OpenLDAP
Viewing Software Bugs/8543
Date: Tue, 13 Dec 2016 10:18:17 +0000
From: he@NetBSD.org
To: openldap-its@OpenLDAP.org
Subject: CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL: 
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)


Hi,

CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
attempts at finding the bug reported in your mailing list archive
I came up empty.  So ...  The best I've found from this CVE is
RedHat's bugzilla entry at

https://bugzilla.redhat.com/show_bug.cgi?id=1238322

which contains a (suggested) patch.

Summarized:

   The openldap (for NSS) emulation of the openssl cipherstring parsing code
   incorrectly implements the multi-keyword mode.
   As a consequence anyone using a combination like:

      ECDH+SHA

   will not get the expected set of ciphers [...]

(I'm somewhat dismayed that this was apparently not reported upstream
earlier...)

Best regards,

- Håvard
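
To make the point of the report concrete: in OpenSSL cipher-string syntax, joining keywords with "+" selects only the suites that match every keyword (a logical AND), so "ECDH+SHA" should name a narrow set, and a parser that gives "+" any other meaning silently produces a different list than the administrator configured. The Python model below is an added example, not code from this ITS report, from OpenLDAP or from NSS; the cipher table and its keyword tags are constructed for illustration, and the handling of ":", "!", "-" and "+" follows the openssl ciphers(1) description. It puts the correct AND reading next to a deliberately wrong OR reading and adds a check that a configured string expands to exactly the intended suites.

```python
"""Toy model of OpenSSL cipher-string syntax, focused on the '+' operator.

Added illustration for the ITS thread above; this is not OpenLDAP's or
NSS's code, and the cipher table is a constructed subset with
simplified keyword tags.
"""
from typing import Dict, FrozenSet, List, Set

# Constructed toy cipher table: suite name -> keywords it matches.
# Keyword names mimic OpenSSL aliases (ECDH, DH, kRSA, SHA, ...), but the
# table itself is illustrative, not the real OpenSSL or NSS suite list.
CIPHERS: Dict[str, FrozenSet[str]] = {
    "ECDHE-RSA-AES128-SHA":      frozenset({"ECDH", "RSA", "AES", "AES128", "SHA"}),
    "ECDHE-RSA-AES256-SHA384":   frozenset({"ECDH", "RSA", "AES", "AES256", "SHA384"}),
    "ECDHE-ECDSA-AES128-SHA256": frozenset({"ECDH", "ECDSA", "AES", "AES128", "SHA256"}),
    "DHE-RSA-AES128-SHA":        frozenset({"DH", "RSA", "AES", "AES128", "SHA"}),
    "AES128-SHA":                frozenset({"kRSA", "RSA", "AES", "AES128", "SHA"}),
    "RC4-SHA":                   frozenset({"kRSA", "RSA", "RC4", "SHA"}),
}


def match_keyword(keyword: str) -> Set[str]:
    """Suites matching a single keyword (a suite name also matches itself)."""
    return {name for name, tags in CIPHERS.items()
            if keyword in tags or keyword == name}


def match_multi(spec: str) -> Set[str]:
    """OpenSSL semantics: 'A+B' selects suites matching A AND B."""
    parts = spec.split("+")
    result = match_keyword(parts[0])
    for keyword in parts[1:]:
        result &= match_keyword(keyword)
    return result


def match_multi_as_union(spec: str) -> Set[str]:
    """Deliberately wrong reading of '+' as OR, kept only for comparison."""
    result: Set[str] = set()
    for keyword in spec.split("+"):
        result |= match_keyword(keyword)
    return result


def expand_cipher_string(cipher_string: str) -> List[str]:
    """Expand a ':'-separated cipher string into an ordered suite list.

    Handles plain and 'A+B' items, '-' (remove, may be re-added later) and
    '!' (remove permanently). A leading '+' (move to end) and '@STRENGTH'
    are omitted from this toy model.
    """
    selected: List[str] = []
    killed: Set[str] = set()
    for item in cipher_string.split(":"):
        if not item:
            continue
        op = item[0] if item[0] in "!-" else ""
        matched = match_multi(item[len(op):])
        if op == "!":
            killed |= matched
        if op:
            selected = [c for c in selected if c not in matched]
            continue
        # Plain item: append newly matched suites in table order.
        for name in CIPHERS:
            if name in matched and name not in killed and name not in selected:
                selected.append(name)
    return selected


def cipher_string_is_as_expected(cipher_string: str, expected: Set[str]) -> bool:
    """Check that a configured cipher string yields exactly the intended set."""
    return set(expand_cipher_string(cipher_string)) == expected


if __name__ == "__main__":
    print("ECDH+SHA (AND):", sorted(match_multi("ECDH+SHA")))
    print("ECDH+SHA read as OR:", sorted(match_multi_as_union("ECDH+SHA")))
    print("ECDH+AES:-ECDSA:ECDSA ->", expand_cipher_string("ECDH+AES:-ECDSA:ECDSA"))
```

In this toy table "ECDH+SHA" read as AND selects a single suite, while the OR reading selects every suite in the table, which is the kind of gap a cipher-string check such as cipher_string_is_as_expected() is meant to catch before a configuration goes live; against a real library the same check would be run over the suites the library actually reports for the configured string.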

Followup 1

Subject: Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
To: he@NetBSD.org, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Tue, 13 Dec 2016 10:44:11 +0000
he@NetBSD.org wrote:
> Full_Name: Havard Eidnes
> Version: 2.4.44
> OS: NetBSD
> URL:
> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>
>
> Hi,
>
> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
> attempts at finding the bug reported in your mailing list archive
> I came up empty.  So ...  The best I've found from this CVE is
> RedHat's bugzilla entry at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>
> which contains a (suggested) patch.

We can integrate a suggested fix if the patch author submits their patch to
our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
patch submissions.
>
> Summarized:
>
>    The openldap (for NSS) emulation of the openssl cipherstring parsing code
>    incorrectly implements the multi-keyword mode.
>    As a consequence anyone using a combination like:
>
>       ECDH+SHA
>
>    will not get the expected set of ciphers [...]
>
> (I'm somewhat dismayed that this was apparently not reported upstream
> earlier...)
>
> Best regards,
>
> - Håvard
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Tue, 13 Dec 2016 13:26:31 -0800
From: Quanah Gibson-Mount <quanah@symas.com>
To: openldap-its@OpenLDAP.org, he@NetBSD.org
Subject: Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
--On Tuesday, December 13, 2016 10:44 AM +0000 hyc@symas.com wrote:

> he@NetBSD.org wrote:
>> Full_Name: Havard Eidnes
>> Version: 2.4.44
>> OS: NetBSD
>> URL:
>> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>>
>>
>> Hi,
>>
>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
>> attempts at finding the bug reported in your mailing list archive
>> I came up empty.  So ...  The best I've found from this CVE is
>> RedHat's bugzilla entry at
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>>
>> which contains a (suggested) patch.
>
> We can integrate a suggested fix if the patch author submits their patch to
> our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
> patch submissions.

I would also note that MozNSS is not an officially supported TLS library 
for OpenLDAP, and the hack that was added for 2.4 will be removed in the 
future (likely OpenLDAP 2.5 and later).  End administrators should 
generally avoid MozNSS entirely.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>




Followup 3

Date: Wed, 14 Dec 2016 13:45:09 +0100 (CET)
To: hyc@symas.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
From: Havard Eidnes <he@NetBSD.org>
>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
>> attempts at finding the bug reported in your mailing list archive
>> I came up empty.  So ...  The best I've found from this CVE is
>> RedHat's bugzilla entry at
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>>
>> which contains a (suggested) patch.
>
> We can integrate a suggested fix if the patch author submits their
> patch to our ITS directly. Due to IPR concerns we don't accept or act
> on 3rd party patch submissions.

Hm, ok.  I've submitted an update to the above bug entry
petitioning for them to release the fix.  We'll see if they act
on it.

Regards,

- Håvard

