Description of problem:
In the systemd logs, I have the following warning:

Jun 10 22:20:01 hvrenat4 systemd[1]: /usr/lib/systemd/system/slapd.service:6: PIDFile= references path below legacy directory /var/run/, updating /var/run/ldap/slapd.pid → /run/ldap/slapd.pid; please update the unit file accordingly.

In the openldap packages, PID files are still in the /var/run/ directory instead of /run.
It comes from /lib/systemd/system/slapd.service, line:
PIDFile=/var/run/ldap/slapd.pid

Version-Release number of selected component (if applicable):
openldap-servers-2.4.50-1.1.mga7

How reproducible:
on each start/restart

Steps to Reproduce:
1. urpmi openldap-servers
2. systemctl start slapd.service
3.
I fixed this in Cauldron with openldap-2.4.50-3.mga8. It needed changes in slapd.service and slapd.conf. Maintainer is buchan, probably should've left this bug. buchan: if you want to backport to Mageia 7, feel free. See http://svnweb.mageia.org/packages?view=revision&revision=1592442
CC: (none) => bgmilne, olav
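Added example, not part of the original thread or of the Mageia packages: a shell check for the two settings this fix touches, the PIDFile= line in slapd.service and the pidfile directive in slapd.conf. The sample file contents are constructed, and the use of a "pidfile" line in slapd.conf is an assumption, since the thread does not show that file. It reports paths still below /var/run/ and confirms that both files name the same PID file once normalised.

```shell
#!/bin/sh
# Added example, not from the Mageia or OpenLDAP packages.

# legacy_pid_paths FILE...: print "file:line: old -> new" for every
# PIDFile= (systemd unit) or pidfile (slapd.conf) path below /var/run/.
legacy_pid_paths() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            function hit(old,    new) {
                new = old
                sub(/^\/var\/run\//, "/run/", new)
                printf "%s:%d: %s -> %s\n", file, NR, old, new
            }
            /^[ \t]*PIDFile[ \t]*=[ \t]*\/var\/run\// {
                p = $0; sub(/^[^=]*=[ \t]*/, "", p); hit(p)
            }
            /^[ \t]*pidfile[ \t]+\/var\/run\// { hit($2) }
        ' "$f"
    done
}

# pid_path FILE: print the configured PID-file path with /var/run/ normalised
# to /run/, so a unit file and slapd.conf can be compared.
pid_path() {
    awk '
        /^[ \t]*PIDFile[ \t]*=/ { p = $0; sub(/^[^=]*=[ \t]*/, "", p) }
        /^[ \t]*pidfile[ \t]+/  { p = $2 }
        END { sub(/^\/var\/run\//, "/run/", p); if (p != "") print p }
    ' "$1"
}

# Constructed sample files (not the packaged ones), written to a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '[Service]\nPIDFile=/var/run/ldap/slapd.pid\n' > "$d/slapd.service"
    printf 'pidfile /run/ldap/slapd.pid\nargsfile /run/ldap/slapd.args\n' > "$d/slapd.conf"
    legacy_pid_paths "$d/slapd.service" "$d/slapd.conf"
    [ "$(pid_path "$d/slapd.service")" = "$(pid_path "$d/slapd.conf")" ] \
        && echo "unit and slapd.conf agree after normalisation"
    rm -rf "$d"
}
demo
```

On a real system the functions would be pointed at /usr/lib/systemd/system/slapd.service and /etc/openldap/slapd.conf, the paths that appear in this report.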
Thanks Olav for your M8 fix. As this is a legitimate M7 bug, Buchan please do fix it for that. Assigning the bug to you.
Assignee: bugsquad => bgmilne
CC: bgmilne => (none)
Thanks Olav! Fixed in Mageia 7 SVN in r1614197. Will be pushed with the next security update.
Summary: bad path for pid in slapd => openldap: bad path for pid in slapd
CC: (none) => luigiwalser
Debian has issued an advisory on October 30:
https://www.debian.org/security/2020/dsa-4782

Patched package uploaded for Mageia 7.

Advisory:
========================

Updated openldap packages fix security vulnerability:

A vulnerability in the handling of normalization with modrdn was discovered in OpenLDAP. An unauthenticated remote attacker can use this flaw to cause a denial of service (slapd daemon crash) via a specially crafted packet (ITS#9370).

Also, the PID file path in the systemd service was fixed to use /run as the parent, rather than /var/run, eliminating warning messages in the logs.

References:
https://bugs.openldap.org/show_bug.cgi?id=9370
https://www.debian.org/security/2020/dsa-4782
========================

Updated packages in core/updates_testing:
========================
openldap-2.4.50-1.2.mga7
openldap-servers-2.4.50-1.2.mga7
openldap-servers-devel-2.4.50-1.2.mga7
openldap-clients-2.4.50-1.2.mga7
libldap2.4_2-2.4.50-1.2.mga7
libldap2.4_2-devel-2.4.50-1.2.mga7
libldap2.4_2-static-devel-2.4.50-1.2.mga7
openldap-back_sql-2.4.50-1.2.mga7
openldap-back_bdb-2.4.50-1.2.mga7
openldap-back_mdb-2.4.50-1.2.mga7
openldap-doc-2.4.50-1.2.mga7
openldap-tests-2.4.50-1.2.mga7
openldap-testprogs-2.4.50-1.2.mga7

from openldap-2.4.50-1.2.mga7.src.rpm
Assignee: bgmilne => qa-bugs
Summary: openldap: bad path for pid in slapd => openldap: bad path for pid in slapd, and security issue in modrdn
QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => bgmilne
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref to steps to reproduce above:

# systemctl start slapd
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-11-09 11:10:40 CET; 25s ago
  Process: 13371 ExecStartPre=/usr/share/openldap/scripts/ldap-config check (code=exited, status=0/SUCCESS)
  Process: 13408 ExecStart=/usr/sbin/slapd -u ${LDAP_USER} -g ${LDAP_GROUP} -h ${SLAPDURLLIST} -l ${SLAPDSYSLOGLOCALUSER} -s ${SLAPDSYSLOGLEVEL} (code=exited, s>
 Main PID: 13409 (slapd)
    Tasks: 3 (limit: 2288)
   Memory: 5.5M
   CGroup: /system.slice/slapd.service
           └─13409 /usr/sbin/slapd -u ldap -g ldap -h ldap:/// ldapi:/// -l local4 -s 0

Nov 09 11:10:39 mach6.hviaene.thuis systemd[1]: Starting OpenLDAP Server Daemon...
Nov 09 11:10:39 mach6.hviaene.thuis su[13379]: (to ldap) root on none
Nov 09 11:10:40 mach6.hviaene.thuis su[13379]: pam_unix(su:session): session opened for user ldap by (uid=0)
Nov 09 11:10:40 mach6.hviaene.thuis su[13379]: pam_unix(su:session): session closed for user ldap
Nov 09 11:10:40 mach6.hviaene.thuis ldap-config[13371]: Checking config file /etc/openldap/slapd.conf: [ OK ]
Nov 09 11:10:40 mach6.hviaene.thuis systemd[1]: Started OpenLDAP Server Daemon.

and

# journalctl -xe | grep slap
-- Subject: A start job for unit slapd.service has begun execution
-- A start job for unit slapd.service has begun execution.
Nov 09 11:10:40 mach6.hviaene.thuis ldap-config[13371]: Checking config file /etc/openldap/slapd.conf: [ OK ]
-- Subject: A start job for unit slapd.service has finished successfully
-- A start job for unit slapd.service has finished successfully.

So no more messages on /var/run
Seems OK
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-25692
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0407.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Summary: openldap: bad path for pid in slapd, and security issue in modrdn => openldap: bad path for pid in slapd, and security issue in modrdn (CVE-2020-25692)