Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL:
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)

Hi,

CVE-2015-3276 appears to be unfixed in 2.4.44, and from several attempts at finding the bug reported in your mailing list archive I came up empty. So ... The best I've found from this CVE is RedHat's bugzilla entry at

https://bugzilla.redhat.com/show_bug.cgi?id=1238322

which contains a (suggested) patch.

Summarized:

The openldap (for NSS) emulation of the openssl cipherstring parsing code incorrectly implements the multi-keyword mode. As a consequence anyone using a combination like:

ECDH+SHA

will not get the expected set of ciphers [...]

(I'm somewhat dismayed that this was apparently not reported upstream earlier...)

Best regards,

- Håvard
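The multi-keyword mode the report summarizes is OpenSSL's cipher-string rule that `+` joins keywords as a logical AND (a cipher must satisfy every keyword in the entry), whereas `:` separates entries whose matches are accumulated. The following Python model is an added example for this ITS entry and is not OpenLDAP, NSS or OpenSSL code; its cipher table and keyword sets are constructed by hand to mirror OpenSSL naming (with `SHA` as the alias of `SHA1`), and the `!`, `-`, leading-`+` and `@STRENGTH` modifiers are deliberately not modelled. `check_multi_keyword` is the check an administrator would want: given the list a library actually selected for a spec, it flags any cipher that does not satisfy all keywords of at least one entry.

```python
"""Model of OpenSSL-style cipher-string selection, focused on the
multi-keyword ('+') mode. Constructed example; not library code."""

# Constructed table: cipher name -> keywords it satisfies. The property
# sets are an assumption for illustration; a real implementation takes
# them from the TLS library's cipher metadata.
CIPHERS = {
    "ECDHE-RSA-AES128-SHA":        {"ECDH", "RSA", "AES", "AES128", "SHA", "SHA1"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDH", "RSA", "AES", "AES128", "AESGCM", "AEAD"},
    "ECDHE-ECDSA-AES256-SHA":      {"ECDH", "ECDSA", "AES", "AES256", "SHA", "SHA1"},
    "DHE-RSA-AES256-SHA":          {"DH", "RSA", "AES", "AES256", "SHA", "SHA1"},
    "AES128-SHA":                  {"RSA", "AES", "AES128", "SHA", "SHA1"},
    "DES-CBC3-SHA":                {"RSA", "3DES", "SHA", "SHA1"},
}


def parse_cipher_string(spec):
    """Split a cipher string into entries. Each entry is a tuple of the
    '+'-joined keywords that must ALL hold for a cipher to match it.
    Modifiers ('!', '-', leading '+', '@STRENGTH') are not handled here."""
    entries = []
    for entry in spec.split(":"):
        keywords = tuple(k for k in entry.strip().split("+") if k)
        if keywords:
            entries.append(keywords)
    return entries


def cipher_matches_entry(props, keywords):
    """Multi-keyword mode: every keyword of the entry must be satisfied."""
    return all(k in props for k in keywords)


def select_ciphers(spec, table=CIPHERS):
    """Return the ordered, de-duplicated list of ciphers selected by spec.
    ':' entries accumulate matches; '+' inside an entry is an AND."""
    selected = []
    for keywords in parse_cipher_string(spec):
        for name, props in table.items():
            if cipher_matches_entry(props, keywords) and name not in selected:
                selected.append(name)
    return selected


def check_multi_keyword(spec, selected, table=CIPHERS):
    """Validate a selection reported by some library against spec: return
    the ciphers that satisfy none of the entries completely. An empty list
    means the multi-keyword mode was honoured for this spec."""
    entries = parse_cipher_string(spec)
    offending = []
    for name in selected:
        props = table.get(name, set())
        if not any(cipher_matches_entry(props, kws) for kws in entries):
            offending.append(name)
    return offending


if __name__ == "__main__":
    correct = select_ciphers("ECDH+SHA")
    print("ECDH+SHA  ->", correct)
    # A selection that ignored the AND and widened to either keyword
    # would be caught by the check (hypothetical wide selection).
    wide = select_ciphers("ECDH:SHA")
    print("ECDH:SHA  ->", wide)
    print("not satisfying ECDH+SHA:", check_multi_keyword("ECDH+SHA", wide))
```

Running the block prints the two-cipher result for `ECDH+SHA` next to the six-cipher result for `ECDH:SHA`, and the check names the four ciphers that lack either ECDH key exchange or a SHA1 MAC. To apply the check to a real library, build `table` from that library's per-cipher metadata and pass its reported selection as `selected`.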
he@NetBSD.org wrote:
> Full_Name: Havard Eidnes
> Version: 2.4.44
> OS: NetBSD
> URL:
> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>
>
> Hi,
>
> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
> attempts at finding the bug reported in your mailing list archive
> I came up empty. So ... The best I've found from this CVE is
> RedHat's bugzilla entry at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>
> which contains a (suggested) patch.

We can integrate a suggested fix if the patch author submits their patch to our ITS directly. Due to IPR concerns we don't accept or act on 3rd party patch submissions.

> Summarized:
>
> The openldap (for NSS) emulation of the openssl cipherstring parsing code
> incorrectly implements the multi-keyword mode.
> As a consequence anyone using a combination like:
>
> ECDH+SHA
>
> will not get the expected set of ciphers [...]
>
> (I'm somewhat dismayed that this was apparently not reported upstream
> earlier...)
>
> Best regards,
>
> - Håvard

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
--On Tuesday, December 13, 2016 10:44 AM +0000 hyc@symas.com wrote:

> he@NetBSD.org wrote:
>> Full_Name: Havard Eidnes
>> Version: 2.4.44
>> OS: NetBSD
>> URL:
>> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>>
>>
>> Hi,
>>
>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
>> attempts at finding the bug reported in your mailing list archive
>> I came up empty. So ... The best I've found from this CVE is
>> RedHat's bugzilla entry at
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>>
>> which contains a (suggested) patch.
>
> We can integrate a suggested fix if the patch author submits their patch
> to our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
> patch submissions.

I would also note that MozNSS is not an officially supported TLS library for OpenLDAP, and the hack that was added for 2.4 will be removed in the future (likely OpenLDAP 2.5 and later). End administrators should generally avoid MozNSS entirely.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
>> attempts at finding the bug reported in your mailing list archive
>> I came up empty. So ... The best I've found from this CVE is
>> RedHat's bugzilla entry at
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>>
>> which contains a (suggested) patch.
>
> We can integrate a suggested fix if the patch author submits their
> patch to our ITS directly. Due to IPR concerns we don't accept or act
> on 3rd party patch submissions.

Hm, ok. I've submitted an update to the above bug entry petitioning for them to release the fix. We'll see if they act on it.

Regards,

- Håvard
moved from Incoming to Software Bugs
MozNSS deprecated for 2.4, being removed for 2.5