[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Calysto v1.5 reports on openldap_v2.4.4alpha

Domagoj Babic wrote:
> Pierangelo,
> I didn't understand the last part on marking submissions private.
> Pardon my ignorance. Could you please elaborate?

Please keep replies on the list.

>> For this purpose, the ITS allows to mark submissions as PRIVATE.

You posted to the openldap-bugs mailing list.  This list is for
discussion about bugs; but to track issues, like a bug report (as yours
seems to be) you're supposed to file an ITS using the ITS interface
<http://www.openldap.org/its/>.  This is necessary to keep track of the
status of your submission, otherwise it's just a bunch of emails,
eventually destined to the bin.

When you submit a bug, you can mark it as PRIVATE.  This means that the
bug will only be visible to authorized users (essentially, OpenLDAP
developers). A PRIVATE ITS means it's only temporarily private, until
the issue is solved; after that, all the traffic about that ITS becomes
public.  This feature is solely intended to deal with issues that may
potentially represent a threat to data security, or system vulnerabilities.

For example, if your static scan just checks for NULL pointer
dereferencing, without considering the context, as Kurt and Howard
already pointed out you could find that hundreds of occurrences that a
test client does not check malloc(3) results without being harmful, and
one occurrence of the server not checking a pointer at the culprit of
dealing with requests.  In the latter case, until fixed this would
expose all deployments of OpenLDAP to denial of service, but it could go
unnoticed because clobbered by the rest.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it