svn commit: r1631119 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS modules/ldap/util_ldap.c
c***@apache.org
2014-10-11 21:18:45 UTC
Author: covener
Date: Sat Oct 11 21:18:45 2014
New Revision: 1631119

URL: http://svn.apache.org/r1631119
Log:
Merge r1613682 from trunk:

In 2.4.10, AuthLDAPBindDN might not be used for some LDAP searches, causing
LDAP authz failures if AuthLDAPBindDN was able to search through more of
LDAP than web users.



Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1631119&r1=1631118&r2=1631119&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Oct 11 21:18:45 2014
@@ -6,6 +6,10 @@ Changes with Apache 2.4.11
mod_cache: Avoid a crash when Content-Type has an empty value.
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]

+ *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+ the wrong credentials when a backend connection is reused.
+ [Eric Covener]
+
*) mod_macro: Add missing APLOGNO for some Warning log messages.
[Christophe Jaillet]

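Review bot: The new mod_ldap entry never names AuthLDAPBindDN, so an administrator searching CHANGES for that directive will not find this fix. The log message ties the regression to AuthLDAPBindDN not being used for some searches, with authz failures when that bind DN can search more of LDAP than web users. Consider carrying that into the entry, for example by saying the operations "might be done with the wrong credentials instead of AuthLDAPBindDN when a backend connection is reused", so the affected configuration is recognizable from CHANGES alone.
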

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1631119&r1=1631118&r2=1631119&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sat Oct 11 21:18:45 2014
@@ -102,12 +102,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]

- * mod_ldap: 2.4.10 regression: Some authorization searches won't use AuthLDAPBindDN
- which can lead to LDAP authz failurs if AuthLDAPBindDN had extra access.
- trunk patch: http://svn.apache.org/r1613682
- 2.4.x patch: trunk works + CHANGES referencing 2.4.10 regression
- +1: covener, jim, rjung
-
* mod_dav: set r->status_line in dav_error_response.
It's used as argument in next ap_rvputs call. PR 55426.
trunk patch: http://svn.apache.org/r1527509

Modified: httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c?rev=1631119&r1=1631118&r2=1631119&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c Sat Oct 11 21:18:45 2014
@@ -1824,7 +1824,7 @@ start_over:
* combination, which might be reused unintentionally next time this
* connection is used from the connection pool.
*/
- ldc->must_rebind = 0;
+ ldc->must_rebind = 1;
ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, "LDC %pp used for authn, must be rebound", ldc);
}

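Review bot: At `ldc->must_rebind = 1;` the fix only works if code outside this hunk honors the flag, and none of that code is visible here. Please confirm that every path that takes this connection back out of the pool checks must_rebind before issuing a search or a compare, since the CHANGES entry names both operations. The previous value of 0 contradicted both the comment directly above it and the "must be rebound" trace message on the following line, so a regression test that authenticates a user and then runs an authorization search on the reused connection would help keep the flag, the comment and the log message in agreement.
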