diff -Nru openldap-2.4.42+dfsg/debian/changelog openldap-2.4.42+dfsg/debian/changelog
--- openldap-2.4.42+dfsg/debian/changelog 2020-11-16 13:41:27.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/changelog 2021-02-02 16:51:22.000000000 +0000
@@ -1,3 +1,55 @@
+openldap (2.4.42+dfsg-2ubuntu3.12) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: integer underflow in Certificate Exact Assertion
+ processing
+ - debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck
+ in servers/slapd/schema_init.c.
+ - debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck
+ in servers/slapd/schema_init.c.
+ - CVE-2020-36221
+ * SECURITY UPDATE: assert failure in saslAuthzTo validation
+ - debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in
+ servers/slapd/saslauthz.c.
+ - debian/patches/CVE-2020-36222-2.patch: fix debug msg in
+ servers/slapd/saslauthz.c.
+ - CVE-2020-36222
+ * SECURITY UPDATE: crash in Values Return Filter control handling
+ - debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in
+ servers/slapd/controls.c.
+ - CVE-2020-36223
+ * SECURITY UPDATE: DoS in saslAuthzTo processing
+ - debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN
+ in servers/slapd/saslauthz.c.
+ - debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev
+ commit in servers/slapd/saslauthz.c.
+ - CVE-2020-36224
+ * SECURITY UPDATE: DoS in saslAuthzTo processing
+ - debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in
+ servers/slapd/dn.c.
+ - CVE-2020-36225
+ * SECURITY UPDATE: DoS in saslAuthzTo processing
+ - debian/patches/CVE-2020-36226.patch: fix slap_parse_user in
+ servers/slapd/saslauthz.c.
+ - CVE-2020-36226
+ * SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
+ - debian/patches/CVE-2020-36227.patch: fix cancel exop in
+ servers/slapd/cancel.c.
+ - CVE-2020-36227
+ * SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
+ - debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in
+ servers/slapd/schema_init.c.
+ - CVE-2020-36228
+ * SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
+ - debian/patches/CVE-2020-36229.patch: add more checks to
+ ldap_X509dn2bv in libraries/libldap/tls2.c.
+ - CVE-2020-36229
+ * SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
+ - debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN
+ count in libraries/libldap/tls2.c.
+ - CVE-2020-36230
+
+ -- Marc Deslauriers Tue, 02 Feb 2021 11:51:22 -0500
+
 openldap (2.4.42+dfsg-2ubuntu3.11) xenial-security; urgency=medium

 * SECURITY UPDATE: assertion failure in Certificate List syntax
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-1.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-1.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-1.patch 2021-02-02 16:50:16.000000000 +0000
@@ -0,0 +1,53 @@
+From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 23 Nov 2020 17:14:00 +0000
+Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck
+
+Tighten validity checks
+---
+ servers/slapd/schema_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3189,7 +3189,7 @@ serialNumberAndIssuerCheck(
+
+ if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ /* Parse old format */
+ is->bv_val = ber_bvchr( in, '$' );
+ if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
+@@ -3220,7 +3220,7 @@ serialNumberAndIssuerCheck(
+ HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
+ } have = HAVE_NONE;
+
+- int numdquotes = 0;
++ int numdquotes = 0, gotquote;
+ struct berval x = *in;
+ struct berval ni;
+ x.bv_val++;
+@@ -3262,11 +3262,12 @@ serialNumberAndIssuerCheck(
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
+
+- for ( ; is->bv_len < x.bv_len; ) {
++ for ( gotquote=0; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
+ continue;
+ }
++ gotquote = 1;
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
+ /* double dquote */
+ numdquotes++;
+@@ -3275,6 +3276,8 @@ serialNumberAndIssuerCheck(
+ }
+ break;
+ }
++ if ( !gotquote ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += is->bv_len + 1;
+ x.bv_len -= is->bv_len + 1;
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-2.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-2.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36221-2.patch 2021-02-02 16:50:21.000000000 +0000
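Review bot: In the quote-scanning loop of serialNumberAndIssuerCheck (CVE-2020-36221-1.patch, third inner hunk), `gotquote = 1;` is set before the doubled-quote test, so it records that some quote was seen rather than that the terminating quote was found. If the scan consumes a `""` pair and then reaches the end of `x` without a closing quote, the new `if ( !gotquote )` guard passes and `x.bv_len -= is->bv_len + 1;` still subtracts more than remains, which looks like the same length wrap the patch is meant to stop (assuming `bv_len` is an unsigned length). Moving the assignment to sit directly before the `break;` would make the flag mean "closing quote found". The loop and the rest of the function lie outside the visible hunks, so this should be confirmed against the full source.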
@@ -0,0 +1,20 @@
+From 58c1748e81c843c5b6e61648d2a4d1d82b47e842 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2020 19:03:27 +0000
+Subject: [PATCH] ITS#9424 fix serialNumberAndIssuerSerialCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -4289,7 +4289,7 @@ serialNumberAndIssuerSerialCheck(
+ if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+ /* no old format */
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+
+ x.bv_val++;
+ x.bv_len -= 2;
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-1.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-1.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-1.patch 2021-02-02 16:50:26.000000000 +0000
@@ -0,0 +1,69 @@
+From 6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 27 Nov 2020 14:37:10 +0000
+Subject: [PATCH] ITS#9406, #9407 remove saslauthz asserts
+
+---
+ servers/slapd/saslauthz.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e05f3f9cf6..2e59eb5598 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ if ( !BER_BVISNULL( mech ) ) {
+- assert( mech->bv_val == id->bv_val + 2 );
++ if ( mech->bv_val != id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
+ mech->bv_val -= 2;
+ }
+
+ if ( !BER_BVISNULL( realm ) ) {
+- assert( realm->bv_val >= id->bv_val + 2 );
++ if ( realm->bv_val < id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
+ realm->bv_val -= 2;
+@@ -449,9 +451,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+- ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+- rc = dnValidate( NULL, &bv );
++ if ( ludp->lud_dn != NULL ) {
++ ber_str2bv( ludp->lud_dn, 0, 0, &bv );
++ rc = dnValidate( NULL, &bv );
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ }
+
+ done:
+ ldap_free_urldesc( ludp );
+@@ -813,7 +818,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+ if ( ludp->lud_dn ) {
+ struct berval out = BER_BVNULL;
+
+@@ -831,6 +835,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ ludp->lud_dn = out.bv_val;
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ goto done;
+ }
+
+ ludp->lud_port = 0;
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-2.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-2.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36222-2.patch 2021-02-02 16:50:30.000000000 +0000
@@ -0,0 +1,33 @@
+From 02dfc32d658fadc25e4040f78e36592f6e1e1ca0 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 27 Nov 2020 14:48:26 +0000
+Subject: [PATCH] ITS#9406 fix debug msg
+
+---
+ servers/slapd/saslauthz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 2e59eb5598..982fe3120d 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -488,6 +488,7 @@ authzPrettyNormal(
+
+ assert( val != NULL );
+ assert( !BER_BVISNULL( val ) );
++ BER_BVZERO( normalized );
+
+ /*
+ * 2) dn[.{exact|children|subtree|onelevel}]:{*|}
+@@ -906,7 +907,7 @@ authzPretty(
+ rc = authzPrettyNormal( val, out, ctx, 0 );
+
+ Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
+- out->bv_val, rc, 0 );
++ out->bv_val ? out->bv_val : "(null)" , rc, 0 );
+
+ return rc;
+ }
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36223.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36223.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36223.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36223.patch 2021-02-02 16:50:39.000000000 +0000
@@ -0,0 +1,23 @@
+From 21981053a1195ae1555e23df4d9ac68d34ede9dd Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Sat, 28 Nov 2020 15:54:17 +0000
+Subject: [PATCH] ITS#9408 fix vrfilter double-free
+
+---
+ servers/slapd/controls.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/servers/slapd/controls.c
++++ b/servers/slapd/controls.c
+@@ -1577,7 +1577,10 @@ static int parseValuesReturnFilter (
+ } else {
+ send_ldap_result( op, rs );
+ }
+- if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
++ if( op->o_vrFilter != NULL) {
++ vrFilter_free( op, op->o_vrFilter );
++ op->o_vrFilter = NULL;
++ }
+ }
+ #ifdef LDAP_DEBUG
+ else {
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-1.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-1.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-1.patch 2021-02-02 16:50:43.000000000 +0000
@@ -0,0 +1,25 @@
+From c0b61a9486508e5202aa2e0cfb68c9813731b439 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 30 Nov 2020 11:45:46 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use ch_free on normalized DN
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 982fe3120d..cc5a292de7 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ber_memfree( ludp->lud_dn );
++ ch_free( ludp->lud_dn );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-2.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-2.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36224-2.patch 2021-02-02 16:50:49.000000000 +0000
@@ -0,0 +1,25 @@
+From 554dff1927176579d652f2fe60c90e9abbad4c65 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 30 Nov 2020 16:20:18 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use slap_sl_free in prev commit
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index cc5a292de7..4a9420b37c 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ch_free( ludp->lud_dn );
++ slap_sl_free( ludp->lud_dn, ctx );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36225.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36225.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36225.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36225.patch 2021-02-02 16:50:56.000000000 +0000
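Review bot: The free under `done:` in CVE-2020-36224-2.patch has now changed allocator twice (`ber_memfree`, then `ch_free` in CVE-2020-36224-1.patch, now `slap_sl_free( ludp->lud_dn, ctx )`), and nothing at the call site says which allocation it has to pair with. A one-line comment would keep the pairing from regressing, for example `/* lud_dn was replaced by the ctx-allocated normalized DN; release it with the same allocator */`. The routine that allocates the replacement is outside the hunk, so the wording should be checked against the normalization call earlier in the function.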
@@ -0,0 +1,42 @@
+From 5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Tue, 1 Dec 2020 18:32:35 +0000
+Subject: [PATCH] ITS#9412 fix AVA_Sort on invalid RDN
+
+---
+ servers/slapd/dn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 06698b089e..7a095ba9e9 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ {
+ LDAPAVA *ava_i;
+ int i;
++ int rc = LDAP_SUCCESS;
+
+ assert( rdn != NULL );
+
+@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ /* RFC4512 does not allow multiple AVAs
+ * with the same attribute type in RDN (ITS#5968) */
+ if ( a == 0 )
+- return LDAP_INVALID_DN_SYNTAX;
++ rc = LDAP_INVALID_DN_SYNTAX;
+
+ if ( a > 0 )
+ break;
+@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ }
+ rdn[ j+1 ] = ava_i;
+ }
+- return LDAP_SUCCESS;
++ return rc;
+ }
+
+ static int
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36226.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36226.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36226.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36226.patch 2021-02-02 16:51:01.000000000 +0000
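Review bot: AVA_Sort in CVE-2020-36225.patch now records `LDAP_INVALID_DN_SYNTAX` in `rc` and keeps sorting instead of returning, but the second inner hunk leaves no comment explaining why the early return was unsafe. Something like `/* remember the error but finish the insertion so rdn[] is left as a complete array for the caller */` above `rc = LDAP_INVALID_DN_SYNTAX;` would stop a later cleanup from restoring the `return`. The element-shifting part of the loop is outside the hunk, so that rationale is inferred from `rdn[ j+1 ] = ava_i;` and should be confirmed.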
@@ -0,0 +1,38 @@
+From d169e7958a3e0dc70f59c8374bf8a59833b7bdd8 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Tue, 1 Dec 2020 19:03:24 +0000
+Subject: [PATCH] ITS#9413 fix slap_parse_user
+
+---
+ servers/slapd/saslauthz.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 4a9420b37c..b17f34a211 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ user->bv_val++;
+ user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
+
+- mech->bv_val = ber_bvchr( id, '.' );
+- if ( !BER_BVISNULL( mech ) ) {
+- mech->bv_val[ 0 ] = '\0';
+- mech->bv_val++;
++ if ( id->bv_val[1] == '.' ) {
++ id->bv_val[1] = '\0';
++ mech->bv_val = id->bv_val + 2;
+ mech->bv_len = user->bv_val - mech->bv_val - 1;
+
+ realm->bv_val = ber_bvchr( mech, '/' );
+@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ } else {
++ BER_BVZERO( mech );
+ BER_BVZERO( realm );
+ }
+
+--
+GitLab
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36227.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36227.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36227.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36227.patch 2021-02-02 16:51:05.000000000 +0000
@@ -0,0 +1,23 @@
+From 9d0e8485f3113505743baabf1167e01e4558ccf5 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Sun, 20 Dec 2020 21:31:15 +0000
+Subject: [PATCH] ITS#9428 fix cancel exop
+
+---
+ servers/slapd/cancel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/servers/slapd/cancel.c
++++ b/servers/slapd/cancel.c
+@@ -64,6 +64,11 @@ int cancel_extop( Operation *op, SlapRep
+ return LDAP_PROTOCOL_ERROR;
+ }
+
++ if ( opid == op->o_msgid ) {
++ op->o_cancel = SLAP_CANCEL_DONE;
++ return LDAP_SUCCESS;
++ }
++
+ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+
+ if ( op->o_abandon ) {
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36228.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36228.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36228.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36228.patch 2021-02-02 16:51:09.000000000 +0000
@@ -0,0 +1,20 @@
+From 91dccd25c347733b365adc74cb07d074512ed5ad Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 16 Dec 2020 18:52:42 +0000
+Subject: [PATCH] ITS#9427 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3799,7 +3799,7 @@ issuerAndThisUpdateCheck(
+
+ if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
+
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36229.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36229.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36229.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36229.patch 2021-02-02 16:51:17.000000000 +0000
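Review bot: The early return added to cancel_extop in CVE-2020-36227.patch carries no comment saying that `opid == op->o_msgid` means the Cancel request names itself, which per the changelog is the case that used to loop forever. I would add `/* Cancel targets this very exop; there is no other operation to wait for */` above the test. It is also worth confirming that `LDAP_SUCCESS` is the intended result for a request that cancelled nothing, rather than an error such as `LDAP_CANNOT_CANCEL`. The rest of the function is outside the hunk.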
@@ -0,0 +1,40 @@
+From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 14 Dec 2020 20:05:44 +0000
+Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
+
+---
+ libraries/libldap/tls2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1216,6 +1216,8 @@ ldap_X509dn2bv( void *x509_name, struct
+ for ( tag = ber_first_element( ber, &len, &rdn_end );
+ tag == LBER_SEQUENCE;
+ tag = ber_next_element( ber, &len, rdn_end )) {
++ if ( rdn_end > dn_end )
++ return LDAP_DECODING_ERROR;
+ tag = ber_skip_tag( ber, &len );
+ ber_skip_data( ber, len );
+ navas++;
+@@ -1225,7 +1227,7 @@ ldap_X509dn2bv( void *x509_name, struct
+ /* Rewind and prepare to extract */
+ ber_rewind( ber );
+ tag = ber_first_element( ber, &len, &dn_end );
+- if ( tag == LBER_DEFAULT )
++ if ( tag != LBER_SET )
+ return LDAP_DECODING_ERROR;
+
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+@@ -1338,6 +1340,10 @@ allocd:
+ /* X.690 bitString value converted to RFC4517 Bit String */
+ rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
+ goto allocd;
++ case LBER_DEFAULT:
++ /* decode error */
++ rc = LDAP_DECODING_ERROR;
++ goto nomem;
+ default:
+ /* Not a string type at all */
+ newAVA->la_flags = 0;
diff -Nru openldap-2.4.42+dfsg/debian/patches/CVE-2020-36230.patch openldap-2.4.42+dfsg/debian/patches/CVE-2020-36230.patch
--- openldap-2.4.42+dfsg/debian/patches/CVE-2020-36230.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/CVE-2020-36230.patch 2021-02-02 16:51:13.000000000 +0000
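Review bot: In the AVA-counting loop of ldap_X509dn2bv (first inner hunk of CVE-2020-36229.patch) the result of `tag = ber_skip_tag( ber, &len );` is still discarded, because the loop header overwrites `tag` on the next iteration; a failed skip is therefore counted in `navas` and, presumably, only rejected later in the extraction pass by the new `case LBER_DEFAULT:`. Rejecting it where it happens would be `if ( tag == LBER_DEFAULT ) return LDAP_DECODING_ERROR;` right after the call, mirroring the `rdn_end > dn_end` return added two lines above it. Separately, the decode-error case jumps to a label named `nomem`; a short comment there that the label is the shared cleanup path would avoid misreading it as an allocation failure. The function body extends beyond the hunks shown.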
@@ -0,0 +1,43 @@
+From 8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Sun, 13 Dec 2020 21:48:45 +0000
+Subject: [PATCH] ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN
+ count
+
+---
+ libraries/libldap/tls2.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1222,6 +1222,12 @@ ldap_X509dn2bv( void *x509_name, struct
+ }
+ }
+
++ /* Rewind and prepare to extract */
++ ber_rewind( ber );
++ tag = ber_first_element( ber, &len, &dn_end );
++ if ( tag == LBER_DEFAULT )
++ return LDAP_DECODING_ERROR;
++
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+ dnsize = sizeof(LDAPRDN) * (nrdns+1);
+ dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
+@@ -1233,16 +1239,12 @@ ldap_X509dn2bv( void *x509_name, struct
+ } else {
+ newDN = (LDAPDN)(char *)ptrs;
+ }
+-
++
+ newDN[nrdns] = NULL;
+ newRDN = (LDAPRDN)(newDN + nrdns+1);
+ newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
+ baseAVA = newAVA;
+
+- /* Rewind and start extracting */
+- ber_rewind( ber );
+-
+- tag = ber_first_element( ber, &len, &dn_end );
+ for ( i = nrdns - 1; i >= 0; i-- ) {
+ newDN[i] = newRDN;
+
diff -Nru openldap-2.4.42+dfsg/debian/patches/series openldap-2.4.42+dfsg/debian/patches/series
--- openldap-2.4.42+dfsg/debian/patches/series 2020-11-16 13:41:22.000000000 +0000
+++ openldap-2.4.42+dfsg/debian/patches/series 2021-02-02 16:51:17.000000000 +0000
@@ -42,3 +42,16 @@
 CVE-2020-25692.patch
 CVE-2020-25709.patch
 CVE-2020-25710.patch
+CVE-2020-36221-1.patch
+CVE-2020-36221-2.patch
+CVE-2020-36222-1.patch
+CVE-2020-36222-2.patch
+CVE-2020-36223.patch
+CVE-2020-36224-1.patch
+CVE-2020-36224-2.patch
+CVE-2020-36225.patch
+CVE-2020-36226.patch
+CVE-2020-36227.patch
+CVE-2020-36228.patch
+CVE-2020-36230.patch
+CVE-2020-36229.patch