging (ITS#6733)
    Fixed libldap connectionless warnings (ITS#6747)
    Fixed libldap dnssrv port format specifier (ITS#6644)
    Fixed libldap EOF handling (ITS#6723)
    Fixed libldap GnuTLS hang on socket close (ITS#6673)
    Fixed libldap sasl partial write handling (ITS#6639)
    Fixed libldap search leak (ITS#6453)
    Fixed libldap referral chasing (ITS#6602)
    Fixed libldap leak when chasing referrals (ITS#6744)
    Fixed libldap url parsing with NULL host (ITS#6653)
    Fixed libldap ldap_open_internal_connection (ITS#6788)
    Fixed libldap sync checking for BER errors (ITS#6738)
    Fixed libldap variable usage (ITS#6813)
    Fixed liblutil getpass prompts (ITS#6702)
    Fixed ldapsearch segfault with deref (ITS#6638)
    Fixed ldapsearch multiple controls parsing (ITS#6651)
    Fixed slapd SlapReply usage (ITS#6758)
    Fixed slapd acl parsing overflow (ITS#6611)
    Fixed slapd acl when resuming parsing (ITS#6804)
    Fixed slapd default config acls with overlays (ITS#6822)
    Fixed slapd assert control (ITS#5862)
    Fixed slapd assertions and debugging (ITS#6759)
    Fixed slapd config leak with olcDbDirectory (ITS#6634)
    Fixed slapd connectionless warnings (ITS#6747)
    Fixed slapd listeners destruction (ITS#6736)
    Fixed slapd to free controls if needed (ITS#6629)
    Fixed slapd to stop if given unknown options (ITS#6754)
    Fixed slapd entry comparisons (ITS#6753)
    Fixed slapd filter leak (ITS#6635)
    Fixed slapd matching rules for strict ordering (ITS#6722)
    Fixed slapd when first acl is value dependent (ITS#6693)
    Fixed slapd modify to return actual error (ITS#6581)
    Fixed slapd modrdn with empty DN (ITS#6768)
    Fixed slapd c_authz_backend setting (ITS#6824)
    Fixed slapd sortvals of attributes with 1 value (ITS#6715)
    Fixed slapd syncrepl reuse of presence list (ITS#6707)
    Fixed slapd syncrepl uninitialized return code (ITS#6719)
    Fixed slapd syncrepl variable initialization (ITS#6739)
    Fixed slapd syncrepl refresh to use complete cookie (ITS#6807)
    Fixed slapd-bdb hasSubordinates generation (ITS#6712)
    Fixed slapd-bdb entry cache delete failure (ITS#6577)
    Fixed slapd-bdb entry cache leak on multi-core systems (ITS#6660)
    Fixed slapd-bdb error propagation to overlays (ITS#6633)
    Fixed slapd-bdb slapadd -q with glued dbs (ITS#6794)
    Fixed slapd-ldap debug output of timeout (ITS#6721)
    Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
    Fixed slapd-ldap chaining with bind failures (ITS#6607)
    Fixed slapd-ldap chaining with onelevel scope (ITS#6699)
    Fixed slapd-ldap chaining with ppolicy (ITS#6540)
    Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
    Fixed slapd-ldap crasher on matchedDN (ITS#6793)
    Fixed slapd-ldap with unknown objectClasses (ITS#6814)
    Fixed slapd-ldif error strings (ITS#6731)
    Fixed slapd-ndb to honor rootpw setting (ITS#6661)
    Fixed slapd-ndb hasSubordinates generation (ITS#6712)
    Fixed slapd-ndb variable initialization (ITS#6806)
    Fixed slapd-ndb with out of order attributes (ITS#6821)
    Fixed slapd-meta anon retry with failed auth method (ITS#6643)
    Fixed slapd-meta rebind proc (ITS#6665)
    Fixed slapd-meta to correctly rebind as user (ITS#6574)
    Fixed slapd-meta with SASL/EXTERNAL (ITS#6642)
    Fixed slapd-meta matchedDN return code (ITS#6774)
    Fixed slapd-meta candidate selection (ITS#6799)
    Fixed slapd-meta attribute normalization (ITS#6818)
    Fixed slapd-monitor hasSubordinates generation (ITS#6712)
    Fixed slapd-monitor abandon processing (ITS#6783)
    Fixed slapd-monitor entry locks (ITS#6787)
    Fixed slapd-sock missing newline in Compare operation (ITS#6809)
    Fixed slapd-sql with null objectClass (ITS#6616)
    Fixed slapd-sql hasSubordinates generation (ITS#6712)
    Fixed slapo-accesslog with controls (ITS#6652)
    Fixed slapo-dynlist callbacks (ITS#6752)
    Fixed slapo-dynlist entry handling (ITS#6752)
    Fixed slapo-memberof CSN generation (ITS#6766)
    Fixed slapo-memberof log messages (ITS#6748)
    Fixed slapo-memberof with an empty groupOfNames (ITS#6670)
    Fixed slapo-memberof with modrdn operations (ITS#6700)
    Fixed slapo-pcache callback freeing (ITS#6640)
    Fixed slapo-pcache to ignore undefined attrs (ITS#6600)
    Fixed slapo-pcache pointer freeing (ITS#6797)
    Fixed slapo-pcache with negative caching (ITS#6796)
    Fixed slapo-pcache monitoring cleanup (ITS#6808)
    Fixed slapo-ppolicy don't update opattrs on consumers (ITS#6608)
    Fixed slapo-ppolicy to allow userPassword deletion (ITS#6620)
    Fixed slapo-refint when last group member is deleted (ITS#6663)
    Fixed slapo-refint with subtree rename (ITS#6730)
    Fixed slapo-rwm double free (ITS#6720)
    Fixed slapo-rwm crasher (ITS#6632,ITS#6727)
    Fixed slapo-rwm entry handling (ITS#6760)
    Fixed slapo-rwm response hang (ITS#6792)
    Fixed slapo-sssvlv initialization (ITS#6649)
    Fixed slapo-sssvlv to not advertise when unused (ITS#6647)
    Fixed slapo-sssvlv result code (ITS#6685)
    Fixed slapo-syncprov to send error if consumer is newer (ITS#6606)
    Fixed slapo-syncprov filter race condition (ITS#6708)
    Fixed slapo-syncprov active mod race (ITS#6709)
    Fixed slapo-syncprov to refresh if context is dirty (ITS#6710)
    Fixed slapo-syncprov CSN updates to all replicas (ITS#6718)
    Fixed slapo-syncprov sessionlog ordering (ITS#6716)
    Fixed slapo-syncprov sessionlog with adds (ITS#6503)
    Fixed slapo-syncprov mutex (ITS#6438)
    Fixed slapo-syncprov mincsn check with MMR (ITS#6717)
    Fixed slapo-syncprov control leak (ITS#6795)
    Fixed slapo-syncprov error codes (ITS#6812)
    Fixed slapo-translucent entry leak (ITS#6746)
    Fixed contrib/autogroup install location (ITS#6684)
    Fixed contrib/autogroup crash with ppolicy (ITS#6684)
    Fixed contrib/autogroup with non-DN URIs (ITS#6684)
    Fixed contrib/autogroup with memberOf overlay (ITS#6684)
    Fixed contrib/cloak when returning multiple entries (ITS#6762)
    Fixed contrib/nssov to only close socket on shutdown (ITS#6676)
    Fixed contrib/nssov multi platform support (ITS#6604)
    Build Environment
      Added support for [unsigned] long long (ITS#6622)
      Added slapd support for BDB 5.0+ (ITS#6698)
      Fixed config.guess/sub to pick up newer OSes (ITS#6547)
      Fixed libldap mutex code - cleanup (ITS#6672)
      Fixed libldap unnecessary ifdef's (ITS#6603)
      Fixed slapd-tester EOF handling (ITS#6723)
      Fixed slapd-tester filter initialization (ITS#6735)
      Fixed test scripts with alternate testdir (ITS#6782)
      Removed antiquated SunOS LWP support (ITS#6669)
    Documentation
      admin24 guide fix examples (ITS#6681)
      admin24 guide typo fixes (ITS#6609)
      admin24 guide refint rootdn requirement (ITS#6364)
      admin24 add pcache overlay section (ITS#6521)
      ldap_open(3) document ldap_set_urllist_proc (ITS#6601)
      ldap.conf(5) GnuTLS cipher spec info (ITS#6525)
      slapd.conf(5) GnuTLS cipher spec info (ITS#6525)
      slapd.conf(5) multi-listener support (ITS#6780)
      slapd-config(5) GnuTLS cipher spec info (ITS#6525)
      slapd-config(5) multi-listener support (ITS#6780)
      slapd-meta(5) note deprecated items (ITS#6800)
      slapd-meta(5) document subtree-include (ITS#6801)
      slapo-pcache(5) note rootdn requirement (ITS#6522)
      slapo-refint(5) rootdn requirement (ITS#6364)

  Berkeley DB:
    No changes

  OpenSSL: (including changes from the dev release)
    Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
    Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous.
    Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. (CVE-2010-4180)
    Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. (CVE-2010-4252)
    Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. (CVE-2010-3864)
    Fix for double free bug in ssl/s3_clnt.c (CVE-2010-2939)
    Don't reencode certificate when calculating signature: cache and use the original encoding instead. This makes signature verification of some broken encodings work correctly.
    ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs.
    Don't repeatedly append PBE algorithms to table if they already exist. Sort table on each new add. This effectively makes the table read only after all algorithms are added and subsequent calls to PKCS12_pbe_add etc are non-op.
    Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742)
    Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail.

  SASL:
    No changes

Status of this release:

    This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

    Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you!

============================================================================
March 7, 2011

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.24.0p20110307 (Developer Prerelease)

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.24 + updates
    BDB 4.8.30
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8r

Upgrade warning:

    See notes for 2.4.21.0 if upgrading from releases prior to that.
    (Upgrading anything newer requires no special action)

Known defects in this release:

    CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787)
    The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715)

Changes for this release:

  Packaging:
    No changes

  OpenLDAP: (including changes from the last dev release)
    Added fix for sortvals and other cases (ITS#6845)
    Added fix for back-ldap idassert TLS conf without aclbind (ITS#6711)
    Added LDIF line wrapping setting (ITS#6645)
    Added MozNSS support (ITS#6714,ITS#6742,ITS#6790,ITS#6791)
    Added MozNSS support (ITS#6802,ITS#6811,ITS#6816,ITS#5696)
    Added libldap concurrency support (ITS#6625,ITS#5421)
    Added libldap cert x500UniqueIdentifier handling (ITS#6741)
    Added slapadd attribute value checking (ITS#6592)
    Added slapcat continue mode for problematic DBs (ITS#6482)
    Added slapd syncrepl suffixmassage support (ITS#6781)
    Added slapd multiple listener threads (ITS#6780)
    Added slapd extensible match for ordering rules (ITS#6532)
    Added slapd-meta paged results control forwarding (ITS#6664)
    Added slapd-meta subtree-include support (ITS#6801)
    Added slapd-null back-config support (ITS#6624)
    Added slapd-sql autocommit support (ITS#6612)
    Added slapd-sql support for long long keys (ITS#6617)
    Added slapo-sssvlv multiple sorts per connection (ITS#6686)
    Added contrib/autogroup LDAP URI with attribute filter (ITS#6536)
    Added contrib/dupent module (ITS#6630)
    Added contrib/lastbind (ITS#6238)
    Added contrib/kinit for kerberos tickets
    Added contrib/noopsrch for entry counting (ITS#6598)
    Fixed client tools control logging (ITS#6775)
    Fixed client tools one time leak (ITS#6778)
    Fixed liblber to not close invalid sockets (ITS#6585)
    Fixed liblber unmatched brace handling (ITS#6764)
    Fixed liblber error setting (ITS#6732)
    Fixed liblber memory debugging (ITS#6733)
    Fixed libldap connectionless warnings (ITS#6747)
    Fixed libldap dnssrv port format specifier (ITS#6644)
    Fixed libldap EOF handling (ITS#6723)
    Fixed libldap GnuTLS hang on socket close (ITS#6673)
    Fixed libldap sasl partial write handling (ITS#6639)
    Fixed libldap search leak (ITS#6453)
    Fixed libldap referral chasing (ITS#6602)
    Fixed libldap leak when chasing referrals (ITS#6744)
    Fixed libldap url parsing with NULL host (ITS#6653)
    Fixed libldap ldap_open_internal_connection (ITS#6788)
    Fixed libldap sync checking for BER errors (ITS#6738)
    Fixed libldap variable usage (ITS#6813)
    Fixed liblutil getpass prompts (ITS#6702)
    Fixed ldapsearch segfault with deref (ITS#6638)
    Fixed ldapsearch multiple controls parsing (ITS#6651)
    Fixed slapd SlapReply usage (ITS#6758)
    Fixed slapd acl parsing overflow (ITS#6611)
    Fixed slapd acl when resuming parsing (ITS#6804)
    Fixed slapd default config acls with overlays (ITS#6822)
    Fixed slapd assert control (ITS#5862)
    Fixed slapd assertions and debugging (ITS#6759)
    Fixed slapd config leak with olcDbDirectory (ITS#6634)
    Fixed slapd connectionless warnings (ITS#6747)
    Fixed slapd listeners destruction (ITS#6736)
    Fixed slapd to free controls if needed (ITS#6629)
    Fixed slapd to stop if given unknown options (ITS#6754)
    Fixed slapd entry comparisons (ITS#6753)
    Fixed slapd filter leak (ITS#6635)
    Fixed slapd matching rules for strict ordering (ITS#6722)
    Fixed slapd when first acl is value dependent (ITS#6693)
    Fixed slapd modify to return actual error (ITS#6581)
    Fixed slapd modrdn with empty DN (ITS#6768)
    Fixed slapd c_authz_backend setting (ITS#6824)
    Fixed slapd sortvals of attributes with 1 value (ITS#6715)
    Fixed slapd syncrepl reuse of presence list (ITS#6707)
    Fixed slapd syncrepl uninitialized return code (ITS#6719)
    Fixed slapd syncrepl variable initialization (ITS#6739)
    Fixed slapd syncrepl refresh to use complete cookie (ITS#6807)
    Fixed slapd-bdb hasSubordinates generation (ITS#6712)
    Fixed slapd-bdb entry cache delete failure (ITS#6577)
    Fixed slapd-bdb entry cache leak on multi-core systems (ITS#6660)
    Fixed slapd-bdb error propagation to overlays (ITS#6633)
    Fixed slapd-bdb slapadd -q with glued dbs (ITS#6794)
    Fixed slapd-ldap debug output of timeout (ITS#6721)
    Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
    Fixed slapd-ldap chaining with bind failures (ITS#6607)
    Fixed slapd-ldap chaining with onelevel scope (ITS#6699)
    Fixed slapd-ldap chaining with ppolicy (ITS#6540)
    Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
    Fixed slapd-ldap crasher on matchedDN (ITS#6793)
    Fixed slapd-ldap with unknown objectClasses (ITS#6814)
    Fixed slapd-ldif error strings (ITS#6731)
    Fixed slapd-ndb to honor rootpw setting (ITS#6661)
    Fixed slapd-ndb hasSubordinates generation (ITS#6712)
    Fixed slapd-ndb variable initialization (ITS#6806)
    Fixed slapd-ndb with out of order attributes (ITS#6821)
    Fixed slapd-meta anon retry with failed auth method (ITS#6643)
    Fixed slapd-meta rebind proc (ITS#6665)
    Fixed slapd-meta to correctly rebind as user (ITS#6574)
    Fixed slapd-meta with SASL/EXTERNAL (ITS#6642)
    Fixed slapd-meta matchedDN return code (ITS#6774)
    Fixed slapd-meta candidate selection (ITS#6799)
    Fixed slapd-meta attribute normalization (ITS#6818)
    Fixed slapd-monitor hasSubordinates generation (ITS#6712)
    Fixed slapd-monitor abandon processing (ITS#6783)
    Fixed slapd-monitor entry locks (ITS#6787)
    Fixed slapd-sock missing newline in Compare operation (ITS#6809)
    Fixed slapd-sql with null objectClass (ITS#6616)
    Fixed slapd-sql hasSubordinates generation (ITS#6712)
    Fixed slapo-accesslog with controls (ITS#6652)
    Fixed slapo-dynlist callbacks (ITS#6752)
    Fixed slapo-dynlist entry handling (ITS#6752)
    Fixed slapo-memberof CSN generation (ITS#6766)
    Fixed slapo-memberof log messages (ITS#6748)
    Fixed slapo-memberof with an empty groupOfNames (ITS#6670)
    Fixed slapo-memberof with modrdn operations (ITS#6700)
    Fixed slapo-pcache callback freeing (ITS#6640)
    Fixed slapo-pcache to ignore undefined attrs (ITS#6600)
    Fixed slapo-pcache pointer freeing (ITS#6797)
    Fixed slapo-pcache with negative caching (ITS#6796)
    Fixed slapo-pcache monitoring cleanup (ITS#6808)
    Fixed slapo-ppolicy don't update opattrs on consumers (ITS#6608)
    Fixed slapo-ppolicy to allow userPassword deletion (ITS#6620)
    Fixed slapo-refint when last group member is deleted (ITS#6663)
    Fixed slapo-refint with subtree rename (ITS#6730)
    Fixed slapo-rwm double free (ITS#6720)
    Fixed slapo-rwm crasher (ITS#6632,ITS#6727)
    Fixed slapo-rwm entry handling (ITS#6760)
    Fixed slapo-rwm response hang (ITS#6792)
    Fixed slapo-sssvlv initialization (ITS#6649)
    Fixed slapo-sssvlv to not advertise when unused (ITS#6647)
    Fixed slapo-sssvlv result code (ITS#6685)
    Fixed slapo-syncprov to send error if consumer is newer (ITS#6606)
    Fixed slapo-syncprov filter race condition (ITS#6708)
    Fixed slapo-syncprov active mod race (ITS#6709)
    Fixed slapo-syncprov to refresh if context is dirty (ITS#6710)
    Fixed slapo-syncprov CSN updates to all replicas (ITS#6718)
    Fixed slapo-syncprov sessionlog ordering (ITS#6716)
    Fixed slapo-syncprov sessionlog with adds (ITS#6503)
    Fixed slapo-syncprov mutex (ITS#6438)
    Fixed slapo-syncprov mincsn check with MMR (ITS#6717)
    Fixed slapo-syncprov control leak (ITS#6795)
    Fixed slapo-syncprov error codes (ITS#6812)
    Fixed slapo-translucent entry leak (ITS#6746)
    Fixed contrib/autogroup install location (ITS#6684)
    Fixed contrib/autogroup crash with ppolicy (ITS#6684)
    Fixed contrib/autogroup with non-DN URIs (ITS#6684)
    Fixed contrib/autogroup with memberOf overlay (ITS#6684)
    Fixed contrib/cloak when returning multiple entries (ITS#6762)
    Fixed contrib/nssov to only close socket on shutdown (ITS#6676)
    Fixed contrib/nssov multi platform support (ITS#6604)
    Build Environment
      Added support for [unsigned] long long (ITS#6622)
      Added slapd support for BDB 5.0+ (ITS#6698)
      Fixed config.guess/sub to pick up newer OSes (ITS#6547)
      Fixed libldap mutex code - cleanup (ITS#6672)
      Fixed libldap unnecessary ifdef's (ITS#6603)
      Fixed slapd-tester EOF handling (ITS#6723)
      Fixed slapd-tester filter initialization (ITS#6735)
      Fixed test scripts with alternate testdir (ITS#6782)
      Removed antiquated SunOS LWP support (ITS#6669)
    Documentation
      admin24 guide fix examples (ITS#6681)
      admin24 guide typo fixes (ITS#6609)
      admin24 guide refint rootdn requirement (ITS#6364)
      admin24 add pcache overlay section (ITS#6521)
      ldap_open(3) document ldap_set_urllist_proc (ITS#6601)
      ldap.conf(5) GnuTLS cipher spec info (ITS#6525)
      slapd.conf(5) GnuTLS cipher spec info (ITS#6525)
      slapd.conf(5) multi-listener support (ITS#6780)
      slapd-config(5) GnuTLS cipher spec info (ITS#6525)
      slapd-config(5) multi-listener support (ITS#6780)
      slapd-meta(5) note deprecated items (ITS#6800)
      slapd-meta(5) document subtree-include (ITS#6801)
      slapo-pcache(5) note rootdn requirement (ITS#6522)
      slapo-refint(5) rootdn requirement (ITS#6364)

  Berkeley DB:
    No changes

  OpenSSL: (including changes from the dev release)
    Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
    Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous.
    Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. (CVE-2010-4180)
    Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. (CVE-2010-4252)
    Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. (CVE-2010-3864)
    Fix for double free bug in ssl/s3_clnt.c (CVE-2010-2939)
    Don't reencode certificate when calculating signature: cache and use the original encoding instead. This makes signature verification of some broken encodings work correctly.
    ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs.
    Don't repeatedly append PBE algorithms to table if they already exist. Sort table on each new add. This effectively makes the table read only after all algorithms are added and subsequent calls to PKCS12_pbe_add etc are non-op.
    Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742)
    Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail.

  SASL:
    No changes

Status of this release:

    This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages.

    Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================
December 21, 2010

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.24.0p20101221 (Developer Prerelease)

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.23 + RE24 and stuff
    BDB 4.8.30
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8q

Upgrade warning:

    See notes for 2.4.21.0 if upgrading from releases prior to that.
    (Upgrading anything newer requires no special action)

Known defects in this release:

    CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787)
    The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715)

Changes for this release:

  Packaging:
    No changes

  OpenLDAP:
    Added slapd-null back-config support (ITS#6624)
    Added slapd-sql autocommit support (ITS#6612)
    Fixed liblber to not close invalid sockets (ITS#6585)
    Fixed libldap dnssrv port format specifier (ITS#6644)
    Fixed libldap GnuTLS hang on socket close (ITS#6673)
    Fixed libldap sasl partial write handling (ITS#6639)
    Fixed libldap referral chasing (ITS#6602)
    Fixed libldap url parsing with NULL host (ITS#6653)
    Fixed liblutil getpass prompts (ITS#6702)
    Fixed ldapsearch segfault with deref (ITS#6638)
    Fixed slapd acl parsing overflow (ITS#6611)
    Fixed slapd when first acl is value dependent (ITS#6693)
    Fixed slapd modify to return actual error (ITS#6581)
    Fixed slapd sortvals of attributes with 1 value (ITS#6715)
    Fixed slapd syncrepl reuse of presence list (ITS#6707)
    Fixed slapd-bdb entry cache delete failure (ITS#6577)
    Fixed slapd-ldap debug output of timeout (ITS#6721)
    Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
    Fixed slapd-ndb to honor rootpw setting (ITS#6661)
    Fixed slapd-meta anon retry with failed auth method (ITS#6643)
    Fixed slapd-meta rebind proc (ITS#6665)
    Fixed slapd-meta to correctly rebind as user (ITS#6574)
    Fixed slapd-sql with null objectClass (ITS#6616)
    Fixed slapo-pcache callback freeing (ITS#6640)
    Fixed slapo-pcache to ignore undefined attrs (ITS#6600)
    Fixed slapo-ppolicy don't update opattrs on consumers (ITS#6608)
    Fixed slapo-sssvlv initialization (ITS#6649)
    Fixed slapo-syncprov to send error if consumer is newer (ITS#6606)
    Fixed slapo-syncprov filter race condition (ITS#6708)
    Fixed slapo-syncprov active mod race (ITS#6709)
    Fixed contrib/autogroup LDAP URI with attribute filter (ITS#6536)
    Fixed contrib/nssov to only close socket on shutdown (ITS#6676)
    Fixed contrib/nssov multi platform support (ITS#6604)
    Build Environment
      Added support for [unsigned] long long (ITS#6622)
      Fixed slapd-tester EOF handling (ITS#6723)
      Fixed slapd-tester filter initialization (ITS#6735)
    Documentation
      admin24 guide typo fixes (ITS#6609)
      ldap_open(3) document ldap_set_urllist_proc (ITS#6601)

  Berkeley DB:
    No changes

  OpenSSL:
    Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. (CVE-2010-4180)
    Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. (CVE-2010-4252)
    Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. (CVE-2010-3864)
    Fix for double free bug in ssl/s3_clnt.c (CVE-2010-2939)
    Don't reencode certificate when calculating signature: cache and use the original encoding instead. This makes signature verification of some broken encodings work correctly.
    ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs.
    Don't repeatedly append PBE algorithms to table if they already exist. Sort table on each new add. This effectively makes the table read only after all algorithms are added and subsequent calls to PKCS12_pbe_add etc are non-op.
    Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742)
    Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail.

  SASL:
    No changes

Status of this release:

    This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages.

    Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================
November 23, 2010

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.23.3

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.23
    BDB 4.8.30
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8n

Upgrade warning:

    See notes for 2.4.21.0 if upgrading from releases prior to that.
    (Upgrading anything newer requires no special action)

Known defects in this release:

    CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787)
    The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715)

Changes for this release:

  Packaging:
    Add -devel package (Symas #1067)
    Add rfc2307bis.schema (Symas #1071)

  OpenLDAP:
    Protect slapd against OpenSSL 0.9.8p trouble (Symas #1154) (CVE-2010-3864)

  Berkeley DB:
    No changes

  OpenSSL:
    No changes

  SASL:
    No changes

Status of this release:

    This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.
Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ August 3, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.23.2 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.23 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8n Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. (Upgrading anything newer requires no special action) Known defects in this release: CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: No changes OpenLDAP: Fix delta-syncrepl+ppolicy interaction, future cookie results, and chain results (Symas #979) (ITS#6606) (ITS#6607) (ITS#6608) Berkeley DB No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements, Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! 
============================================================================ July 26, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.23.1 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.23 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8n Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. (Upgrading anything newer requires no special action) Known defects in this release: CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: No changes OpenLDAP: No changes Berkeley DB No changes OpenSSL: Corrected crypto object build error under Windows SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements, Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ July 2, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.23.0 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.23 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8n Upgrade warning: See notes for 2.4.21.0 if upgrading from releases prior to that. 
(Upgrading anything newer requires no special action) Known defects in this release: CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: No changes OpenLDAP: Fixed slapd modify to return actual error (ITS#6581) Fixed slapd-bdb entry cache delete failure (ITS#6577) Fixed libldap to return server's error code (ITS#6569) Fixed libldap memleaks (ITS#6568) Fixed liblutil off-by-one with delta (ITS#6541) Fixed slapd acls with glued databases (ITS#6468) Fixed slapd syncrepl rid logging (ITS#6533) Fixed slapd modrdn handling of invalid values (ITS#6570) Fixed slapd-bdb hasSubordinates computation (ITS#6549) (Symas #932) Fixed slapd-bdb to use memcpy instead of strcpy (ITS#6474) Fixed slapd-ldap to return control responses (ITS#6530) Fixed slapo-ppolicy to use Debug (ITS#6566) Fixed slapo-refint to zero out freed DN vals (ITS#6572) Fixed slapo-rwm to use Debug (ITS#6566) Fixed slapo-sssvlv to use Debug (ITS#6566) Fixed slapo-syncprov lost deletes in refresh phase (ITS#6555) Fixed slapo-valsort to use Debug (ITS#6566) Fixed contrib/nssov network.c missing patch (ITS#6562) Build Environment Fixed test043 attribute sorting (ITS#6553) Documentation slapd-config(5) note default rootdn (ITS#6546) Changed slapd option processing under Windows to ignore registry settings when not started from the command line (i.e., not as a service) (Symas #933). Fixed URL parsing in bconfig to allow URLs that start with a drive letter (Symas #933) Berkeley DB No changes OpenSSL: No changes SASL: No changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. 
However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ May 6, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.22.0p20100506 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.22 BDB 4.8.30 Cyrus SASL 2.1.22 OpenSSL 0.9.8n Known defects in this release: CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: No changes OpenLDAP: Fixed mod.sm_numvals used before initialized (Symas #902) Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements (ITS#6435) Added slapd tools selective iterations (ITS#6442) Added slapd syncrepl TCP keepalive (ITS#6389) Added slapo-ldap idassert-passthru (ITS#6456) Added slapo-pbind Fixed libldap gmtime re-entrancy (ITS#6262) Fixed libldap gssapi off by one error (ITS#6223) Fixed libldap GnuTLS serial length (ITS#6460) Fixed libldap MozNSS context and PEM support (ITS#6432) Fixed libldap referral on bind behavior (ITS#6510) Fixed slapd acl non-entry internal searches (ITS#6481) Fixed slapd acl attrval style initialization (ITS#6520) Fixed slapd certificateListValidate (ITS#6466) Fixed slapd empty URI parsing (ITS#6465) Fixed slapd glued misplaced entries (ITS#6506) Fixed slapd glued paged cookies (ITS#6507) Fixed slapd glued paged results (ITS#6504) Fixed slapd gmtime re-entrancy (ITS#6262) Fixed slapd to ignore 
controls with unrecognized flags (ITS#6480) Fixed slapd entry ownership (ITS#5340) Fixed slapd sasl auxprop_lookup (ITS#6441) Fixed slapd sasl auxprop ssf (ITS#5195) Fixed slapd syncrepl for attributes with no matching rule (ITS#6458) Fixed slapd syncrepl for unknown attrs and delta-sync (ITS#6473) Fixed slapd syncrep loop with moddn (ITS#6472) Fixed slapo-accesslog to not replicate internal purges (ITS#6519) Fixed slapd-bdb contextCSN updates from updatedn (ITS#6469) Fixed slapd-bdb lockobj zeroing (ITS#6501) Fixed slapd-ldap/meta control criticality (ITS#6523) Fixed slapd-ldap/meta with ordered values (ITS#6516) Fixed slapo-collect entry ownership (ITS#5340,ITS#6423) Fixed slapo-dds with NULL backend (ITS#6490) Fixed slapo-dynlist entry ownership (ITS#5340,ITS#6423) Fixed slapo-memberof attr count (ITS#6508) Fixed slapo-pcache to release its own entries (ITS#6484) Fixed slapo-pcache with NULL backend (ITS#6490) Fixed slapo-rwm entry release handling (ITS#6484) Fixed slapo-rwm memory handling with rewrites (ITS#6526) Fixed slapo-rwm olcRwmMap handling (ITS#6436) Fixed slapo-rwm entry ownership (ITS#5340,ITS#6423) Fixed slapo-syncprov memory leak (ITS#6459) Fixed slapo-translucent counter increment (ITS#6497) Fixed slapo-valsort entry ownership (ITS#5340,ITS#6423) Fixed contrib/sha2 adds mechs for more hashes (ITS#6433) Fixed contrib/nssov to use nss-pam-ldapd (ITS#6488) Build Environment Added back-ldif, back-null test support (ITS#5810) Documentation admin24 avoid explicit moduleload statements (ITS#6486) admin24 broken link fixes (ITS#6493,ITS#6515) slapd.access(5) val.regex explanation (ITS#5804) Berkeley DB: Limit the size of a log record generated by freeing pages from a database so it fits in the log file size. [#17313] Fixed a bug that could cause a file to be removed if it was both the source and target of two renames within a transaction. [#18069] Modified how we go about selecting a usable buffer in the cache. 
Place more emphasis on single version and obsolete buffers. [#18114] Fixed a bug that could lead to btree structure corruption if the db->compact method runs out of locks. [#18361] Allow any file to be truncated even if it's not a db file. [#18373] Avoid a segmentation fault error if the lock manager runs out of locks. [#18428] Add dbreg close records for open but missing databases during recovery. [#18459] Fixed a bug where populating a SecondaryDatabase on open could lead to an OutOfMemoryException. [#18529] Fixed a bug where entries in the db register file did not get cleared out properly after recovery takes place. This will permit a process to perform a dbenv->close and then reconnect to environment without needing to stop the process. [#18535] OpenSSL: No Changes SASL: No Changes Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================ April 13, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.21.2 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.21 BDB 4.8.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8n ============== *** Upgrade Alert *** See the Upgrade alert included in the Release Notes for version 2.4.21.0 concerning compatibility with previous versions of Symas OpenLDAP 2.4. 
============== Known defects in this release: CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: No changes OpenLDAP: Fixed assert in slaptools under Windows (Symas #865) Fixed assert error in rwm ITS#6484 (Symas #807) Fixed db_sql not in package (Symas #792) Fixed solserver script doesn't handle USER and GROUP settings from config file (Symas #806) Added delete and archive support to slapo-homedir (Symas #738) Added HPOV overlays (Symas #827) Fixed back-ldap+rwm+pcache core dump (Symas #858, ITS#6484) Fixed back-bdb/hdb uninit lock DBT (Symas #844, ITS#6501) Berkeley DB: No changes OpenSSL: Upgrade to 0.9.8n; CFB cipher definition fixes. Fix security issues CVE-2010-0740 and CVE-2010-0433. Cipher definition fixes. Workaround for slow RAND_poll() on some WIN32 versions. Remove MD2 from algorithm tables. SPKAC handling fixes. Support for RFC5746 TLS renegotiation extension. Compression memory leak fixed. Compression session resumption fixed. Ticket and SNI coexistence fixes. Many fixes to DTLS handling. Temporary work around for CVE-2009-3555: disable renegotiation. SASL: No Changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Because this release contains so many changes, we suggest that upgraders spend a little more time than usual testing this release before putting it into production. 
Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ January 19, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.21.1 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.21 BDB 4.8.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k ============== *** Upgrade Alert *** See the Upgrade alert included in the Release Notes for version 2.4.21.0 concerning compatibility with previous versions of Symas OpenLDAP 2.4. ============== Known defects in this release: The homedir overlay is experimental (Symas #738) CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) Changes for this release: Packaging: Fixed db_sql not in package (Symas #792) Fixed exampledb.sh problem that could cause it to not find slapd and then to exit (Symas #791) Most silver releases will only contain 32-bit versions of Symas OpenLDAP. OpenLDAP: Fixed lockup problem on MacOS X 10.5 32-bit build (Symas #796) Berkeley DB: No changes OpenSSL: No changes SASL: No Changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages. Because this release contains so many changes, we suggest that upgraders spend a little more time than usual testing this release before putting it into production. 
Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ January 14, 2010 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.21.0 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.21 BDB 4.8.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k ============== *** Upgrade Alert *** Berkeley Database: The Berkeley database in this release has been updated from version 4.6.26 to version 4.8.26 in order to correct a defect that may cause server deadlocks under heavy loads. As a result, when upgrading from earlier versions of Symas OpenLDAP to this one, it is necessary to unload all LDAP databases with slapcat and reload them with slapadd. Replication functionality between this and earlier versions of Symas OpenLDAP is unaffected, so multi-server upgrades can take place incrementally. ISA-Specific directories: The use of ISA-specific subdirectories (i.e., sparcv9) has been changed in this release. This means a manual edit of certain configuration files may be necessary when upgrading to this or a later version of Symas OpenLDAP. Specifically, the location of slapd backends and overlays in 64-bit releases has been corrected and so must be changed in existing slapd.conf files. Platforms affected by the change include: Solaris 64-bit AIX 64-bit HP-UX 64-bit In /opt/symas/etc/slapd.conf: Change the 'modulepath' directive to contain the correct path to the backend and overlays directory. For example, in 64-bit Solaris this will change from /opt/symas/lib/sparcv9/openldap to /opt/symas/lib/openldap/sparcv9. Because this release contains so many changes, we suggest that you spend a little more time than usual testing this release before putting it into production. 
============== Known defects in this release: The homedir overlay is experimental (Symas #738) CA.pl and c_rehash may not have the correct path to perl interpreter if installed from the symas-openldap-client package (Symas #787) The version number that is reported for Symas OpenLDAP by the Solaris pkginfo command is incorrect for Solaris platforms (Symas #715) db_sql utility is not included (Symas #792) Changes for this release (lots): Packaging: Heimdal Kerberos is now a separate optional package, and is available only for certain platforms Berkeley DB has been updated to version 4.8.26 The symas-openldap-devel package is temporarily unavailable The symas-openldap-source package is now available in a different area of the download portal. Some platforms now include both 32- and 64- bit packages Some platforms now include non-optimized builds to aid in finding problems. These builds are to be used when indicated by Symas support staff. Fixed des_modes.7 duplicate packaging error (Symas#644) Fixed exampledb.sh problem that could cause it to not find slapd and then to exit (Symas #791) OpenLDAP: No changes, but be sure and check the notes for intervening releases since the last production release Berkeley DB: Update to Berkeley DB 4.8.26 The html info pages for the db_* commands are now located in /opt/symas/doc/api_reference/C (Symas #769) OpenSSL: The c_* scripts now use the packaged openssl command or the openssl command pointed to by the OPENSSL environment variable, if set (Symas #717) Fixed CA.pl and c_rehash not being marked executable (Symas #786) Fixed perl interpreter path not being set correctly in CA.pl and c_rehash scripts during symas-openldap-server install. SASL: No Changes Status of this release: This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. 
However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements, Maintain backups of critical data and make appropriate provisions for unexpected outages. Because this release contains so many changes, we suggest that upgraders spend a little more time than usual testing this release before putting it into production. Bug reports, comments, and suggestions should be submitted to your dedicated support email address or to support@symas.com. We look forward to hearing from you! ============================================================================ December 21, 2009 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.21.0p09122113 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.21 BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k Heimdal Kerberos 1.2.1 KNOWN DEFECTS: The homedir overlay is experimental. Changes for this release: Fixed des_modes.7 duplicate packaging error (Symas#644) Fixed client tools with null timeouts (ITS#6282) Fixed slapadd to warn about missing attrs for replicas (ITS#6281) Fixed slapd acl cache (ITS#6287) Fixed slapd tools to allow -n for conversion (ITS#6258) Fixed slapd-ldap with null timeouts (ITS#6282) Fixed slapd-ldap with strong binds with relay/translucent (ITS#6296) Fixed slapd-ldif buffer overflow (ITS#6303) Fixed slapo-auditlog comments when modifying (ITS#6286) Fixed slapo-dynlist lock leak (ITS#6308) Fixed slapo-pcache cache corruption (ITS#6242) Fixed slapo-sssvlv sort control dereferencing (ITS#6288) Fixed contrib/autogroup segfaults (ITS#6279) Fixed contrib/nssov getgroupbymembers (ITS#6291) Fixed contrib/smbk5pwd rpath linking (ITS#6323) Fixed client tools with LDAP options (ITS#6283) Fixed liblber embedded NUL values in BerValues (ITS#6353) Fixed liblber inverted LBER_USE_DER test (ITS#6348) Fixed liblber to return failure on certain failures (ITS#6344) Fixed libldap connection initialization 
(ITS#6386) Fixed libldap sasl buffer sizing (ITS#6327,ITS#6334) Fixed libldap uninitialized return value (ITS#6355) Fixed libldap unlimited timeout (ITS#6388) Added slapd handling of hex server IDs (ITS#6297) Added slapd syncrepl contextCSN storing in subentry (ITS#6373) Fixed slapd asserts in minimal environment (ITS#6361) Fixed slapd authid-rewrite parsing (ITS#6392) Fixed slapd checks of str2filter (ITS#6391) Fixed slapd configArgs initialization (ITS#6363) Fixed slapd debug handling of LDAP_DEBUG_ANY (ITS#6324) Fixed slapd db_open with connection_fake_init (ITS#6381) Fixed slapd with embedded \0 in bervals (ITS#6378,ITS#6379) Fixed slapd inclusion of ac/unistd.h (ITS#6342) Fixed slapd invalid dn log message (ITS#6309) Fixed slapd lockup on shutdown (ITS#6372) Fixed slapd onetime leak (ITS#6398) Fixed slapd RID range to be decimal only (ITS#6394) Fixed slapd sl_free to better reclaim memory (ITS#6380) Fixed slapd syncrepl deletes in MirrorMode (ITS#6368) Fixed slapd syncrepl to use correct SID (ITS#6367) Fixed slapd termination for one level DNs (ITS#6338) Fixed slapd tls_accept to retry in certain cases (ITS#6304) Fixed slapd-bdb/hdb cache corruption (ITS#6341) Fixed slapd-bdb/hdb entry cache (ITS#6360) Fixed slapd-ldap leak (ITS#6326) Fixed slapd-relay bind segfault (ITS#6337) Fixed slapo-accesslog ensure CSNs are normalized (ITS#6400) Fixed slapo-memberof operational attr updates (ITS#6329) Fixed slapo-pcache entry dupe (ITS#6310) Fixed slapo-syncprov checkpoint conversion (ITS#6370) Fixed slapo-syncprov deadlock (ITS#6335) Fixed slapo-syncprov memory leak (ITS#6376) Fixed slapo-syncprov out of order changes (ITS#6346) Fixed slapo-syncprov psearch with stale cookie (ITS#6397) Fixed liblutil for negative microsecond offsets (ITS#6405) Fixed slapd global settings to work without restart (ITS#6428) Fixed slapd looping with SSL/TLS connections (ITS#6412) Fixed slapd syncrepl freeing tasks from queue (ITS#6413) Fixed slapd syncrepl parsing of tls defaults 
(ITS#6419) Fixed slapd syncrepl uninitialized variables (ITS#6425) Fixed slapd-config Adds with Abstract classes (ITS#6408) Fixed slapo-dynlist behavior with simple filters (ITS#6421) Fixed slapd-ldif access outside database directory (ITS#6414) Fixed slapd-null extraneous assert (ITS#6403) Fixed slapo-translucent with back-null (ITS#6403) Fixed slapo-unique criteria checking (ITS#6270) Added slapo-homedir in add-only mode (Symas#738) Build Environment Fixed --enable-deref support (ITS#6311) Fixed contrib/autogroup default libtool path (ITS#6284) Deleted nadf.schema (ITS#6140) Added additional operations for ITS#6332 Fixed memrchr define (ITS#6351) Fixed slapd MAXPATHLEN handling (ITS#6342) Added test050 rapid add/mod/del sequence (ITS#6368) Fixed test057 handling of memberof/refint (ITS#6343) Fixed slapd test error ignoring (ITS#6345) Fixed liblutil constant (ITS#5909) Deleted broken LBER_INVALID macro (ITS#6402) Fixed test058 kill usage (ITS#6420) Fixed meta regression test (ITS#6418) Documentation admin24 fix RFC4511 and other references (ITS#6399) ldap_get_dn(3) typos (ITS#5366) ldap.conf(5) clarify comment usage (ITS#6384) slapd.conf(5) note hex server IDs (ITS#6297) slapd-config(5) note hex server IDs (ITS#6297) slapd-meta(5) Note deprecated functions (ITS#6424) admin24 fix set example for group of groups (ITS#6382) admin24 fix dynamic group documentation (ITS#6290) ============================================================================ September 1, 2009 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.18p09090100 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.18pre BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k Heimdal Kerberos 1.2.1 KNOWN DEFECTS: Kerberos is not fully tested or supported. k5start and k5renew are not correctly linked. The sssvlv overlay is experimental and mostly untested. Please try and tell us what breaks! 
Changes for this release: Fixed client tools common options (ITS#6049) Fixed liblber speed and other problems (ITS#6215) Added libldap MozNSS PEM support (ITS#6278) Added libldap option for SASL_USERNAME (ITS#6257) Fixed libldap error parsing (ITS#6197) Fixed libldap native getpass usage (ITS#4643) Fixed libldap tls_check_hostname for OpenSSL and MozNSS (ITS#6239) Added slapd tcp buffers support (ITS#6234) Fixed slapd allow mirrormode to be set to FALSE (ITS#5946) Fixed slapd certificate list parsing (ITS#6241) Fixed slapd writers blocking (ITS#6276) Fixed slapd dncachesize behavior to unlimited by default (ITS#6222) Fixed slapd incorrectly applying writetimeout when not set (ITS#6220) Fixed slapd with duplicate empty lines for olcDbConfig (ITS#6240) Fixed slapd server URL matching (ITS#5942) Fixed slapd subordinate needs a suffix (ITS#6216) Fixed slapd syncrepl decrement on possible NULL value (ITS#6256) Fixed slapd tools to properly close database (ITS#6214) Fixed slapd uninitialized SlapReply components (ITS#6101) Fixed slapd-meta starttls with targets (ITS#6190) Fixed slapd-monitor stats with glued subordinates (ITS#6243) Fixed slapd-ndb startup (ITS#6203) Fixed slapd-relay various issues (ITS#6133) Fixed slapd-relay response/cleanup callback mismatch (ITS#6154) Fixed slapd-sql with baseObject query (ITS#6172) Fixed slapd-sql with empty attribute (ITS#6163) Fixed slapo-dynlist uninitialized var (ITS#6266) Fixed slapo-pcache multiple enhancements (ITS#6152,ITS#5178) Fixed slapo-ppolicy updating operational attributes (ITS#6265) Fixed slapo-translucent attribute return (ITS#6254) Fixed slapo-translucent filter matching (ITS#6255) Fixed slapo-translucent to honor sizelimit (ITS#6253) Fixed slapo-unique filter matching (ITS#6077) Fixed tools off by one error (ITS#6233) Fixed tools resource leaks (ITS#6145) Added contrib/allowed (ITS#4730) Fixed contrib/autogroup with RE24 (ITS#6227) Fixed contrib/nss symbols (ITS#6273) Build Environment Tests note which backend is 
being tested (ITS#5810) Fixed test056-monitor with custom ports (ITS#6213) Documentation admin24 fix broken link (ITS#6264) ldap_open(3) document URI (ITS#6261) Status of this release: This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================ August 18, 2009 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.17p09081821 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.17 BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k Heimdal Kerberos 1.2.1 KNOWN DEFECTS: Kerberos is not fully tested or supported. k5start and k5renew are not correctly linked. The sssvlv overlay is experimental and mostly untested. Please try and tell us what breaks! Changes for this release: Fixed slapo-sssvlv to be loadable (Symas#601) ============================================================================ August 7, 2009 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.17p09080715 (Developer Prerelease) This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.17 BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8k Heimdal Kerberos 1.2.1 KNOWN DEFECTS: Kerberos is not fully tested or supported. k5start and k5renew are not correctly linked. MySQL and the Back-NDB clustering backend are not available on 32bit systems. The sssvlv overlay is experimental and mostly untested. Please try and tell us what breaks! 
Changes for this release: Fixed default permissions on /var/symas/run (Symas#526) Added SLAPD_CONF_FILE config option in symas-openldap.conf (Symas#527) Fixed various solserver script errors (Symas#528) Updated Heimdal Kerberos to 1.2.1 (Symas#314) Removed experimental serversort overlay (Symas#601) Added slapo-sssvlv (server side sort virtual list views) (Symas#601) Fixed liblber to use ber_strnlen (ITS#6080) Fixed libldap gnutls private key init (ITS#6053) Fixed libldap openssl digest initialization (ITS#6192) Fixed libldap tls NULL error messages (ITS#6079) Fixed liblutil opendir/closedir on windows (ITS#6041) Fixed liblutil for _GNU_SOURCE (ITS#5464,ITS#5666) Added slapd sasl auxprop support (ITS#6147) Added slapd schema checking tool (ITS#6150) Added slapd writetimeout keyword (ITS#5836) Fixed slapd abandon/cancel handling for some ops (ITS#6157) Fixed slapd access setstyle to expand (ITS#6179) Fixed slapd assert with closing connections (ITS#6111) Fixed slapd bind race condition (ITS#6189) Fixed slapd cancel behavior (ITS#6137) Fixed slapd cert validation (ITS#6098) Fixed slapd connection_destroy assert (ITS#6089) Fixed slapd csn normalization (ITS#6195) Fixed slapd errno handling (ITS#6037) Fixed slapd global alloc handling (ITS#6054) Fixed slapd hung writers (ITS#5836) Fixed slapd ldapi issues (ITS#6056) Fixed slapd moduleload with static backends and modules (ITS#6016) Fixed slapd normalization of updated schema attributes (ITS#5540) Fixed slapd olcLimits handling (ITS#6159) Fixed slapd olcLogLevel with hex levels (ITS#6162) Fixed slapd pagedresults stacked control with overlays (ITS#6056) Fixed slapd password-hash incorrect limit on arg length (ITS#6139) Fixed slapd readonly restrictions (ITS#6109) Fixed slapd sending cancelled operations results (ITS#6103) Fixed slapd slapi_entry_has_children (ITS#6132) Fixed slapd sockets usage on windows (ITS#6039) Fixed slapd some abandon and cancel race conditions (ITS#6104) Fixed slapd tls context after changes 
(ITS#6135) Fixed slapd-bdb/hdb adjust dncachesize if too low (ITS#6176) Fixed slapd-bdb/hdb crashes during delete (ITS#6177) Fixed slapd-bdb/hdb multiple olcIndex for same attr (ITS#6196) Fixed slapd-hdb freeing of already freed entries (ITS#6074) Fixed slapd-hdb entryinfo cleanup (ITS#6088) Fixed slapd-hdb dncache lockups (ITS#6095) Fixed slapd-ldap deadlock with non-responsive TLS URIs (ITS#6167) Fixed slapd-relay to return failure on failure (ITS#5328) Fixed slapd-sql with BACKSQL_ARBITRARY_KEY defined (ITS#6100) Fixed slapo-collect collectinfo ordering (ITS#6076) Fixed slapo-collect missing equality match rule (ITS#6075) Fixed slapo-dds entry expiration (ITS#6169) Fixed slapo-perl symbols (ITS#5658) Fixed slapo-ppolicy to honor pwdLockout (ITS#6168) Fixed slapo-ppolicy to return check modules error message (ITS#6082) Fixed slapo-refint refint_repair handling (ITS#6056) Added slapo-rwm rwm-drop-unrequested-attrs config option (ITS#6057) Fixed slapo-rwm dn passing (ITS#6070) Fixed slapo-rwm entry free (ITS#6058) Fixed slapo-rwm entry release (ITS#6081) Fixed slapo-translucent entry gathering (ITS#6156) Fixed tools returning ldif errors (ITS#5892) Fixed contrib/smbk5pwd use of private functions (ITS#5535) Build Environment Added test056-monitor (ITS#5540) Added test057-memberof-refint (ITS#5395) Fixed winsock detection for windows (ITS#6102, ITS#6078) Removed GSSAPI configure option (ITS#6091,ITS#6092,ITS#6093,ITS#5369) Documentation admin24 relocate configuration examples (ITS#6183) admin24 fixed example regex (ITS#6052) admin24 removed temporary back-monitor note (ITS#6130) admin24 slapd.conf to cn=config conversion process (ITS#6060) man page consistency fixes (ITS#6023) ldapcompare(1) note -e option (ITS#6107) ldapdelete(1) note -e option (ITS#6107) ldapmodify(1) note -e option (ITS#6107) ldapmodrdn(1) note -e option (ITS#6107) ldapsearch(1) output format description (ITS#6146) ldapurl(1) note -e option (ITS#6107) ldapwhoami(1) note -e option (ITS#6107) 
    ldap_result(3) Add RETURN VALUE heading (ITS#6180)
    ldap.conf(5) improve sizelimit/timelimit limits (ITS#6127)
    slapd.access(5) Fix to use expand (ITS#6179)
    slapd.conf(5) document default modulepath (ITS#5829)
    slapd.conf(5) pidfile/argsfile description fix (ITS#5975)
    slapd-config(5) document default modulepath (ITS#5829)
    slapd-config(5) pidfile/argsfile description fix (ITS#5975)
    slapo-constraint(5) clarify URI example (ITS#6118)
    slapo-unique(5) explicitly note rootdn requirement (ITS#6108)
    slapadd(8) note it does indexing (ITS#6160)

Status of this release:

This is a developer pre-release and is made available for experimental testing purposes. It contains known defects and should not be considered fully operational for production purposes. Please use this release only for experimental evaluation of new features on experimental data. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
============================================================================

April 15, 2009

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.16.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.16
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8k
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging:
    Changed slapd.conf.default to use back-hdb instead of back-bdb and added sample back-config (Symas #392)
    Added kstart and krenew from Stanford University

  OpenLDAP:
    Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
    Fixed libldap GnuTLS with CA chains (ITS#5991)
    Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)
    Fixed libldap segfault in checking cert/DN (ITS#5976)
    Fixed libldap peer cert double free (ITS#5849)
    Fixed libldap referral chasing (ITS#5980)
    Fixed slapd backglue with empty DBs (ITS#5986)
    Fixed slapd ctxcsn race condition (ITS#6001)
    Fixed slapd debug message (ITS#6027)
    Fixed slapd redundant module loading (ITS#6030)
    Fixed slapd schema_init freed value (ITS#6036)
    Fixed slapd syncrepl newCookie sync messages (ITS#5972)
    Fixed slapd syncrepl hang during shutdown (ITS#6011)
    Fixed slapd syncrepl too many MMR messages (ITS#6020)
    Fixed slapd syncrepl skipped entries with MMR (ITS#5988)
    Fixed slapd-bdb/hdb cachesize handling (ITS#5860)
    Fixed slapd-bdb/hdb with slapcat with empty dn (ITS#6006)
    Fixed slapd-bdb/hdb with NULL transactions (ITS#6012)
    Fixed slapd-ldap incorrect referral handling (ITS#6003,ITS#5916)
    Fixed slapd-ldap/meta with broken AD results (ITS#5977)
    Fixed slapd-ldap/meta with invalid attrs again (ITS#5959)
    Fixed slapo-accesslog interaction with ppolicy (ITS#5979)
    Fixed slapo-dynlist conversion to cn=config (ITS#6002)
    Fixed slapo-syncprov newCookie sync messages (ITS#5972)
    Fixed slapd-syncprov too many MMR messages (ITS#6020)
    Fixed slapo-syncprov replica lockout (ITS#5985)
    Fixed slapo-syncprov modtarget tracking (ITS#5999)
    Fixed slapo-syncprov multiple CSN propagation (ITS#5973)
    Fixed slapo-syncprov race condition (ITS#6045)
    Fixed slapo-syncprov sending cookies without CSN (ITS#6024)
    Fixed slapo-syncprov skipped entries with MMR (ITS#5988)
    Fixed tools passphrase free (ITS#6014)
    admin24 clarified MMR URI requirements (ITS#5942,ITS#5987)
    Added ldapexop(1) manual page (ITS#5982)
    slapd-ldap/meta(5) added missing TLS options (ITS#5989)
    Fixed libldap alias dereferencing in C API again (ITS#5916)
    Fixed libldap GnuTLS compilation (ITS#5955)
    Fixed slapd bconfig conversion again (ITS#5346)
    Fixed slapd behavior with superior objectClasses again (ITS#5517)
    Fixed slapd RFC4512 behavior with same attr in RDN (ITS#5968)
    Fixed slapd corrupt contextCSN (ITS#5947)
    Fixed slapd syncrepl order to match on add/delete (ITS#5954)
    Fixed slapd adding rdn with other values (ITS#5965)
    Fixed slapd-bdb/hdb behavior with unallocatable shm (ITS#5956)
    Fixed slapd-ldap/meta with entries with invalid attrs (ITS#5959)
    Fixed slapd-relay control initialization (ITS#5724)
    Fixed slapo-pcache caching invalid entries (ITS#5927)
    Fixed slapo-syncprov csn updates (ITS#5969)
    Fixed slapo-rwm objectClass preservation (ITS#5760)
    Fixed slapo-rwm rwm_bva_rewrite handling (ITS#5960)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL:
    Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789)
    Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591)
    Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590)
    Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level.
    Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures.
    Improve efficiency of mem_gets: don't search whole buffer each time for a '\n'
    New -hex option for openssl rand.
    Print out UTF8String and NumericString when parsing ASN1.
    Support NumericString type for name components.
    Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler.

  SASL: No changes

Status of this release:

This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

February 27, 2009

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.14.0 (Unreleased)

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.14 + Updates
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8j
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging: Changed the solserver init script to respect changes to PID_FILE and other options (Symas #305)

  OpenLDAP:
    Fixed crasher in back-ldap when a search is interrupted (Symas #366)
    Fixed problem with back-ldap when AD returns duplicate attribute values (AD) (Symas #365, ITS #5977)
    Fixed pcache and back-meta assertion with Active Directory (Symas #325, ITS #5959, ITS #5927)
    Added libldap option to disable SASL host canonicalization (ITS#5812)
    Added libldap TLS_PROTOCOL_MIN (ITS#5655)
    Added libldap GnuTLS support for TLS_CIPHER_SUITE (ITS#5887)
    Added libldap GnuTLS setting random file (ITS#5462)
    Added libldap alias dereferencing in C API (ITS#5916)
    Fixed libldap chasing multiple referrals (ITS#5853)
    Fixed libldap deref handling (ITS#5768)
    Fixed libldap NULL pointer deref (ITS#5934)
    Fixed libldap peer cert memory leak (ITS#5849)
    Fixed libldap interaction with GnuTLS CN IP-based matches (ITS#5789)
    Fixed libldap intermediate response behavior (ITS#5896)
    Fixed libldap IPv6 address handling (ITS#5937)
    Fixed libldap_r deref building (ITS#5768)
    Fixed libldap_r slapd lockup when paused during shutdown (ITS#5841)
    Added slapd syncrepl default retry setting (ITS#5825)
    Added slapd val.regex expansion (ITS#5804)
    Added slapd TLS_PROTOCOL_MIN (ITS#5655)
    Added slapd slapi_pw_find (ITS#2615,ITS#4359)
    Added slapd compatibility with MSAD ranged values (ITS#5927)
    Fixed slapd bconfig to return error codes (ITS#5867)
    Fixed slapd bconfig encoding incorrectly (ITS#5897)
    Fixed slapd bconfig dangling pointers (ITS#5924)
    Fixed slapd behavior with superior objectClasses (ITS#5517)
    Fixed slapd connection assert (ITS#5835)
    Fixed slapd epoll handling (ITS#5886)
    Fixed slapd frontend/backend options handling (ITS#5857)
    Fixed slapd glue with MMR (ITS#5925)
    Fixed slapd logging on Windows (ITS#5392)
    Fixed slapd listener comparison (ITS#5613)
    Fixed slapd manageDSAit with glue entries (ITS#5921)
    Fixed slapd syncrepl rename handling (ITS#5809)
    Fixed slapd syncrepl MMR when adding new server (ITS#5850)
    Fixed slapd syncrepl MMR with deleted entries (ITS#5843)
    Fixed slapd syncrepl replication with glued DB (ITS#5866)
    Fixed slapd syncrepl replication with moddn (ITS#5901)
    Fixed slapd syncrepl replication with referrals (ITS#5881)
    Fixed slapd syncrepl replication with config tree (ITS#5935)
    Fixed slapd wake_sds close on Windows (ITS#5855)
    Fixed slapd-bdb/hdb dncachesize handling (ITS#5860)
    Fixed slapd-bdb/hdb RFC4528 control support (ITS#5861)
    Fixed slapd-bdb/hdb trickle task usage (ITS#5864)
    Fixed slapd-hdb idlcache with empty suffix (ITS#5859)
    Fixed slapd-ldap idassert-bind validity checking (ITS#5863)
    Fixed slapd-ldap/meta RFC4525 increment support (ITS#5912)
    Fixed slapd-ldap/meta search dereferencing (ITS#5916)
    Fixed slapd-ldap/meta with intermediate response (ITS#5931)
    Fixed slapd-ldif numerous bugs (ITS#5408)
    Fixed slapd-ldif rename on same DN (ITS#5319)
    Fixed slapd-ldif deadlock (ITS#5329)
    Fixed slapd-meta double response sending (ITS#5854)
    Fixed slapd-meta alias deref for retry (ITS#5889)
    Fixed slapd-relay recursion detection (ITS#5943)
    Fixed slapd-sock descriptor leak (ITS#5939)
    Fixed slapo-accesslog on glued dbs (ITS#5907)
    Fixed slapo-dynlist handling of flags (ITS#5898)
    Fixed slapo-memberof multiple instantiation (ITS#5903)
    Fixed slapo-pcache filter sorting (ITS#5756)
    Fixed slapo-ppolicy to not be global (ITS#5858)
    Fixed slapo-rwm double free (ITS#5923)
    Fixed slapo-rwm with back-config (ITS#5906)
    Fixed slapo-rwm olcRwmRewrite modification (ITS#5940)
    Added slapo-rwm newRDN rewriting (ITS#5834)
    Added slapadd progress meter (ITS#5922)
    Updated contrib/addpartial module (ITS#5764)
    Added contrib/cloak module (ITS#5872)
    Added contrib/smbk5pwd gcrypt support (ITS#5410)
    Added contrib/passwd sha2 support (ITS#5660)
    admin24 added limits chapter (ITS#5818)
    admin24 access-control clarify global ACLS (ITS#5851,ITS#5852)
    admin24 search on nested naming contexts (ITS#5788)
    admin24 consistent loglevel documentation (ITS#5904)
    slapd-bdb/hdb expansion on dncachesize behavior (ITS#5721)
    slapo-constraint(5) example fix (ITS#5895)
    slap*(8) man pages should mention slapd-config (ITS#5828)
    slapacl(8c) fix wording (ITS#5918)
    slapd(8) document sid (ITS#5873)
    slapd.access(5) clarify global ACLS (ITS#5851,ITS#5852)
    slapadd/cat/index(8) note -n 0 for slapd-config (ITS#5891)
    Added SEE ALSO slapd-config(5) to relevant man pages (ITS#5914)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL: No changes

  SASL: No changes

Status of this release:

This release is still in development and is not ready for general use.
As is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

January 31, 2009

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.13.0 (Unreleased)

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.13
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8j
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging: Back-hdb added to Silver edition (Symas #316)

  OpenLDAP:
    Added server side sort overlay (Symas #313)
    Added slapadd progress bar (Symas #18)
    Fixed pcache filter sorting (Symas #318)
    Added libldap dereference control support (ITS#5768)
    Fixed libldap parameter checking (ITS#5817)
    Fixed liblutil hex conversion (ITS#5699)
    Fixed liblutil returning undefined data (ITS#5748)
    Fixed libldap error code return (ITS#5762)
    Fixed libldap interaction with GnuTLS CN IP-based matches (ITS#5789)
    Fixed libldap MAXHOSTNAMELEN typo (ITS#5815)
    Fixed libldap IPv6 detection (ITS#5739)
    Fixed libldap setuid usage with .ldaprc (ITS#4750)
    Fixed slapacl crasher (ITS#5820)
    Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
    Fixed slapd acl application to newly created backends (ITS#5572)
    Fixed slapd #if/#elif issues in thread includes (ITS#5824)
    Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
    Fixed slapd concurrent access to connections (ITS#5814)
    Fixed slapd config backend olcLogFile support (ITS#5765)
    Fixed slapd contextCSN pending list (ITS#5709)
    Fixed slapd control criticality (ITS#5785)
    Added slapd dn.this search limits (ITS#5734)
    Fixed slapd error status on shutdown (ITS#5745)
    Fixed slapd filter substring handling (ITS#5803)
    Fixed slapd nameUIDPretty bitstring parsing (ITS#5750)
    Fixed slapd null termination of password (ITS#5794)
    Fixed slapd overlay/database open with real structure (ITS#5724)
    Fixed slapd parsing of read entry control (ITS#5741)
    Added slapd PMI schema (ITS#5695)
    Added slapd private databases in global overlays (ITS#5735,ITS#5736)
    Fixed slapd rdn generation when it isn't specified (ITS#5819)
    Fixed slapd slapd.conf validation to LDIF (ITS#5755)
    Fixed slapd startup scan for CSN (ITS#5640)
    Fixed slapd statslog printing of released entry (ITS#5775)
    Added slapd support for certificateListExactMatch (ITS#5700)
    Fixed slapd syncrepl event loss (ITS#5710)
    Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781)
    Fixed slapd syncrepl rename handling (ITS#5809)
    Fixed slapd syncrepl schema checking (ITS#5798)
    Fixed slapd syncrepl filter leak (ITS#5826)
    Fixed slapd undef promote (ITS#5783,ITS#5795)
    Added slapd What failed? control (ITS#5784)
    Fixed slapd-bdb/hdb invalid db crash (ITS#5698)
    Added slapd-bdb/hdb dbpagesize keyword
    Added slapd-bdb/hdb checksum keyword
    Fixed slapd-bdb/hdb indexing of entryDN (ITS#5790)
    Fixed slapd-bdb/hdb lookup of entryDN with equality (ITS#5791)
    Fixed slapd-bdb/hdb uninitialized bli_flag
    Fixed slapd-ldap snprintf buffer overflow test (ITS#4467)
    Fixed slapd-ldap search stop on minor failure (ITS#5816)
    Fixed slapd-ldif file rename on windows (ITS#5774)
    Fixed slapd-null read controls support (ITS#5757)
    Fixed slapd-sql value length with right index (ITS#5779)
    Fixed slapo-chain/translucent back-config support (ITS#5736)
    Fixed slapo-chain segv with search references (ITS#5742)
    Fixed slapo-collect compile with C89 (ITS#5747)
    Added slapo-constraint support for LDAP URI constraints (ITS#5704)
    Added slapo-constraint support for constraining rename (ITS#5703)
    Added slapo-constraint support for relax control (ITS#5705)
    Added slapo-constraint "set" type (ITS#5702)
    Fixed slapo-constraint filter parsing error (ITS#5751)
    Added slapo-dynlist URI restriction ability (ITS#5761)
    Fixed slapo-ppolicy unaligned BerElement (ITS#5770)
    Fixed slapo-rwm objectClass preservation (ITS#5760)
    Fixed slapo-rwm rewriting undefined filter (ITS#5731)
    Fixed slapo-rwm rewritten DN-valued attrs (ITS#5772)
    Fixed slapo-rwm reusing freed filter (ITS#5732)
    Fixed slapo-rwm entry get (ITS#5773)
    Fixed slapo-syncprov runqueue removal (ITS#5776)
    Fixed slapo-syncprov unreplicatable ops (ITS#5709)
    Fixed slapo-syncprov psearch leak (ITS#5827)
    Added slapo-translucent try local bind when remote fails (ITS#5656)
    Added slapo-translucent support for PasswordModify exop (ITS#5656)
    Fixed tools simple bind without SASL (ITS#5753)
    Fixed tools unaligned BerElement (ITS#5770)
    Fixed contrib nssov crash on empty groups (ITS#5800)
    Fixed contrib nssov crash with nssov-map (ITS#5801)
    Fixed contrib nssov filter and search limits (ITS#5802)
    Added contrib smbk5pwd honor principal expiration (ITS#5766)
    Added ldapurl command
    Added slapd GSSAPI refactoring (ITS#5369)
    Added slapo-deref overlay (ITS#5768)
    admin24 added olcLimits to example (ITS#5746)
    admin24 consolidated on whitespace (ITS#5759)
    slapd.conf,config(5) subordinate/olcSubordinate keyword (ITS#5788)
    slapd.conf(5) fixed disable keyword for limits (ITS#5821)
    slapo-dds(5) manageDIT to relax (ITS#5780)
    slapo-dds(5) rootdn requirement added (ITS#5811)
    slapo-syncprov(5) sessionlog clarification (ITS#5806)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL:
    Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077).
    Enable TLS extensions by default.
    Use correct exit code if there is an error in dgst command.
    Set the comparison function in v3_addr_canonize().
    Add support for XMPP STARTTLS in s_client.
    Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.)
    Fix a state transition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
    The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c.
    Various precautionary measures:
      - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
      - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.)
      - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range.
      - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds.
    Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros.
    Add support for Local Machine Keyset attribute in PKCS#12 files.
    Expand ENGINE to support engine supplied SSL client certificate functions.
    Fix bug in X509_ATTRIBUTE creation: don't set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certificate requests and PKCS#12 files.
    Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a client crash as found using the Codenomicon TLS test suite (CVE-2008-1672)
    Fix double free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
    Clear error queue in SSL_CTX_use_certificate_chain_file(). Clear the error queue to ensure that error entries left from older function calls do not interfere with the correct operation.
    Remove root CA certificates of commercial CAs: The OpenSSL project does not recommend any specific CA and does not have any policy with respect to including or excluding any CA. Therefore it does not make any sense to ship an arbitrary selection of root CA certificates with the OpenSSL software.
    RSA OAEP updates to fix two separate invalid memory reads. The first one involves inputs when 'lzero' is greater than 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes before the beginning of from). The second one involves inputs where the 'db' section contains nothing but zeroes (there is a one-byte invalid read after the end of 'db').
    Add TLS session ticket callback. This allows an application to set TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed values. This is useful for key rollover for example where several key sets may exist with different names.
    Reverse ENGINE-internal logic for caching default ENGINE handles. This was broken until now in 0.9.8 releases, such that the only way a registered ENGINE could be used (assuming it initialises successfully on the host) was to explicitly set it as the default for the relevant algorithms. This is in contradiction with 0.9.7 behaviour and the documentation. With this fix, when an ENGINE is registered into a given algorithm's table of implementations, the 'uptodate' flag is reset so that auto-discovery will be used next time a new context for that algorithm attempts to select an implementation.
    Update the GMP engine glue to do direct copies between BIGNUM and mpz_t when openssl and GMP use the same limb size. Otherwise the existing "conversion via a text string export" trick is still used.
    Zlib compression BIO. This is a filter BIO which compresses and uncompresses any data passed through it.
    Add AES_wrap_key() and AES_unwrap_key() functions to implement RFC3394 compatible AES key wrapping.
    Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): sets string data without copying. X509_ALGOR_set0() and X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) data. Attribute function X509at_get0_data_by_OBJ(): retrieves data from an X509_ATTRIBUTE structure optionally checking it occurs only once. ASN1_TYPE_set1(): set an ASN1_TYPE structure copying supplied data.
    Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior.
    Implement certificate status request TLS extension defined in RFC3546. A client can set the appropriate parameters and receive the encoded OCSP response via a callback. A server can query the supplied parameters and set the encoded OCSP response in the callback. Add simplified examples to s_client and s_server.

  SASL: Fixed problem where sasldb was still picking up bdb 4.2 if it was pre-existing on a platform.

Status of this release:

This release is still in development and is not ready for general use. As is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

October 28, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.12.1

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.12
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging:
    Added exampledb-krb5.sh
    Added startup script for kdc

  OpenLDAP: No changes

  Berkeley DB: No changes

  Heimdal Kerberos: Cleaned up hdb-ldap build

  OpenSSL: No changes

  SASL: No changes

Status of this release:

This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments.
However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

October 14, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.12.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.12
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging:
    Moved default location of krb5.conf to /opt/symas/etc/heimdal
    Added krb5.conf.default

  OpenLDAP:
    Fixed libldap ldap_utf8_strchar arguments (ITS#5720)
    Fixed libldap TLS_CRLFILE (ITS#5677)
    Fixed liblutil executables on Windows (ITS#5604)
    Fixed liblutil microsecond overflows on Windows (ITS#5668)
    Fixed librewrite memory handling (ITS#5691)
    Fixed slapd aci performance (ITS#5636)
    Fixed slapd aci's with sets (ITS#5627)
    Fixed slapd attribute leak (ITS#5683)
    Fixed slapd config backend with index greater than sibs (ITS#5684)
    Fixed slapd custom attribute inheritance (ITS#5642)
    Fixed slapd dynacl mask handling (ITS#5637)
    Fixed slapd firstComponentMatch normalization (ITS#5634)
    Added slapd caseIgnoreListMatch (ITS#5608)
    Fixed slapd connection events enabled twice (ITS#5725)
    Fixed slapd memory handling (ITS#5691)
    Fixed slapd objectClass canonicalization (ITS#5681)
    Fixed slapd objectClass termination (ITS#5682)
    Fixed slapd overlay control registration (ITS#5649)
    Fixed slapd runqueue checking (ITS#5726)
    Fixed slapd spurious text output (ITS#5688)
    Fixed slapd socket closing on Windows (ITS#5606)
    Fixed slapd sortvals comparison (ITS#5578)
    Added slapd substitute syntax support (ITS#5663)
    Fixed slapd syncrepl contextCSN detection (ITS#5675)
    Fixed slapd syncrepl error logging (ITS#5618)
    Fixed slapd syncrepl runqueue interval (ITS#5719)
    Fixed slapd-bdb entry return if attr not present (ITS#5650)
    Fixed slapd-bdb olcDbMode syntax (ITS#5713)
    Fixed slapd-bdb/hdb release search entries earlier (ITS#5728,ITS#5730)
    Fixed slapd-bdb/hdb subtree search with empty suffix (ITS#5729)
    Fixed slapd-dnssrv memory handling (ITS#5691)
    Fixed slapd-ldap,slapd-meta invalid filter behavior (ITS#5614)
    Fixed slapd-meta memory handling (ITS#5691)
    Fixed slapd-meta objectClass filtering (ITS#5647)
    Fixed slapd-meta quarantine behavior (ITS#5592)
    Fixed slapd-relay initialization (ITS#5643)
    Fixed slapd-sql freeing of connection (ITS#5607)
    Fixed slapd-sql fault on NULL fields (ITS#5653)
    Fixed slapo-accesslog entryCSN generation on purge (ITS#5694)
    Fixed slapo-constraint string termination (ITS#5609)
    Fixed slapo-dynlist expansion with mapped attributes (ITS#5717)
    Fixed slapo-memberof internal operations DN (ITS#5622)
    Fixed slapo-pcache attrset crash (ITS#5665)
    Fixed slapo-pcache caching with invalid schema (ITS#5680)
    Fixed slapo-ppolicy control return on password modify exop (ITS#5711)
    Fixed slapo-rwm callback cleanup (ITS#5601,ITS#5687)
    Fixed slapo-rwm attr mapping and merging (ITS#5624)
    Fixed slapo-rwm objectClass filtering (ITS#5647)
    Fixed slapo-translucent back-config support (ITS#5689)
    Fixed slapo-translucent filter usage on merged entries (ITS#5679)
    Fixed slapo-unique filter validation (ITS#5581)
    Fixed slapo-unique suffix testing (ITS#5641)
    Added slapo-collect overlay with enhancements (ITS#5659)
    Added slapd-ldap(5), slapd-meta(5) noundeffilter (ITS#5614)
    Fixed slapd-ldap(5), slapd-meta(5), slapo-pcache(5) schema requirements (ITS#5680)
    Added slapo-collect(5) man page (ITS#5706)
    Added slapo-pcache(5) proxycheckcacheability option (ITS#5680)
    Added slapo-retcode(5) retcode.conf location (ITS#5633)
    admin24 dontusecopy control update (ITS#5718)
    admin24 guide updates (ITS#5616)
    admin24 octetString fix (ITS#5670)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL: No changes

  SASL: No changes

Status of this release:

This is a production release and is made available for general use. We have tested it in our labs and in the field and we believe it is suitable for use in production environments. However, as is always the case with any software, please test it in your own environment to make sure it meets your requirements. Maintain backups of critical data and make appropriate provisions for unexpected outages.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

July 23, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.11.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.11
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging: No changes

  OpenLDAP:
    Fixed liblber ber_get_next length decoding (ITS#5580)
    Added libldap assertion control (ITS#5560)
    Fixed libldap GnuTLS CRL result handling (ITS#5577)
    Fixed libldap GnuTLS SSF computation (ITS#5585)
    Fixed liblutil missing return code (ITS#5615)
    Fixed slapd cert serial number parsing (ITS#5588)
    Fixed slapd check for structural_class failures (ITS#5540)
    Fixed slapd config backend renumbering (ITS#5571)
    Fixed slapd configContext OID (ITS#5383)
    Fixed slapd crash with no listeners (ITS#5563)
    Fixed slapd equality rules for olcRootDN/olcSchemaDN (ITS#5540)
    Fixed slapd sets memory leak (ITS#5557)
    Fixed slapd sortvals binary search (ITS#5578)
    Fixed slapd syncrepl updates with multiple masters (ITS#5597)
    Fixed slapd syncrepl superior objectClass delete/add (ITS#5600)
    Fixed slapd syncrepl/slapo-syncprov contextCSN updates as internal ops (ITS#5596)
    Added slapd-ldap/slapd-meta option to filter out search references (ITS#5593)
    Fixed slapd-meta link to slapd-ldap (ITS#5355)
    Fixed slapd-sock, back-shell buffer count (ITS#5558)
    Fixed slapo-dynlist dg attrs lookup (ITS#5583)
    Fixed slapo-dynlist entry release (ITS#5135)
    Fixed slapo-memberof replace handling (ITS#5584)
    Added slapo-nssov contrib module
    Fixed slapo-pcache handling of negative search caches (ITS#5546)
    Fixed slapo-ppolicy DNs with whitespaces (ITS#5552)
    Fixed slapo-ppolicy modify with internal ops (ITS#5569)
    Fixed slapo-syncprov ACL evaluation (ITS#5548)
    Fixed slapo-syncprov crash with delcsn (ITS#5589)
    Fixed slapo-syncprov full reload (ITS#5564)
    Fixed slapo-syncprov missing olcSpReloadHint attr (ITS#5591)
    Fixed slapo-unique filter normalization (ITS#5581)
    Fixed contrib smbk5pwd terminator (ITS#5575)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL: No changes

  SASL: No changes

Status of this release:

This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!

============================================================================

July 16, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.10.1

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.10
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging: No changes

  OpenLDAP: Fixed slapadd core dumps (ITS#5583)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL: No changes

  SASL: No changes

Status of this release:

This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
=============================================================================

June 10, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.10.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.10
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

  Packaging: Clean up problems with bdb doc files

  OpenLDAP:
    Fixed libldap file descriptor leak with SELinux (ITS#5507)
    Fixed libldap ld_defconn cleanup if it was freed (ITS#5518, ITS#5525)
    Fixed libldap msgid handling (ITS#5318)
    Fixed libldap t61 infinite loop (ITS#5542)
    Fixed libldap_r missing stubs (ITS#5519)
    Fixed slapd initialization of sr_msgid, rs->sr_tag (ITS#5461)
    Fixed slapd missing termination of integerFilter keys (ITS#5503)
    Fixed slapd multiple attrs in URI (ITS#5516)
    Fixed slapd sasl_ssf retrieval (ITS#5403)
    Fixed slapd socket assert (ITS#5489)
    Fixed slapd syncrepl cookie (ITS#5536)
    Fixed slapd-bdb/hdb MAXPATHLEN (ITS#5531)
    Fixed slapd-bdb indexing in single ADD/MOD (ITS#5521)
    Fixed slapd-ldap entry_get() op-dependent behavior (ITS#5513)
    Fixed slapd-meta quarantine crasher (ITS#5522)
    Fixed slapo-refint to allow setting modifiers name (ITS#5505)
    Fixed slapo-syncprov contextCSN passing on syncprov consumers (ITS#5488)
    Fixed slapo-syncprov csn update with delta-syncrepl (ITS#5493)
    Fixed slapo-syncprov op2.o_extra reset (ITS#5501, #5506)
    Fixed slapo-syncprov searching wrong backend (ITS#5487)
    Fixed slapo-syncprov sending ops without queued CSNs (ITS#5465)
    Fixed slapo-syncprov max csn search on startup (ITS#5537)
    Fixed slapo-unique config structs (ITS#5526)
    Fixed slapo-unique filter terminator (ITS#5511)
    Add search privileges documentation (ITS#5512)
    admin24 security document updates (ITS#5524)

  Berkeley DB: No changes

  Heimdal Kerberos: No changes

  OpenSSL: No changes

  SASL: Don't build sasldb components

Status of this release:

This is a test release and is made available for testing and experimental use only.
Symas does not recommend or endorse its use in a production setting of any type. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================= June 3, 2008 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.9.2 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.9 BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8g Heimdal Kerberos 1.1 Changes for this release: Packaging: Remove sasldb, sasldblistusers2, and saslpasswd2 OpenLDAP: No Changes Berkeley DB: No changes Heimdal Kerberos: No changes OpenSSL: No changes SASL: Don't build sasldb components Status of this release: This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! ============================================================================= May 26, 2008 Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.9.1 This release of Symas OpenLDAP contains the following component versions: OpenLDAP 2.4.9 BDB 4.6.26 Cyrus SASL 2.1.22 OpenSSL 0.9.8g Heimdal Kerberos 1.1 Changes for this release: Packaging: Add symas-openldap-gold-devel package Add symas-openldap-silver-devel package OpenLDAP: Install additional header files Berkeley DB: No changes Heimdal Kerberos: No changes OpenSSL: No changes SASL: No changes Status of this release: This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type. Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you! 
=============================================================================
May 8, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.9.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.9
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

OpenLDAP:
    Fixed libldap to use unsigned port (ITS#5436)
    Fixed libldap error message for missing close paren (ITS#5458)
    Fixed libldap_r tpool pause checks (ITS#5364, #5407)
    Fixed slapcat error checking (ITS#5387)
    Fixed slapd abstract objectClass inheritance check (ITS#5474)
    Fixed slapd add operations requiring naming attrs (ITS#5412)
    Fixed slapd connection handling (ITS#5469)
    Fixed slapd delta-syncrepl resync (ITS#5378)
    Fixed slapd frontendDB backend selection (ITS#5419)
    Fixed slapd pagedresults stale state (ITS#5409)
    Fixed slapd pointer dereference (ITS#5388)
    Fixed slapd null argument dereference (ITS#5435)
    Fixed slapd REP_ENTRY flags (ITS#5340)
    Fixed slapd sets attribute description parsing (ITS#5402)
    Fixed slapd syncrepl hang on back-config (ITS#5407)
    Fixed slapd syncrepl compare_csns crash (ITS#5413)
    Fixed slapd syncrepl contextCSN update clash (ITS#5426)
    Fixed slapd syncrepl/glue failure (ITS#5430)
    Fixed slapd syncrepl crash on empty CSN (ITS#5432)
    Fixed slapd syncrepl refreshAndPersist (ITS#5454)
    Fixed slapd syncrepl modrdn processing (ITS#5397)
    Fixed slapd syncrepl MMR partial refresh (ITS#5470)
    Fixed slapd value list termination (ITS#5450)
    Fixed slapd/slapo-accesslog rq mutex usage (ITS#5442)
    Fixed slapd-bdb ID_NOCACHE handling (ITS#5439)
    Fixed slapd-bdb entryinfo state if db_lock fails (ITS#5455)
    Fixed slapd-bdb referral rewrite (ITS#5339)
    Fixed slapd-config overlay stacking (ITS#5346)
    Fixed slapd-config attribute publishing (ITS#5383)
    Fixed slapd-ldap connection handler (ITS#5404)
    Fixed slapd-ldif file name handling & multi-suffix/dir catch (ITS#5408)
    Fixed slapd-meta connections on error (ITS#5440)
    Fixed slapd-meta crash on search (ITS#5481)
    Fixed slapo-accesslog null callback stack crash (ITS#5490)
    Fixed slapo-auditlog unnecessary syscall (ITS#5441)
    Added slapo-dynlist mapping to dynamic attrs generation (ITS#5466)
    Fixed slapo-refint dnSubtreeMatch (ITS#5427)
    Fixed slapo-refint global referential integrity (ITS#5428)
    Fixed slapo-syncprov psearch on closed connection (ITS#5401)
    Fixed slapo-syncprov psearch task delay (ITS#5405)
    Fixed slapo-syncprov psearch filter identity (ITS#5418, #5486)
    Fixed slapo-syncprov/glue contextCSN update (ITS#5433)
    Fixed slapo-syncprov/glue search ops (ITS#5434)
    Fixed slapo-syncprov null cookie (ITS#5437, #5444)
    Fixed slapo-syncprov double-free (ITS#5445)
    Fixed slapo-syncprov free syncop correctly (ITS#5484)
    Fixed slapo-syncprov glue deadlock (ITS#5451)
    Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
    Fixed slapd.meta(5) idassert-* documentation (ITS#5406)

Heimdal Kerberos:
    Cleaned up runpaths in Heimdal
    Build ldap-enabled kdc backend

Status of this release:

This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
=============================================================================
February 27, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.8.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.8
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g
    Heimdal Kerberos 1.1

Changes for this release:

Symas OpenLDAP:
    Added Heimdal Kerberos

OpenLDAP:
    Fixed ldapmodify verbose logging (ITS#5247)
    Fixed ldapdelete with sizelimit (ITS#5294)
    Fixed ldapdelete with subentries control (ITS#5293)
    Fixed ldapsearch exit code init (ITS#5317)
    Fixed libldap extended decoding (ITS#5304)
    Fixed libldap filter abort (ITS#5300)
    Fixed libldap ldap_parse_sasl_bind_result (ITS#5263)
    Fixed libldap result codes for open (ITS#5338)
    Fixed libldap search timeout crash (ITS#5291)
    Fixed libldap paged results crash (ITS#5315)
    Fixed libldap cipher suite with GnuTLS (ITS#5341)
    Fixed slapd support for 2.1 CSN (ITS#5348)
    Fixed slapd include handling (ITS#5276)
    Fixed slapd modrdn check for valid new DN (ITS#5344)
    Fixed slapd multi-step SASL binds (ITS#5298)
    Fixed slapd non-atomic signal variables (ITS#5248)
    Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
    Fixed slapd NULL printf (ITS#5264)
    Fixed slapd NULL set values (ITS#5286)
    Fixed slapd segv with SASL/OTP (ITS#5259)
    Fixed slapd timestamp race condition (ITS#5370)
    Fixed slapd cn=config crash on delete (ITS#5343)
    Fixed slapd cn=config global acls (ITS#5352)
    Fixed slapd truncated cookie (ITS#5362)
    Fixed slapd sasl with CLEARTEXT (ITS#5368)
    Fixed slapd str2entry with no attrs (ITS#5308)
    Fixed slapd TLSVerifyClient default (ITS#5360)
    Fixed slapd HAVE_TLS dependency (ITS#5379)
    Fixed slapd delta-syncrepl refresh mode (ITS#5376)
    Fixed slapd ACL sets URI attrs (ITS#5384)
    Fixed slapd invalid entryUUID filter (ITS#5386)
    Fixed slapd-bdb idlcache on adds (ITS#5086)
    Fixed slapd-bdb crash with modrdn (ITS#5358)
    Fixed slapd-bdb segv with bdb4.6 (ITS#5322)
    Fixed slapd-bdb modrdn to same dn (ITS#5319)
    Fixed slapd-bdb MMR (ITS#5332)
    Added slapd-bdb/slapd-hdb DB encryption (ITS#5359)
    Fixed slapd-ldif delete (ITS#5265)
    Fixed slapd-meta link to slapd-ldap (ITS#5355)
    Fixed slapd-meta setting of sm_nvalues (ITS#5375)
    Fixed slapd-monitor crash (ITS#5311)
    Fixed slapd-relay compare (ITS#4937)
    Added slapd-sock (ITS#4094)
    Fixed slapo-accesslog cleanup on successful response (ITS#5374)
    Added slapo-autogroup contrib module (ITS#5145)
    Added slapo-constraint cross-attribute constraints (ITS#4987)
    Fixed slapo-memberof objectClass inheritance (ITS#5299)
    Added slapo-memberof global overlay support (ITS#5301)
    Fixed slapo-memberof leak (ITS#5302)
    Fixed slapo-ppolicy only password check with policy (ITS#5285)
    Fixed slapo-ppolicy del/replace password without new one (ITS#5373)
    Fixed slapo-syncprov hang on checkpoint (ITS#5261)
    Added slapo-translucent local searching (ITS#5283)
    ldapmodify(1) clarification for RFC2849 (ITS#5312)

Status of this release:

This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!
=============================================================================
January 29, 2008

Release Notes for Symas OpenLDAP Gold and Silver, Version 2.4.7.0

This release of Symas OpenLDAP contains the following component versions:

    OpenLDAP 2.4.7
    BDB 4.6.26
    Cyrus SASL 2.1.22
    OpenSSL 0.9.8g

Changes for this release:

Symas OpenLDAP:
    This is the first release

OpenLDAP:
    Added slapd ordered indexing of integer attributes (ITS#5239)
    Fixed slapd paged results control handling (ITS#5191)
    Fixed slapd sasl-host parsing (ITS#5209)
    Fixed slapd filter normalization (ITS#5212)
    Fixed slapd multiple suffix checking (ITS#5186)
    Fixed slapd paged results handling when using rootdn (ITS#5230)
    Fixed slapd syncrepl presentlist handling (ITS#5231)
    Fixed slapd core schema 'c' definition for RFC4519 (ITS#5236)
    Fixed slapd 3-way Multi-Master Replication (ITS#5238)
    Fixed slapd hash collisions in index slots (ITS#5183)
    Fixed slapd replication of dSAOperation attributes (ITS#5268)
    Fixed slapadd contextCSN updating (ITS#5225)
    Fixed slapd-bdb/hdb to report and fail on internal errors (ITS#5232)
    Fixed slapd-bdb/hdb dn2entry lock bug (ITS#5257)
    Fixed slapd-bdb/hdb dn2id lock bug (ITS#5262)
    Fixed slapd-hdb caching on rename ops (ITS#5221)
    Fixed slapo-accesslog abandoned op cleanup (ITS#5161)
    Fixed slapo-dds deleting from nonexistent db (ITS#5267)
    Fixed slapo-memberOf deleted values saving (ITS#5258)
    Fixed slapo-pcache op->o_abandon handling (ITS#5187)
    Fixed slapo-ppolicy single password check on modify (ITS#5146)
    Fixed slapo-ppolicy internal search (ITS#5235)
    Fixed slapo-syncprov refresh and persist cookie sending (ITS#5210)
    Fixed slapo-syncprov ignore invalid cookies (ITS#5211)
    Fixed slapo-translucent interaction with slapo-rwm (ITS#4889)
    Updated contrib addpartial module (ITS#3593)
    Fixed documentation grammar errors (ITS#5223)
    Refint overlay doc contribution (ITS#5217)
    Dynamic Lists doc contribution to the admin guide (ITS#5216)
    Fixed ldappasswd(1) and ldapmodify(1) typos (ITS#5269)
    Fixed domain factor typos (ITS#5237)
    Fixed slapd.conf(5) maxderefdepth default value typo (ITS#5200)
    Clarified slapd.conf(5) limits issues in syncrepl (ITS#5243)
    Fixed slapd-config(5) maxderefdepth default value typo (ITS#5200)
    Updates for minor typos in man pages (ITS#5228)
    admin24/replication.sdf spelling (ITS#5270)

Status of this release:

This is a test release and is made available for testing and experimental use only. Symas does not recommend or endorse its use in a production setting of any type.

Bug reports, comments, and suggestions can be submitted to support@symas.com. We look forward to hearing from you!