Oracle Linux (Oracle): ELSA-2015-0416
History: Mar 09, 2015 - 12:00 a.m.

389-ds-base security, bug fix, and enhancement update

Source: Oracle (linux.oracle.com)

EPSS: 0.005 (percentile: 75.7%)

[1.3.3.1-13]

  • release 1.3.3.1-13
  • Resolves: bug 1183655 - Fixed Covscan FORWARD_NULL defects (DS 47988)

[1.3.3.1-12]

  • release 1.3.3.1-12
  • Resolves: bug 1182477 - Windows Sync accidentally cleared raw_entry (DS 47989)
  • Resolves: bug 1180325 - upgrade script fails if /etc and /var are on different file systems (DS 47991)
  • Resolves: bug 1183655 - Schema learning mechanism, in replication, unable to extend an existing definition (DS 47988)

[1.3.3.1-11]

  • release 1.3.3.1-11
  • Resolves: bug 1080186 - During delete operation do not refresh cache entry if it is a tombstone (DS 47750)

[1.3.3.1-10]

  • release 1.3.3.1-10
  • Resolves: bug 1172731 - CVE-2014-8112 password hashing bypassed when ‘nsslapd-unhashed-pw-switch’ is set to off
  • Resolves: bug 1166265 - DS hangs during online total update (DS 47942)
  • Resolves: bug 1168151 - CVE-2014-8105 information disclosure through ‘cn=changelog’ subtree
  • Resolves: bug 1044170 - Allow memberOf suffixes to be configurable (DS 47526)
  • Resolves: bug 1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions (DS 47950)
  • Resolves: bug 1153737 - logconv.pl – support parsing/showing/reporting different protocol versions (DS 47949)
  • Resolves: bug 1171355 - start dirsrv after chrony on RHEL7 and Fedora (DS 47947)
  • Resolves: bug 1170707 - cos_cache_build_definition_list does not stop during server shutdown (DS 47967)
  • Resolves: bug 1170708 - COS memory leak when rebuilding the cache (DS - Ticket 47969)
  • Resolves: bug 1170709 - Account lockout attributes incorrectly updated after failed SASL Bind (DS 47970)
  • Resolves: bug 1166260 - cookie_change_info returns random negative number if there was no change in a tree (DS 47960)
  • Resolves: bug 1012991 - Error log levels not displayed correctly (DS 47636)
  • Resolves: bug 1108881 - rsearch filter error on any search filter (DS 47722)
  • Resolves: bug 994690 - Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart (DS 47451)
  • Resolves: bug 1162997 - Running a plugin task can crash the server (DS 47451)
  • Resolves: bug 1166252 - RHEL7.1 ns-slapd segfault when ipa-replica-install restarts (DS 47451)
  • Resolves: bug 1172597 - Crash if setting invalid plugin config area for MemberOf Plugin (DS 47525)
  • Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47965)

[1.3.3.1-9]

  • release 1.3.3.1-9
  • Resolves: bug 1153737 - Disable SSL v3, by default. (DS 47928)
  • Resolves: bug 1163461 - Should not check aci syntax when deleting an aci (DS 47953)

[1.3.3.1-8]

  • release 1.3.3.1-8
  • Resolves: bug 1156607 - Crash in entry_add_present_values_wsi_multi_valued (DS 47937)
  • Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928, DS 47945, DS 47948)
  • Resolves: bug 1158804 - Malformed cookie for LDAP Sync makes DS crash (DS 47939)

[1.3.3.1-7]

  • release 1.3.3.1-7
  • Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928)

[1.3.3.1-6]

  • release 1.3.3.1-6
  • Resolves: bug 1151287 - dynamically added macro aci is not evaluated on the fly (DS 47922)
  • Resolves: bug 1080186 - Need to move slapi_pblock_set(pb, SLAPI_MODRDN_EXISTING_ENTRY, original_entry->ep_entry) prior to original_entry overwritten (DS 47897)
  • Resolves: bug 1150694 - Encoding of SearchResultEntry is missing tag (DS 47920)
  • Resolves: bug 1150695 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails. (DS 47919)
  • Resolves: bug 1139882 - Fix remaining compiler warnings (DS 47892)
  • Resolves: bug 1150206 - result of dna_dn_is_shared_config is incorrectly used (DS 47918)

[1.3.3.1-5]

  • release 1.3.3.1-5
  • Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47892)

[1.3.3.1-4]

  • release 1.3.3.1-4
  • Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47750)
  • Resolves: bug 1145846 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server (DS 47908)
  • Resolves: bug 1117979 - harden the list of ciphers available by default (phase 2) (DS 47838)
    - provide enabled ciphers as search result (DS 47880)

[1.3.3.1-3]

  • release 1.3.3.1-3
  • Resolves: bug 1139882 - coverity defects found in 1.3.3.1

[1.3.3.1-2]

  • release 1.3.3.1-2
  • Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check (DS 47748)
  • Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47834)
  • Resolves: bug 1139882 - coverity defects found in 1.3.3.1 (DS 47890)
  • Resolves: bug 1112702 - Broken dereference control with the FreeIPA 4.0 ACIs (DS 47885 - deref plugin should not return references with no access rights)
  • Resolves: bug 1117979 - harden the list of ciphers available by default (DS 47838, DS 47895)
  • Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47889 - DS crashed during ipa-server-install on test_ava_filter)

[1.3.3.1-1]

  • release 1.3.3.1-1
  • Resolves: bug 746646 - RFE: easy way to configure which users and groups to sync with winsync
  • Resolves: bug 881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn’t throw any error when server restarts.
  • Resolves: bug 920597 - Possible to add invalid ACI value
  • Resolves: bug 921162 - Possible to add nonexistent target to ACI
  • Resolves: bug 923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.
  • Resolves: bug 924937 - Attribute ‘dsOnlyMemberUid’ not allowed when syncing nested posix groups from AD with posixWinsync
  • Resolves: bug 951754 - Self entry access ACI not working properly
  • Resolves: bug 952517 - Dirsrv instance failed to start with Segmentation fault (core dump) after modifying 7-bit check plugin
  • Resolves: bug 952682 - nsslapd-db-transaction-batch-val turns to -1
  • Resolves: bug 966443 - Plugin library path validation
  • Resolves: bug 975176 - Non-directory manager can change the individual userPassword’s storage scheme
  • Resolves: bug 979465 - IPA replica’s - ‘SASL encrypted packet length exceeds maximum allowed limit’
  • Resolves: bug 982597 - Some attributes in cn=config should not be multivalued
  • Resolves: bug 987009 - 389-ds-base - shebang with /usr/bin/env
  • Resolves: bug 994690 - RFE: Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart
  • Resolves: bug 1012991 - errorlog-level 16384 is listed as 0 in cn=config
  • Resolves: bug 1013736 - Enabling/Disabling DNA plug-in throws ‘ldap_modify: Server Unwilling to Perform (53)’ error
  • Resolves: bug 1014380 - setup-ds.pl doesn’t lookup the ‘root’ group correctly
  • Resolves: bug 1020459 - rsa_null_sha should not be enabled by default
  • Resolves: bug 1024541 - start dirsrv after ntpd
  • Resolves: bug 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
  • Resolves: bug 1031216 - add dbmon.sh
  • Resolves: bug 1044133 - Indexed search with filter containing ‘&’ and ‘!’ with attribute subtypes gives wrong result
  • Resolves: bug 1044134 - should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default
  • Resolves: bug 1044135 - make connection buffer size adjustable
  • Resolves: bug 1044137 - posix winsync should support ADD user/group entries from DS to AD
  • Resolves: bug 1044138 - mep_pre_op: Unable to fetch origin entry
  • Resolves: bug 1044139 - [RFE] Support RFC 4527 Read Entry Controls
  • Resolves: bug 1044140 - Allow search to look up ‘in memory RUV’
  • Resolves: bug 1044141 - MMR stress test with dna enabled causes a deadlock
  • Resolves: bug 1044142 - winsync doesn’t sync DN valued attributes if DS DN value doesn’t exist
  • Resolves: bug 1044143 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change
  • Resolves: bug 1044144 - resurrected entry is not correctly indexed
  • Resolves: bug 1044146 - Add a warning message when a connection hits the max number of threads
  • Resolves: bug 1044147 - 7-bit check plugin does not work for userpassword attribute
  • Resolves: bug 1044148 - The backend name provided to bak2db is not validated
  • Resolves: bug 1044149 - Winsync should support range retrieval
  • Resolves: bug 1044150 - 7-bit checking is not necessary for userPassword
  • Resolves: bug 1044151 - With SELinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports
  • Resolves: bug 1044152 - ChainOnUpdate: ‘cn=directory manager’ can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised.
  • Resolves: bug 1044153 - mods optimizer
  • Resolves: bug 1044154 - multi master replication allows schema violation
  • Resolves: bug 1044156 - DS crashes with some 7-bit check plugin configurations
  • Resolves: bug 1044157 - Some updates of ‘passwordgraceusertime’ are useless when updating ‘userpassword’
  • Resolves: bug 1044159 - [RFE] Support ‘Content Synchronization Operation’ (SyncRepl) - RFC 4533
  • Resolves: bug 1044160 - remove-ds.pl should remove /var/lock/dirsrv
  • Resolves: bug 1044162 - enhance retro changelog
  • Resolves: bug 1044163 - updates to ruv entry are written to retro changelog
  • Resolves: bug 1044164 - Password administrators should be able to violate password policy
  • Resolves: bug 1044168 - Schema replication between DS versions may overwrite newer base schema
  • Resolves: bug 1044169 - ACIs do not allow attribute subtypes in targetattr keyword
  • Resolves: bug 1044170 - Allow memberOf suffixes to be configurable
  • Resolves: bug 1044171 - Allow referential integrity suffixes to be configurable
  • Resolves: bug 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules
  • Resolves: bug 1044173 - make referential integrity configuration more flexible
  • Resolves: bug 1044177 - allow configuring changelog trim interval
  • Resolves: bug 1044179 - objectclass may, must lists skip rest of objectclass once first is found in sup
  • Resolves: bug 1044180 - memberOf on a user is converted to lowercase
  • Resolves: bug 1044181 - report unindexed internal searches
  • Resolves: bug 1044183 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can’t be added
  • Resolves: bug 1044185 - dbscan on entryrdn should show all matching values
  • Resolves: bug 1044187 - logconv.pl - RFE - add on option for a minimum etime for unindexed search stats
  • Resolves: bug 1044188 - Recognize compressed log files
  • Resolves: bug 1044191 - support TLSv1.1 and TLSv1.2, if supported by NSS
  • Resolves: bug 1044193 - default nsslapd-sasl-max-buffer-size should be 2MB
  • Resolves: bug 1044194 - Complex filter in a search request doesn’t work as expected.
  • Resolves: bug 1044196 - Automember plug-in should treat MODRDN operations as ADD operations
  • Resolves: bug 1044198 - Replication of the schema may overwrite consumer ‘attributetypes’ even if consumer definition is a superset
  • Resolves: bug 1044202 - db2bak.pl issue when specifying non-default directory
  • Resolves: bug 1044203 - Allow referint plugin to use an alternate config area
  • Resolves: bug 1044205 - Allow memberOf to use an alternate config area
  • Resolves: bug 1044210 - idl switch does not work
  • Resolves: bug 1044211 - make old-idl tunable
  • Resolves: bug 1044212 - IDL-style can become mismatched during partial restoration
  • Resolves: bug 1044213 - backend performance - introduce optimization levels
  • Resolves: bug 1044215 - using transaction batchval violates durability
  • Resolves: bug 1044216 - examine replication code to reduce amount of stored state information
  • Resolves: bug 1048980 - 7-bit check plugin not checking MODRDN operation
  • Resolves: bug 1049030 - Windows Sync group issues
  • Resolves: bug 1052751 - Page control does not work if effective rights control is specified
  • Resolves: bug 1052754 - Allow nsDS5ReplicaBindDN to be a group DN
  • Resolves: bug 1057803 - logconv errors when search has invalid bind dn
  • Resolves: bug 1060032 - [RFE] Update lastLoginTime also in Account Policy plugin if account lockout is based on passwordExpirationTime.
  • Resolves: bug 1061060 - betxn: retro changelog broken after cancelled transaction
  • Resolves: bug 1061572 - improve dbgen rdn generation, output and man page.
  • Resolves: bug 1063990 - single valued attribute replicated ADD does not work
  • Resolves: bug 1064006 - Size returned by slapi_entry_size is not accurate
  • Resolves: bug 1064986 - Replication retry time attributes cannot be added
  • Resolves: bug 1067090 - Missing warning for invalid replica backoff configuration
  • Resolves: bug 1072032 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53
  • Resolves: bug 1074306 - Under heavy stress, failure of turning a tombstone into glue makes the server hung
  • Resolves: bug 1074447 - Part of DNA shared configuration is deleted after server restart
  • Resolves: bug 1076729 - Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict
  • Resolves: bug 1077884 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf
  • Resolves: bug 1077897 - Memory leak with proxy auth control
  • Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check
  • Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing
  • Resolves: bug 1082967 - attribute uniqueness plugin fails when set as a chaining component
  • Resolves: bug 1085011 - Directory Server crash reported from reliab15 execution
  • Resolves: bug 1086890 - empty modify returns LDAP_INVALID_DN_SYNTAX
  • Resolves: bug 1086902 - mem leak in do_bind when there is an error
  • Resolves: bug 1086904 - mem leak in do_search - rawbase not freed upon certain errors
  • Resolves: bug 1086908 - Performing deletes during tombstone purging results in operation errors
  • Resolves: bug 1090178 - #481 breaks possibility to reassemble memberuid list
  • Resolves: bug 1092099 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone
  • Resolves: bug 1092342 - nsslapd-ndn-cache-max-size accepts any invalid value.
  • Resolves: bug 1092648 - Negative value of nsSaslMapPriority is not reset to lowest priority
  • Resolves: bug 1097004 - Problem with deletion while replicated
  • Resolves: bug 1098654 - db2bak.pl error with changelogdb
  • Resolves: bug 1099654 - Normalization from old DN format to New DN format doesn’t handle condition properly when there is space in a suffix after the separator operator.
  • Resolves: bug 1108405 - find a way to remove replication plugin errors messages ‘changelog iteration code returned a dummy entry with csn %s, skipping …’
  • Resolves: bug 1108407 - managed entry plugin fails to update managed entry pointer on modrdn operation
  • Resolves: bug 1108865 - memory leak in ldapsearch filter objectclass=*
  • Resolves: bug 1108870 - ACI warnings in error log
  • Resolves: bug 1108872 - Logconv.pl with an empty access log gives lots of errors
  • Resolves: bug 1108874 - logconv.pl memory continually grows
  • Resolves: bug 1108881 - rsearch filter error on any search filter
  • Resolves: bug 1108895 - [RFE - RHDS9] CLI report to monitor replication
  • Resolves: bug 1108902 - rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ?
  • Resolves: bug 1108909 - single valued attribute replicated ADD does not work
  • Resolves: bug 1109334 - 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.
  • Resolves: bug 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs
  • Resolves: bug 1109339 - Nested tombstones become orphaned after purge
  • Resolves: bug 1109354 - Tombstone purging can crash the server if the backend is stopped/disabled
  • Resolves: bug 1109357 - Coverity issue in 1.3.3
  • Resolves: bug 1109364 - valgrind - value mem leaks, uninit mem usage
  • Resolves: bug 1109375 - provide default syntax plugin
  • Resolves: bug 1109378 - Environment variables are not passed when DS is started via service
  • Resolves: bug 1111364 - Updating winsync one-way sync does not affect the behaviour dynamically
  • Resolves: bug 1112824 - Broken dereference control with the FreeIPA 4.0 ACIs
  • Resolves: bug 1113605 - server restart wipes out index config if there is a default index
  • Resolves: bug 1115177 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro
  • Resolves: bug 1117021 - Server deadlock if online import started while server is under load
  • Resolves: bug 1117975 - paged results control is not working in some cases when we have a subsuffix.
  • Resolves: bug 1117979 - harden the list of ciphers available by default
  • Resolves: bug 1117981 - Fix various typos in manpages & code
  • Resolves: bug 1117982 - Fix hyphens used as minus signs and other manpage mistakes
  • Resolves: bug 1118002 - server crashes deleting a replication agreement
  • Resolves: bug 1118006 - RFE - forcing passwordmustchange attribute by non-cn=directory manager
  • Resolves: bug 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords
  • Resolves: bug 1118014 - Enhance ACIs to have more control over MODRDN operations
  • Resolves: bug 1118021 - Return all attributes in rootdse without explicit request
  • Resolves: bug 1118025 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
  • Resolves: bug 1118032 - Schema Replication Issue
  • Resolves: bug 1118034 - 389 DS Server crashes and dies while handles paged searches from clients
  • Resolves: bug 1118043 - Failed deletion of aci: no such attribute
  • Resolves: bug 1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
  • Resolves: bug 1118051 - Add switch to disable pre-hashed password checking
  • Resolves: bug 1118054 - Make ldbm_back_seq independently support transactions
  • Resolves: bug 1118055 - Add operations rejected by betxn plugins remain in cache
  • Resolves: bug 1118057 - online import crashes server if using verbose error logging
  • Resolves: bug 1118059 - add fixup-memberuid.pl script
  • Resolves: bug 1118060 - winsync plugin modify is broken
  • Resolves: bug 1118066 - memberof scope: allow to exclude subtrees
  • Resolves: bug 1118069 - 389-ds production segfault: __memcpy_sse2_unaligned () at …/sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144
  • Resolves: bug 1118074_DELETE_FN - plugin returned error’ messages
  • Resolves: bug 1118076 - ds logs many ‘Operation error fetching Null DN’ messages
  • Resolves: bug 1118077 - Improve import logging and abort handling
  • Resolves: bug 1118079 - Multi master replication initialization incomplete after restore of one master
  • Resolves: bug 1118080 - Don’t add unhashed password mod if we don’t have an unhashed value
  • Resolves: bug 1118081 - Investigate betxn plugins to ensure they return the correct error code
  • Resolves: bug 1118082 - The error result text message should be obtained just prior to sending result
  • Resolves: bug 1123865 - CVE-2014-3562 389-ds-base: 389-ds: unauthenticated information disclosure [rhel-7.1]