389-ds-base (1.3.3.5-4+deb8u7) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to remove the SLAPI_ACL_SEARCH right flag when checking
    access for an attribute. (Fixes: CVE-2019-14824) (Closes: #944150)

 -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Mon, 25 Nov 2019 06:09:02 +0530

389-ds-base (1.3.3.5-4+deb8u6) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-3883: Before reading from a secure socket, the LDAP consumer now
    polls the socket for a read. The socket is polled (with a 0.1s timeout)
    until read is possible or sum of poll timeout is greater than
    ioblocktimeout. (Closes: #927939).

 -- Mike Gabriel <sunweaver@debian.org>  Mon, 06 May 2019 18:42:39 +0200

389-ds-base (1.3.3.5-4+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix regression introduced by +deb8u4: checking of empty attributes
    causes crash.

 -- Hugo Lefeuvre <hle@debian.org>  Thu, 25 Oct 2018 13:03:54 +0200

389-ds-base (1.3.3.5-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14648: A specially crafted search query could lead to
    excessive CPU consumption in the do_search() function. An
    unauthenticated attacker could leverage this flaw to cause a
    denial of service.

 -- Hugo Lefeuvre <hle@debian.org>  Wed, 24 Oct 2018 17:16:21 +0200

389-ds-base (1.3.3.5-4+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14624: The emergency logging system is affected by a race
    condition caused by the invalidation of the concurrently used log
    file FD without proper locking. This issue might be triggered by
    remote attackers to cause DoS (crash) and cause any other undefined
    behavior.

 -- Hugo Lefeuvre <hle@debian.org>  Sat, 15 Sep 2018 10:11:57 -0400

389-ds-base (1.3.3.5-4+deb8u2) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-10935:
    Check if we are able to index the provided value. If we are not
    then slapd_qsort returns an error (LDAP_OPERATION_ERROR).
    Fixes: Any authenticated user doing a search using ldapsearch with extended
    controls for server side sorting is bringing down the ldap server itself.
    (Closes: #906985).
  * CVE-2018-10871:
    Set nsslapd-unhashed-pw-switch by default to 'off'.
    Fixes: By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy of
    the unhashed password is kept in modifiers and is possibly logged in
    changelog and retroCL.

 -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Thu, 30 Aug 2018 16:40:44 +0200

389-ds-base (1.3.3.5-4+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team. 
  * CVE-2015-1854
    A flaw was found while doing authorization of modrdn operations.
    An unauthenticated attacker able to issue an ldapmodrdn call to
    the directory server could perform unauthorized modifications
    of entries in the directory server.
  * CVE-2017-15134
    Improper handling of a search filter in slapi_filter_sprintf()
    in slapd/util.c can lead to remote server crash and denial 
    of service.
  * CVE-2018-1054
    When read access on <attribute_name> is enabled, a flaw in the
    SetUnicodeStringFromUTF_8 function in collate.c can lead to
    out-of-bounds memory operations.
    This might result in a server crash, caused by unauthorized
    users.
  * CVE-2018-1089
    Any user (anonymous or authenticated) can crash ns-slapd with a
    crafted ldapsearch query with a very long filter value.
  * CVE-2018-10850
    Due to a race condition the server could crash in turbo mode
    (because of high traffic) or when a worker reads several requests 
    in the read buffer (more_data). Thus an anonymous attacker could
    trigger a denial of service.

 -- Thorsten Alteholz <debian@alteholz.de>  Thu, 12 Jul 2018 19:03:02 +0200

389-ds-base (1.3.3.5-4) unstable; urgency=medium

  * Security fixes (Closes: #779909)
    - cve-2014-8105.diff: Fix for CVE-2014-8105
    - cve-2014-8112.diff: Fix for CVE-2014-8112

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 09 Mar 2015 10:53:03 +0200

389-ds-base (1.3.3.5-3) unstable; urgency=medium

  * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
    scripts to use bash instead of trying to fix bashisms. (Closes:
    #772195)

 -- Timo Aaltonen <tjaalton@debian.org>  Fri, 16 Jan 2015 15:40:23 +0200

389-ds-base (1.3.3.5-2) unstable; urgency=medium

  * fix-saslpath.diff: Fix SASL library path.

 -- Timo Aaltonen <tjaalton@debian.org>  Sat, 25 Oct 2014 01:48:34 +0300

389-ds-base (1.3.3.5-1) unstable; urgency=medium

  * New upstream bugfix release.
  * control: Bump policy, no changes.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 20 Oct 2014 09:57:14 +0300

389-ds-base (1.3.3.3-1) unstable; urgency=medium

  * New upstream release.
  * Dropped upstreamed patches, refresh others.
  * control, rules, 389-ds-base.install: Add support for systemd.
  * fix-obsolete-target.diff: Drop syslog.target from the service files.
  * 389-ds-base.links: Mask the initscript so that it's not used with systemd.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 06 Oct 2014 17:13:01 +0300

389-ds-base (1.3.2.23-2) unstable; urgency=medium

  * Team upload.
  * Add fix-bsd.patch and support-kfreebsd.patch to fix the build failure
    on kFreeBSD.

 -- Benjamin Drung <benjamin.drung@profitbricks.com>  Wed, 03 Sep 2014 15:32:22 +0200

389-ds-base (1.3.2.23-1) unstable; urgency=medium

  * New bugfix release.
  * watch: Update the url.
  * control: Update Vcs-Browser url to use cgit.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 01 Sep 2014 13:32:59 +0300

389-ds-base (1.3.2.21-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2014-3562 (Closes: #757437)

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Fri, 08 Aug 2014 10:48:55 +0300

389-ds-base (1.3.2.19-1) unstable; urgency=medium

  * New upstream release.
  * admin_scripts.diff: Updated to fix more bashisms.
  * watch: Update the url.
  * Install failedbinds.py and logregex.py scripts.
  * init: Use status from init-functions.
  * control: Update my email.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 08 Jul 2014 15:50:11 +0300

389-ds-base (1.3.2.9-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply fix for CVE-2014-0132, see like-named patch (Closes: #741600)
  * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
    (Closes: #745821)

 -- Tobias Frost <tobi@coldtobi.de>  Fri, 25 Apr 2014 15:11:16 +0200

389-ds-base (1.3.2.9-1) unstable; urgency=low

  * New upstream release.
    - fixes CVE-2013-0336 (Closes: #704077)
    - fixes CVE-2013-1897 (Closes: #704421)
    - fixes CVE-2013-2219 (Closes: #718325)
    - fixes CVE-2013-4283 (Closes: #721222)
    - fixes CVE-2013-4485 (Closes: #730115)
  * Drop fix-CVE-2013-0312.diff, upstream.
  * rules: Add new scripts to rename.
  * fix-sasl-path.diff: Use a triplet path to find libsasl2. (LP:
    #1088822)
  * admin_scripts.diff: Add patch from upstream #47511 to fix bashisms.
  * control: Add ldap-utils to -base depends.
  * rules, rename-online-scripts.diff: Some scripts with .pl suffix are
    meant for an online server, so instead of overwriting the offline
    scripts use -online suffix.
  * rules: Enable parallel build, but limit the jobs to 1 for
    dh_auto_install.
  * control: Bump policy to 3.9.5, no changes.
  * rules: Add get-orig-source target.
  * lintian-overrides: Drop obsolete entries, add comments for the rest.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Mon, 03 Feb 2014 11:08:50 +0200

389-ds-base (1.3.0.3-1) unstable; urgency=low

  * New upstream release.
  * control: Bump the policy to 3.9.4, no changes.
  * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Mon, 11 Mar 2013 14:23:20 +0200

389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low

  * New upstream release.
  * watch: Add a comment about the upstream git tree.
  * fix-cve-2012-4450.diff: Remove, upstream.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Sat, 01 Dec 2012 14:22:13 +0200

389-ds-base (1.2.11.15-1) unstable; urgency=low

  * New upstream release.
  * Add fix-cve-2012-4450.diff. (Closes: #688942)
  * dirsrv.init: Fix stop() to remove the pidfile only when the process
    is finished. (Closes: #689389)
  * copyright: Update the source url.
  * control: Drop quilt from build-depends, since using 3.0 (quilt)
  * lintian-overrides: Add an override for hardening-no-fortify-
    functions, since it's a false positive in this case.
  * control: Drop dpkg-dev from build-depends, no need to specify it
    directly.
  * copyright: Add myself as a copyright holder for debian/*.
  * 389-ds-base.prerm: Add 'set -e'.
  * rules: drop DEB_HOST_MULTIARCH, dh9 handles it.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Wed, 03 Oct 2012 19:33:52 +0300

389-ds-base (1.2.11.7-5) unstable; urgency=low

  * control: Drop debconf-utils and po-debconf from build-depends.
  * control: Add libnetaddr-ip-perl and libsocket-getaddrinfo-perl to
    389-ds-base Depends for ipv6 support. (Closes: #682847)

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Mon, 30 Jul 2012 13:12:23 +0200

389-ds-base (1.2.11.7-4) unstable; urgency=low

  * debian/po: Remove, leftover from the template purge. (Closes: #681543)

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Thu, 19 Jul 2012 23:12:01 +0300

389-ds-base (1.2.11.7-3) unstable; urgency=low

  * 389-ds-base.config: Removed, the debconf template is no more.
    (Closes: #680351)
  * control: Remove duplicate 'the' from the 389-ds description.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Wed, 11 Jul 2012 11:59:36 +0300

389-ds-base (1.2.11.7-2) unstable; urgency=low

  * control: Stop hardcoding libs to binary depends. (Closes: #679790)
  * control: Add libnspr4-dev and libldap2-dev to 389-ds-base-dev
    Depends. (Closes: #679742)
  * l10n review (Closes: #679870) :
    - Drop the debconf template, and rewrap README.Debian.
    - control: Update the descriptions

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Tue, 03 Jul 2012 17:58:20 +0300

389-ds-base (1.2.11.7-1) unstable; urgency=low

  [ Timo Aaltonen ]
  * New upstream release.
  * watch: Fix the url.
  * patches/remove_license_prompt: Dropped, included upstream.
  * patches/default_user: Refreshed.
  * control: Change the VCS header to point to the git repository.
  * control: Rename last remnants of Fedora to 389.
  * changelog, control: Be consistent with the naming; renamed the source
    to just '389-ds-base', which matches upstream tarball naming.
  * control: Wrap Depends.
  * compat, control: Bump compat to 9, and debhelper build-dep to (>= 9).
  * rules: Switch to dh.
  * Move dirsrv.lintian to dirsrv.lintian-overrides, adjust dirsrv.install.
  * *.dirs: Clean up.
  * control: Build-depend on dh-autoreconf, drop duplicate bdeps.
  * Fold dirsrv-tools into the main package.
  * Build against libldap2-dev (>= 2.4.28).
  * Rename binary package to 389-ds-base.
  * -dev.install: Install the pkgconfig file.
  * rules: Enable PIE hardening.
  * Add a default file, currently sets LD_BIND_NOW=1.
  * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
    dependency to 389-ds-base.
  * rules: Add --fail-missing for dh_install, remove files not needed
    and make sure to install the rest.
  * rules, control: Fix the installation name of ds-logpipe.py, add
    python dependency to 389-ds-base.
  * libns-dshttpd is internal to the server, ship it in 389-ds-base.
  * Rename libdirsrv{-dev,0} -> 389-ds-base-{dev,libs}, includes only
    libslapd and headers for external plugin development.
  * control: Breaks/Replaces old libdirsrv-dev/libdirsrv0/dirsrv.
  * Drop hyphen_used_as_minus, applied upstream.
  * copyright: Use DEP5 format.
  * Cherry-pick upstream commit ee320163c6 to get rid of unnecessary
    and non-free MIBs from the tree, and build a dfsg compliant tarball.
  * lintian-overrides: Update, create one for -libs.
  * Fix the initscript to create the lockdir, and refactor code into separate
    functions.
  * Drop obsolete entries from copyright, and make it lintian clean.
  * debian/po: Refer to the correct file after rename.
  * control: Bump Standards-Version to 3.9.3, no changes.
  * postinst: Drop unused 'lastversion'.
  * patches: Add DEP3 compliant headers.
  * rules, postinst: Add an error handler function for dh_installinit, so
    that clean installs don't fail due to missing configuration.
  * postinst: Run the update tool.
  * dirsrv.init:
    - Make the start and stop functions much simpler and LSB compliant
    - Fix starting multiple instances
    - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach properly
  * control: Add 389-ds metapackage.
  * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
    supports db5.x.
  * 389-ds-base.prerm: Add prerm script for removing installed instances on
    purge.

  [ Krzysztof Klimonda ]
  * dirsrv.init:
    - return 0 code if there are no instances configured and tweak message
      so it doesn't indicate a failure.

 -- Krzysztof Klimonda <kklimonda@syntaxhighlighted.com>  Tue, 27 Mar 2012 14:26:16 +0200

389-directory-server (1.2.6.1-5) unstable; urgency=low

  * Removed db_stop from dirsrv.postinst
  * Fix short description in libdirsrv0-dbg

 -- Michele Baldessari <michele@acksyn.org>  Wed, 20 Oct 2010 20:24:20 +0200

389-directory-server (1.2.6.1-4) unstable; urgency=low

  * Make libicu dep dependent on dpkg-vendor

 -- Michele Baldessari <michele@acksyn.org>  Mon, 18 Oct 2010 21:21:52 +0200

389-directory-server (1.2.6.1-3) unstable; urgency=low

  * Remove dirsrv user and group in postrm
  * Clean up postrm and postinst

 -- Michele Baldessari <michele@acksyn.org>  Sun, 17 Oct 2010 21:54:08 +0200

389-directory-server (1.2.6.1-2) unstable; urgency=low

  * Fix QUILT_STAMPFN

 -- Michele Baldessari <michele@acksyn.org>  Sun, 17 Oct 2010 15:03:34 +0200

389-directory-server (1.2.6.1-1) unstable; urgency=low

  * New upstream

 -- Michele Baldessari <michele@acksyn.org>  Sat, 16 Oct 2010 23:08:09 +0200

389-directory-server (1.2.6-2) unstable; urgency=low

  * Update my email address

 -- Michele Baldessari <michele@acksyn.org>  Sat, 16 Oct 2010 22:34:19 +0200

389-directory-server (1.2.6-1) unstable; urgency=low

  * New upstream
  * s/Fedora/389/g to clean up the branding
  * Remove automatic configuration (breaks too often with every update)
  * Remove dirsrv.config translation, no questions are asked anymore 
  * Fix old changelog versions with proper ~ on rc versions
  * Update policy to 3.9.1
  * Improve README.Debian
  * Depend on libicu44
  * Remove /var/run/dirsrv from the postinst scripts (managed by init script)

 -- Michele Baldessari <michele@pupazzo.org>  Sat, 04 Sep 2010 11:58:21 +0200

389-directory-server (1.2.6~rc7-1) unstable; urgency=low

  * New upstream

 -- Michele Baldessari <michele@pupazzo.org>  Fri, 03 Sep 2010 20:06:08 +0200

389-directory-server (1.2.6~a3-1) unstable; urgency=low

  * New upstream
  * Rename man page remove-ds.pl to remove-ds
  * Removed Debian.source

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 23 May 2010 22:12:13 +0200

389-directory-server (1.2.6~a2-1) unstable; urgency=low

  * New upstream
  * Removed speling_fixes patch, applied upstream

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 23 May 2010 13:36:25 +0200

389-directory-server (1.2.5-1) unstable; urgency=low

  * New upstream 
  * Add libpcre3-dev Build-dep
  * ldap-agent moved to /usr/sbin
  * Fix spelling errors in code and manpages
  * Fix some lintian warnings
  * Bump policy to 3.8.3
  * Ignore lintian warning pkg-has-shlibs-control-file-but-no-actual-shared-libs
    as the shlibs file is for dirsrv plugins
  * Upgraded deps to libicu42 and libdb4.8
  * Do create /var/lib/dirsrv as dirsrv user's home
  * Added libsasl2-modules-gssapi-mit as a dependency for dirsrv (needed by
    mandatory LDAP SASL mechs)
  * Install all files of etc/dirsrv/config
  * Add some missing start scripts in usr/sbin
  * Fixed a bug in the dirsrv.init script
  * Switch to dpkg-source 3.0 (quilt) format
  * Bump policy to 3.8.4

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 23 May 2010 12:31:24 +0200

389-directory-server (1.2.1-0) unstable; urgency=low

  * Rename of source package (note, since this is still staging work no 
    replace or upgrade is in place)
  * Update watch file
  * New Upstream

 -- Michele Baldessari <michele@pupazzo.org>  Fri, 12 Jun 2009 22:08:42 +0200

fedora-directory-server (1.2.0-1) unstable; urgency=low

  * New upstream release
  * Add missing libkrb5-dev dependency
  * Fix section of -dbg packages
  * Fix all "dpatch-missing-description" lintian warnings

 -- Michele Baldessari <michele@pupazzo.org>  Wed, 22 Apr 2009 23:36:22 +0200

fedora-directory-server (1.1.3-1) unstable; urgency=low

  * New upstream 
  * Added watch file
  * Make setup-ds use dirsrv:dirsrv user/group as defaults
  * Added VCS-* fields
  * --enable-autobind
  * Add ldap/servers/plugins/replication/winsync-plugin.h to libdirsrv-dev

 -- Michele Baldessari <michele@pupazzo.org>  Mon, 24 Nov 2008 22:42:26 +0100

fedora-directory-server (1.1.2-2) unstable; urgency=low

  * Fixed build+configure twice issue
  * Added Conflicts: slapd (thanks Alessandro)

 -- Michele Baldessari <michele@pupazzo.org>  Tue, 23 Sep 2008 21:12:44 +0200

fedora-directory-server (1.1.2-1) unstable; urgency=low

  * New upstream
  * Removed /usr/sbin PATH from postinst script

 -- Michele Baldessari <michele@pupazzo.org>  Sat, 20 Sep 2008 20:10:52 +0000

fedora-directory-server (1.1.1-0) unstable; urgency=low

  * New upstream
  * Don't apply patch for 439829, fixed upstream
  * Bump to policy 3.8.0
  * Added README.source

 -- Michele Baldessari <michele@pupazzo.org>  Fri, 22 Aug 2008 00:09:40 +0200

fedora-directory-server (1.1.0-4) unstable; urgency=low

  * dirsrv should depend on libmozilla-ldap-perl (thanks Mathias Kaufmann
    <steiger@mmforces.de>)

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 20 Jul 2008 18:41:58 +0200

fedora-directory-server (1.1.0-3) unstable; urgency=low

  * Fix up some descriptions

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 25 May 2008 21:36:32 +0200

fedora-directory-server (1.1.0-2) unstable; urgency=low

  * Silenced init warning messages when chowning pid directory

 -- Michele Baldessari <michele@pupazzo.org>  Wed, 21 May 2008 23:08:32 +0200

fedora-directory-server (1.1.0-1) unstable; urgency=low

  * Removed template lintian warning
  * Cleaned up manpages

 -- Michele Baldessari <michele@pupazzo.org>  Sun, 18 May 2008 13:39:58 +0200

fedora-directory-server (1.1.0-0) unstable; urgency=low

  * Initial release (Closes: #497098).
  * Fixed postinst after renaming setup-ds.pl to setup-ds
  * Applied patch from https://bugzilla.redhat.com/show_bug.cgi?id=439829 to
    fix segfault against late NSS versions
  * Switched to parseable copyright format
  * Source package is lintian clean now
  * Added initial manpage patch
  * Switched to dh_install

 -- Michele Baldessari <michele@pupazzo.org>  Thu, 27 Mar 2008 23:56:17 +0200
