@@ -1,14 +1,14 @@

 Summary:        A shared library implementation of IPMI and the basic tools

 Name:           openipmi

-Version:        2.0.24

-Release:        2%{?dist}

+Version:        2.0.25

+Release:        1%{?dist}

 URL:            https://sourceforge.net/projects/openipmi/

 License:        LGPLv2+ and GPLv2+ or BSD

 Group:          System Environment/Base

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://sourceforge.net/projects/openipmi/files/latest/download/%{name}-%{version}.tar.gz

-%define sha1    openipmi=f37656813a826a3147ed557c32408f8daa399c28

+%define sha1    openipmi=06751d0cd4353edc9711405f829fa7039533239d

 Source1:        openipmi-helper

 Source2:        ipmi.service

 BuildRequires:  systemd

@@ -178,6 +178,8 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip

 %{_mandir}/man5/ipmi_sim_cmd.5.gz

 %changelog

+*   Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.0.25-1

+-   Upgrade to 2.0.25

 *   Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-2

 -   openipmi-devel requires ncurses-devel

 *   Mon Sep 11 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-1

deleted file mode 100644

@@ -1,26 +0,0 @@

-From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001

-From: Howard Chu <hyc@openldap.org>

-Date: Mon, 19 Jan 2015 22:25:53 +0000

-Subject: [PATCH] ITS#8027 require non-empty AttributeList

-

- servers/slapd/overlays/deref.c |    3 ++-

- 1 file changed, 2 insertions(+), 1 deletion(-)

-

-diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c

-index 9420e3e..05aa890 100644

-+++ b/servers/slapd/overlays/deref.c

-@@ -183,7 +183,8 @@ deref_parseCtrl (

- 		ber_len_t cnt = sizeof(struct berval);

- 		ber_len_t off = 0;

- 

--		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )

-+		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR

-+			|| !cnt )

- 		{

- 			rs->sr_text = "Dereference control: derefSpec decoding error";

- 			rs->sr_err = LDAP_PROTOCOL_ERROR;

-1.7.10.4

-

deleted file mode 100644

@@ -1,34 +0,0 @@

-From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001

-From: Howard Chu <hyc@openldap.org>

-Date: Wed, 4 Feb 2015 02:03:55 +0000

-Subject: [PATCH] ITS#8046 fix vrFilter_free

-

- servers/slapd/filter.c |   10 +++-------

- 1 file changed, 3 insertions(+), 7 deletions(-)

-

-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c

-index b859f73..22c81c8 100644

-+++ b/servers/slapd/filter.c

-@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,

- void

- vrFilter_free( Operation *op, ValuesReturnFilter *vrf )

- {

--	ValuesReturnFilter	*p, *next;

-+	ValuesReturnFilter	*next;

- 

--	if ( vrf == NULL ) {

--		return;

--	}

--

--	for ( p = vrf; p != NULL; p = next ) {

--		next = p->vrf_next;

-+	for ( ; vrf != NULL; vrf = next ) {

-+		next = vrf->vrf_next;

- 

- 		switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {

- 		case LDAP_FILTER_PRESENT:

-1.7.10.4

-

deleted file mode 100755

@@ -1,188 +0,0 @@

-Submitted By:            Armin K. <krejzi at email dot com>

-Date:                    2012-04-06

-Initial Package Version: 2.4.30

-Upstream Status:         BLFS Specific

-Origin:                  Self

-Description:             Patch changes various installation options, such as ldap database path,

-                         configuration file options, slapd install location, etc.

-

-+++ openldap/doc/man/man5/slapd-bdb.5	2012-04-06 00:18:54.171136608 +0200

-@@ -131,7 +131,7 @@

- associated indexes live.

- A separate directory must be specified for each database.

- The default is

--.BR LOCALSTATEDIR/openldap\-data .

-+.BR LOCALSTATEDIR/lib/openldap .

- .TP

- .B dirtyread

- Allow reads of modified but not yet committed data.

-+++ openldap/doc/man/man5/slapd.conf.5	2012-04-06 00:18:54.174136671 +0200

-@@ -1987,7 +1987,7 @@

- # The database directory MUST exist prior to

- # running slapd AND should only be accessible

- # by the slapd/tools. Mode 0700 recommended.

--directory LOCALSTATEDIR/openldap\-data

-+directory LOCALSTATEDIR/lib/openldap

- # Indices to maintain

- index     objectClass  eq

- index     cn,sn,mail   pres,eq,approx,sub

-+++ openldap/doc/man/man5/slapd-config.5	2012-04-06 00:18:54.194137078 +0200

-@@ -2029,7 +2029,7 @@

- # The database directory MUST exist prior to

- # running slapd AND should only be accessible

- # by the slapd/tools. Mode 0700 recommended.

--olcDbDirectory: LOCALSTATEDIR/openldap\-data

-+olcDbDirectory: LOCALSTATEDIR/lib/openldap

- # Indices to maintain

- olcDbIndex:     objectClass  eq

- olcDbIndex:     cn,sn,mail   pres,eq,approx,sub

-+++ openldap/include/ldap_defaults.h	2012-04-06 00:18:54.200137199 +0200

-@@ -39,7 +39,7 @@

- #define LDAP_ENV_PREFIX "LDAP"

- 

- /* default ldapi:// socket */

--#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"

-+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi"

- 

- /*

-  * SLAPD DEFINITIONS

-@@ -47,7 +47,7 @@

- 	/* location of the default slapd config file */

- #define SLAPD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"

- #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"

--#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"

-+#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap"

- #define SLAPD_DEFAULT_DB_MODE		0600

- #define SLAPD_DEFAULT_UCDATA		LDAP_DATADIR LDAP_DIRSEP "ucdata"

- 	/* default max deref depth for aliases */

-+++ openldap/libraries/liblber/Makefile.in	2012-04-06 00:18:54.204137280 +0200

-@@ -48,6 +48,6 @@

- 

- install-local: FORCE

- 	-$(MKDIR) $(DESTDIR)$(libdir)

--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)

-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)

- 	$(LTFINISH) $(DESTDIR)$(libdir)

- 

-+++ openldap/libraries/libldap/Makefile.in	2012-04-06 00:18:54.204137280 +0200

-@@ -68,7 +68,7 @@

- 

- install-local: $(CFFILES) FORCE

- 	-$(MKDIR) $(DESTDIR)$(libdir)

--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)

-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)

- 	$(LTFINISH) $(DESTDIR)$(libdir)

- 	-$(MKDIR) $(DESTDIR)$(sysconfdir)

- 	@for i in $(CFFILES); do \

-+++ openldap/libraries/libldap_r/Makefile.in	2012-04-06 00:18:54.208137362 +0200

-@@ -83,6 +83,6 @@

- 

- install-local: $(CFFILES) FORCE

- 	-$(MKDIR) $(DESTDIR)$(libdir)

--	$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir)

-+	$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir)

- 	$(LTFINISH) $(DESTDIR)$(libdir)

- 

-+++ openldap/servers/slapd/Makefile.in	2012-04-06 00:18:54.208137362 +0200

-@@ -370,10 +370,10 @@

- 	install-conf install-db-config install-schema install-tools

- 

- install-slapd: FORCE

--	-$(MKDIR) $(DESTDIR)$(libexecdir)

-+	-$(MKDIR) $(DESTDIR)$(sbindir)

- 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run

- 	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \

--		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)

-+		slapd$(EXEEXT) $(DESTDIR)$(sbindir)

- 	@for i in $(SUBDIRS); do \

- 	    if test -d $$i && test -f $$i/Makefile ; then \

- 		echo; echo "  cd $$i; $(MAKE) $(MFLAGS) install"; \

-@@ -439,9 +439,9 @@

- 

- install-db-config: FORCE

- 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)

--	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data

-+	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap

- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \

--		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example

-+		$(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example

- 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \

- 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example

- 

-@@ -449,6 +449,6 @@

- 	-$(MKDIR) $(DESTDIR)$(sbindir)

- 	for i in $(SLAPTOOLS); do \

- 		$(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \

--		$(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \

-+		$(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \

- 	done

- 

-+++ openldap/servers/slapd/slapd.conf	2012-04-06 00:21:12.891992222 +0200

-@@ -10,14 +10,12 @@

- # service AND an understanding of referrals.

- #referral	ldap://root.openldap.org

- 

--pidfile		%LOCALSTATEDIR%/run/slapd.pid

--argsfile	%LOCALSTATEDIR%/run/slapd.args

-+pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid

-+argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args

- 

- # Load dynamic backend modules:

--# modulepath	%MODULEDIR%

--# moduleload	back_bdb.la

--# moduleload	back_hdb.la

--# moduleload	back_ldap.la

-+modulepath	%MODULEDIR%

-+moduleload	back_bdb

- 

- # Sample security restrictions

- #	Require integrity protection (prevent hijacking)

-@@ -46,20 +44,26 @@

- #

- # rootdn can always read and write EVERYTHING!

- 

-+# Specific Backend Directives for bdb:

-+backend         bdb

-+

- #######################################################################

- # BDB database definitions

- #######################################################################

- 

- database	bdb

- suffix		"dc=my-domain,dc=com"

--rootdn		"cn=Manager,dc=my-domain,dc=com"

-+#rootdn		"cn=Manager,dc=my-domain,dc=com"

-+

- # Cleartext passwords, especially for the rootdn, should

- # be avoid.  See slappasswd(8) and slapd.conf(5) for details.

- # Use of strong authentication encouraged.

--rootpw		secret

-+#rootpw		secret

-+

- # The database directory MUST exist prior to running slapd AND 

- # should only be accessible by the slapd and slap tools.

- # Mode 700 recommended.

--directory	%LOCALSTATEDIR%/openldap-data

-+directory	%LOCALSTATEDIR%/lib/openldap

-+

- # Indices to maintain

- index	objectClass	eq

-+++ openldap/servers/slapd/slapi/Makefile.in	2012-04-06 00:18:54.210137403 +0200

-@@ -46,6 +46,6 @@

- install-local: FORCE

- 	if test "$(BUILD_MOD)" = "yes"; then \

- 		$(MKDIR) $(DESTDIR)$(libdir); \

--		$(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \

-+		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \

- 	fi

- 

deleted file mode 100755

@@ -1,160 +0,0 @@

-Submitted By:            Armin K. <krejzi at email dot com>

-Date:                    2012-04-06

-Initial Package Version: 2.4.30

-Upstream Status:         Unknown

-Origin:                  Debian

-Description:             This patch enables symbol versioning in ldap libraries. Without this

-                         patch some applications might generate a warning about missing symbol

-                         versions.

-

-+++ openldap/build/openldap.m4	2012-04-01 17:29:50.973881411 +0200

-@@ -1136,3 +1136,54 @@

- #endif

- 	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])

- ])

-+

-+dnl ====================================================================

-+dnl check for symbol versioning support

-+AC_DEFUN([OL_SYMBOL_VERSIONING],

-+[AC_CACHE_CHECK([for .symver assembler directive],

-+	[ol_cv_asm_symver_directive],[

-+cat > conftest.s <<EOF

-+${libc_cv_dot_text}

-+_sym:

-+.symver _sym,sym@VERS

-+EOF

-+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then

-+  ol_cv_asm_symver_directive=yes

-+else

-+  ol_cv_asm_symver_directive=no

-+fi

-+rm -f conftest*])

-+AC_CACHE_CHECK([for ld --version-script],

-+	[ol_cv_ld_version_script_option],[

-+if test $ol_cv_asm_symver_directive = yes; then

-+  cat > conftest.s <<EOF

-+${libc_cv_dot_text}

-+_sym:

-+.symver _sym,sym@VERS

-+EOF

-+  cat > conftest.map <<EOF

-+VERS_1 {

-+	global: sym;

-+};

-+

-+VERS_2 {

-+	global: sym;

-+} VERS_1;

-+EOF

-+  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then

-+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared

-+                                                 -o conftest.so conftest.o

-+                                                 -Wl,--version-script,conftest.map

-+                       1>&AS_MESSAGE_LOG_FD]);

-+    then

-+      ol_cv_ld_version_script_option=yes

-+    else

-+      ol_cv_ld_version_script_option=no

-+    fi

-+  else

-+    ol_cv_ld_version_script_option=no

-+  fi

-+else

-+  ol_cv_ld_version_script_option=no

-+fi

-+rm -f conftest*])])

-+++ openldap/build/top.mk	2012-04-01 17:29:50.972881390 +0200

-@@ -104,6 +104,9 @@

- # LINK_LIBS referenced in library and module link commands.

- LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)

- 

-+# option to pass to $(CC) to support library symbol versioning, if any

-+VERSION_OPTION = @VERSION_OPTION@

-+

- LTSTATIC = @LTSTATIC@

- 

- LTLINK   = $(LIBTOOL) --mode=link \

-@@ -113,7 +116,7 @@

- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c

- 

- LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \

--	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)

-+	$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)

- 

- LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \

- 	$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c

-+++ openldap/configure.in	2012-04-01 17:29:50.981881580 +0200

-@@ -1907,6 +1907,13 @@

- fi

- AC_SUBST(LTSTATIC)dnl

- 

-+VERSION_OPTION=""

-+OL_SYMBOL_VERSIONING

-+if test $ol_cv_ld_version_script_option = yes ; then

-+  VERSION_OPTION="-Wl,--version-script="

-+fi

-+AC_SUBST(VERSION_OPTION)

-+

- dnl ----------------------------------------------------------------

- if test $ol_enable_wrappers != no ; then

- 	AC_CHECK_HEADERS(tcpd.h,[

-+++ openldap/libraries/liblber/liblber.map	2012-04-01 17:29:50.983881622 +0200

-@@ -0,0 +1,8 @@

-+OPENLDAP_2.4_2 {

-+  global:

-+    ber_*;

-+    der_alloc;

-+    lutil_*;

-+  local:

-+    *;

-+};

-+++ openldap/libraries/liblber/Makefile.in	2012-04-01 17:29:50.982881601 +0200

-@@ -38,6 +38,9 @@

- XXLIBS = 

- NT_LINK_LIBS = $(AC_LIBS)

- UNIX_LINK_LIBS = $(AC_LIBS)

-+ifneq (,$(VERSION_OPTION))

-+  VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"

-+endif

- 

- dtest:    $(XLIBS) dtest.o

- 	$(LTLINK) -o $@ dtest.o $(LIBS)

-+++ openldap/libraries/libldap/libldap.map	2012-04-01 17:29:50.981881580 +0200

-@@ -0,0 +1,7 @@

-+OPENLDAP_2.4_2 {

-+  global:

-+    ldap_*;

-+    ldif_*;

-+  local:

-+    *;

-+};

-+++ openldap/libraries/libldap/Makefile.in	2012-04-01 17:29:50.982881601 +0200

-@@ -52,6 +52,9 @@

- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)

- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)

- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)

-+ifneq (,$(VERSION_OPTION))

-+  VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map

-+endif

- 

- apitest:	$(XLIBS) apitest.o

- 	$(LTLINK) -o $@ apitest.o $(LIBS)

-+++ openldap/libraries/libldap_r/Makefile.in	2012-04-01 17:29:50.971881369 +0200

-@@ -61,6 +61,9 @@

- XXXLIBS = $(LTHREAD_LIBS)

- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)

- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)

-+ifneq (,$(VERSION_OPTION))

-+  VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"

-+endif

- 

- .links : Makefile

- 	@for i in $(XXSRCS); do \

deleted file mode 100644

@@ -1,28 +0,0 @@

-From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001

-From: Ryan Tandy <ryan@nardis.ca>

-Date: Wed, 17 May 2017 20:07:39 -0700

-Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0

-

-Fixes a double free when a search includes the Paged Results control

-with a page size of 0 and the search base matches the filter.

- servers/slapd/back-mdb/search.c |    3 ++-

- 1 file changed, 2 insertions(+), 1 deletion(-)

-

-diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c

-index 301d1a4..43442aa 100644

-+++ b/servers/slapd/back-mdb/search.c

-@@ -1066,7 +1066,8 @@ notfound:

- 			/* check size limit */

- 			if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {

- 				if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {

--					mdb_entry_return( op, e );

-+					if (e != base)

-+						mdb_entry_return( op, e );

- 					e = NULL;

- 					send_paged_response( op, rs, &lastid, tentries );

- 					goto done;

-1.7.10.4

-

@@ -1,18 +1,17 @@

 %global _default_patch_fuzz 2

 Summary:	OpenLdap-2.4.43

 Name:		openldap

-Version:	2.4.44

-Release:	3%{?dist}

+Version:	2.4.46

+Release:	1%{?dist}

 License:	OpenLDAP

 URL:		http://cyrusimap.web.cmu.edu/

 Group:		System Environment/Security

 Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:	ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/%{name}-%{version}.tgz

-%define sha1 openldap=016a738d050a68d388602a74b5e991035cdba149

-Patch0:		openldap-2.4.44-consolidated-2.patch

-Patch1:     openldap-CVE-2017-9287.patch

-Patch2:		openldap-2.4.40-gssapi-1.patch

+%define sha1 openldap=a9ae2273eb9bdd70090dafe0d018a3132606bef6

+Patch0:         openldap-2.4.40-gssapi-1.patch

+Patch1:		openldap-2.4.44-consolidated-2.patch

 Requires:       openssl >= 1.0.1, cyrus-sasl >= 2.1

 BuildRequires:  cyrus-sasl >= 2.1

 BuildRequires:  openssl-devel >= 1.0.1

@@ -30,7 +29,6 @@ libraries, and documentation for OpenLDAP.

 %prep

 %setup -q

-%patch2 -p1

 %patch0 -p1

 %patch1 -p1

 %build

@@ -76,19 +74,21 @@ rm -rf %{buildroot}/*

 /etc/openldap/*

 %changelog

+*   Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.4.46-1

+-   Upgrade to 2.4.46

 *   Fri Oct 13 2017 Alexey Makhalov <amakhalov@vmware.com> 2.4.44-3

 -   Use standard configure macros

-*	Tue Jul 11 2017 Divya Thaluru <dthaluru@vmware.com> 2.4.44-2

--	Applied patch for CVE-2017-9287

-*	Sat Apr 15 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.44-1

--	Update to 2.4.44

-*       Wed Oct 05 2016 ChangLee <changlee@vmware.com> 2.4.43-3

--       Modified %check

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.43-2

--	GA - Bump release of all rpms

-* 	Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 2.4.43-1

-- 	Updated to version 2.4.43

-*	Fri Aug 14 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.40-2

--	Patches for CVE-2015-1545 and CVE-2015-1546.

-*	Wed Oct 08 2014 Divya Thaluru <dthaluru@vmware.com> 2.4.40-1

--	Initial build.	First version

+*   Tue Jul 11 2017 Divya Thaluru <dthaluru@vmware.com> 2.4.44-2

+-   Applied patch for CVE-2017-9287

+*   Sat Apr 15 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.44-1

+-   Update to 2.4.44

+*   Wed Oct 05 2016 ChangLee <changlee@vmware.com> 2.4.43-3

+-   Modified %check

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.43-2

+-   GA - Bump release of all rpms

+*   Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 2.4.43-1

+-   Updated to version 2.4.43

+*   Fri Aug 14 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.40-2

+-   Patches for CVE-2015-1545 and CVE-2015-1546.

+*   Wed Oct 08 2014 Divya Thaluru <dthaluru@vmware.com> 2.4.40-1

+-   Initial build.	First version

@@ -1,11 +1,11 @@

 Summary:        Open Source Security Compliance Solution

 Name:           openscap

-Version:        1.2.14

-Release:        3%{?dist}

+Version:        1.2.17

+Release:        1%{?dist}

 License:        GPL2+

 URL:            https://www.open-scap.org

 Source0:        https://github.com/OpenSCAP/openscap/releases/download/%{version}/openscap-%{version}.tar.gz

-%define sha1    openscap=6c2f4ff0bbbd6b80e6c99f15a2e0d052a1f9afe1

+%define sha1    openscap=588676a56b6adf389140d6fdbc6a6685ef06e7b3

 Group:          System Environment/Libraries

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -95,6 +95,8 @@ find %{buildroot} -name '*.la' -delete

 %{_libdir}/python2.7/*

 %changelog

+*   Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 1.2.17-1

+-   Update to 1.2.17

 *   Thu Aug 10 2017 Rongrong Qiu <rqiu@vmware.com> 1.2.14-3

 -   Disable make check which need per-XML-XPATH for bug 1900358

 *   Fri May 5 2017 Alexey Makhalov <amakhalov@vmware.com> 1.2.14-2

deleted file mode 100644

@@ -1,298 +0,0 @@

-From b7727ac11601d06e63fa67c8975994cfdbb7e62f Mon Sep 17 00:00:00 2001

-From: Alexey Makhalov <amakhalov@vmware.com>

-Date: Sat, 20 May 2017 05:19:04 +0000

-Subject: [PATCH] Configure FIPS

-

-New parameter: FipsMode yes/no

-

-As soon as FipsMode option parsed FIPS_mode_set(1) will be called.

-See Bug #1872327 for details.

- readconf.c    | 38 +++++++++++++++++++++++++++++++++++++-

- readconf.h    |  1 +

- servconf.c    | 34 +++++++++++++++++++++++++++++++++-

- servconf.h    |  1 +

- ssh_config    |  1 +

- ssh_config.0  |  4 ++++

- ssh_config.5  |  4 ++++

- sshd_config   |  2 ++

- sshd_config.0 |  4 ++++

- sshd_config.5 |  4 ++++

- 10 files changed, 91 insertions(+), 2 deletions(-)

-

-diff --git a/readconf.c b/readconf.c

-index 7f401d6..2c970e2 100644

-+++ b/readconf.c

-@@ -171,7 +171,8 @@ typedef enum {

- 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,

- 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,

- 	oPubkeyAcceptedKeyTypes, oProxyJump,

--	oIgnoredUnknownOption, oDeprecated, oUnsupported

-+	oIgnoredUnknownOption, oDeprecated, oUnsupported,

-+	oFipsMode

- } OpCodes;

- 

- /* Textual representations of the tokens. */

-@@ -291,6 +292,7 @@ static struct {

- 	{ "streamlocalbindunlink", oStreamLocalBindUnlink },

- 	{ "revokedhostkeys", oRevokedHostKeys },

- 	{ "fingerprinthash", oFingerprintHash },

-+	{ "fipsmode", oFipsMode },

- 	{ "updatehostkeys", oUpdateHostkeys },

- 	{ "hostbasedkeytypes", oHostbasedKeyTypes },

- 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },

-@@ -965,6 +967,35 @@ parse_time:

- 		intptr = &options->gss_deleg_creds;

- 		goto parse_flag;

- 

-+        case oFipsMode:

-+		if (options->ciphers != NULL || options->cipher != -1)

-+			fatal("%.200s line %d: FipsMode should be set before "

-+			    "Ciphers option", filename, linenum);

-+		intptr = &options->fips_mode;

-+		multistate_ptr = multistate_flag;

-+		arg = strdelim(&s);

-+		if (!arg || *arg == '\0')

-+			fatal("%s line %d: missing argument.",

-+			    filename, linenum);

-+		value = -1;

-+		for (i = 0; multistate_ptr[i].key != NULL; i++) {

-+			if (strcasecmp(arg, multistate_ptr[i].key) == 0) {

-+				value = multistate_ptr[i].value;

-+				break;

-+			}

-+		}

-+		if (value == -1)

-+			fatal("%s line %d: unsupported option \"%s\".",

-+			    filename, linenum, arg);

-+		if (*activep && *intptr == -1) {

-+			*intptr = value;

-+			/* Call FIPS_mode_set as soon as possible */

-+			if (*intptr == 1)

-+				if (!FIPS_mode_set(1))

-+					fatal("FIPS mode could not be set");

-+		}

-+		break;

-+

- 	case oBatchMode:

- 		intptr = &options->batch_mode;

- 		goto parse_flag;

-@@ -1857,6 +1888,7 @@ initialize_options(Options * options)

- 	options->update_hostkeys = -1;

- 	options->hostbased_key_types = NULL;

- 	options->pubkey_key_types = NULL;

-+	options->fips_mode = -1;

- }

- 

- /*

-@@ -2044,6 +2076,9 @@ fill_default_options(Options * options)

- 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;

- 	if (options->update_hostkeys == -1)

- 		options->update_hostkeys = 0;

-+        if (options->fips_mode == -1)

-+                options->fips_mode = 0;

-+

- 	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT

- 	        : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||

- 	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC

-@@ -2535,6 +2570,7 @@ dump_client_config(Options *o, const char *host)

- 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);

- 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);

- 	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);

-+	dump_cfg_fmtint(oFipsMode, o->fips_mode);

- 

- 	/* Integer options */

- 	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);

-diff --git a/readconf.h b/readconf.h

-index cef55f7..875931e 100644

-+++ b/readconf.h

-@@ -157,6 +157,7 @@ typedef struct {

- 	char	*revoked_host_keys;

- 

- 	int	 fingerprint_hash;

-+	int	 fips_mode;

- 

- 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */

- 

-diff --git a/servconf.c b/servconf.c

-index 4e5401c..107647a 100644

-+++ b/servconf.c

-@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)

- 	options->version_addendum = NULL;

- 	options->fingerprint_hash = -1;

- 	options->disable_forwarding = -1;

-+	options->fips_mode = -1;

- }

- 

- /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */

-@@ -336,6 +337,8 @@ fill_default_server_options(ServerOptions *options)

- 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;

- 	if (options->disable_forwarding == -1)

- 		options->disable_forwarding = 0;

-+	if (options->fips_mode == -1)

-+		options->fips_mode = 0;

- 

- 	assemble_algorithms(options);

- 

-@@ -421,7 +424,8 @@ typedef enum {

- 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,

- 	sStreamLocalBindMask, sStreamLocalBindUnlink,

- 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,

--	sDeprecated, sIgnore, sUnsupported

-+	sDeprecated, sIgnore, sUnsupported,

-+	sFipsMode

- } ServerOpCodes;

- 

- #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */

-@@ -564,6 +568,7 @@ static struct {

- 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },

- 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },

- 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },

-+	{ "fipsmode", sFipsMode, SSHCFG_GLOBAL },

- 	{ NULL, sBadOption, 0 }

- };

- 

-@@ -1839,6 +1844,32 @@ process_server_config_line(ServerOptions *options, char *line,

- 			options->fingerprint_hash = value;

- 		break;

- 

-+	case sFipsMode:

-+		if (options->ciphers != NULL)

-+			fatal("%.200s line %d: FipsMode should be set before "

-+			    "Ciphers option", filename, linenum);

-+		intptr = &options->fips_mode;

-+		arg = strdelim(&cp);

-+		if (!arg || *arg == '\0')

-+			fatal("%s line %d: missing yes/no argument.",

-+			    filename, linenum);

-+		value = 0;	/* silence compiler */

-+		if (strcmp(arg, "yes") == 0)

-+			value = 1;

-+		else if (strcmp(arg, "no") == 0)

-+			value = 0;

-+		else

-+			fatal("%s line %d: Bad yes/no argument: %s",

-+				filename, linenum, arg);

-+		if (*activep && *intptr == -1) {

-+			*intptr = value;

-+			/* Call FIPS_mode_set as soon as possible */

-+			if (*intptr == 1)

-+				if (!FIPS_mode_set(1))

-+					fatal("FIPS mode could not be set");

-+		}

-+		break;

-+

- 	case sDeprecated:

- 	case sIgnore:

- 	case sUnsupported:

-@@ -2280,6 +2311,7 @@ dump_config(ServerOptions *o)

- 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);

- 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);

- 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);

-+	dump_cfg_fmtint(sFipsMode, o->fips_mode);

- 

- 	/* string arguments */

- 	dump_cfg_string(sPidFile, o->pid_file);

-diff --git a/servconf.h b/servconf.h

-index 5853a97..a9ec1a2 100644

-+++ b/servconf.h

-@@ -189,6 +189,7 @@ typedef struct {

- 	char   *auth_methods[MAX_AUTH_METHODS];

- 

- 	int	fingerprint_hash;

-+	int fips_mode;

- }       ServerOptions;

- 

- /* Information about the incoming connection as used by Match */

-diff --git a/ssh_config b/ssh_config

-index 90fb63f..fd6ab39 100644

-+++ b/ssh_config

-@@ -37,6 +37,7 @@

- #   IdentityFile ~/.ssh/id_ecdsa

- #   IdentityFile ~/.ssh/id_ed25519

- #   Port 22

-+#   FipsMode no

- #   Protocol 2

- #   Cipher 3des

- #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

-diff --git a/ssh_config.0 b/ssh_config.0

-index 4ca9a5f..33ac338 100644

-+++ b/ssh_config.0

-@@ -362,6 +362,10 @@ DESCRIPTION

-              Specifies the hash algorithm used when displaying key

-              fingerprints.  Valid options are: md5 and sha256 (the default).

- 

-+     FipsMode

-+             Enables or disables FIPS mode. Requires FIPS capable ssl modules.

-+             The default is no.

-+

-      ForwardAgent

-              Specifies whether the connection to the authentication agent (if

-              any) will be forwarded to the remote machine.  The argument must

-diff --git a/ssh_config.5 b/ssh_config.5

-index 591365f..df46e0d 100644

-+++ b/ssh_config.5

-@@ -658,6 +658,10 @@ Valid options are:

- and

- .Cm sha256

- (the default).

-+.It Cm FipsMode

-+Enables or disables FIPS mode. Requires FIPS capable ssl modules.

-+The default is

-+.Cm no .

- .It Cm ForwardAgent

- Specifies whether the connection to the authentication agent (if any)

- will be forwarded to the remote machine.

-diff --git a/sshd_config b/sshd_config

-index 9f09e4a..1a0d68a 100644

-+++ b/sshd_config

-@@ -105,6 +105,8 @@ AuthorizedKeysFile	.ssh/authorized_keys

- #ChrootDirectory none

- #VersionAddendum none

- 

-+#FipsMode no

-+

- # no default banner path

- #Banner none

- 

-diff --git a/sshd_config.0 b/sshd_config.0

-index 022c052..af813b2 100644

-+++ b/sshd_config.0

-@@ -331,6 +331,10 @@ DESCRIPTION

-              Specifies the hash algorithm used when logging key fingerprints.

-              Valid options are: md5 and sha256.  The default is sha256.

- 

-+     FipsMode

-+             Enables or disables FIPS mode. Requires FIPS capable ssl modules.

-+             The default is no.

-+

-      ForceCommand

-              Forces the execution of the command specified by ForceCommand,

-              ignoring any command supplied by the client and ~/.ssh/rc if

-diff --git a/sshd_config.5 b/sshd_config.5

-index 32b29d2..c618359 100644

-+++ b/sshd_config.5

-@@ -578,6 +578,10 @@ and

- .Cm sha256 .

- The default is

- .Cm sha256 .

-+.It Cm FipsMode

-+Enables or disables FIPS mode. Requires FIPS capable ssl modules.

-+The default is

-+.Cm no .

- .It Cm ForceCommand

- Forces the execution of the command specified by

- .Cm ForceCommand ,

-2.8.1

-

deleted file mode 100644

@@ -1,441 +0,0 @@

-diff -rup openssh-7.5p1/cipher.c openssh-7.5p1-new/cipher.c

-+++ openssh-7.5p1-new/cipher.c	2017-11-14 16:04:07.735036305 -0800

-@@ -136,6 +136,26 @@ static const struct sshcipher ciphers[]

- 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }

- };

- 

-+static const struct sshcipher fips_ciphers[] = {

-+	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },

-+	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },

-+	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },

-+	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },

-+	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },

-+	{ "rijndael-cbc@lysator.liu.se",

-+			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },

-+	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },

-+	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },

-+	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },

-+# ifdef OPENSSL_HAVE_EVPGCM

-+	{ "aes128-gcm@openssh.com",

-+			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },

-+	{ "aes256-gcm@openssh.com",

-+			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },

-+# endif /* OPENSSL_HAVE_EVPGCM */

-+	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }

-+};

-+

- /*--*/

- 

- /* Returns a comma-separated list of supported ciphers. */

-@@ -146,7 +166,7 @@ cipher_alg_list(char sep, int auth_only)

- 	size_t nlen, rlen = 0;

- 	const struct sshcipher *c;

- 

--	for (c = ciphers; c->name != NULL; c++) {

-+	for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {

- 		if (c->number != SSH_CIPHER_SSH2)

- 			continue;

- 		if (auth_only && c->auth_len == 0)

-@@ -242,7 +262,7 @@ const struct sshcipher *

- cipher_by_name(const char *name)

- {