[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing

To: openldap-its@OpenLDAP.org
Subject: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
From: he@NetBSD.org
Date: Tue, 13 Dec 2016 10:18:17 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL: 
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)


Hi,

CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
attempts at finding the bug reported in your mailing list archive
I came up empty.  So ...  The best I've found from this CVE is
RedHat's bugzilla entry at

https://bugzilla.redhat.com/show_bug.cgi?id=1238322

which contains a (suggested) patch.

Summarized:

   The openldap (for NSS) emulation of the openssl cipherstring parsing code
   incorrectly implements the multi-keyword mode.
   As a consequence anyone using a combination like:

      ECDH+SHA

   will not get the expected set of ciphers [...]

(I'm somewhat dismayed that this was apparently not reported upstream
earlier...)

Best regards,

- Håvard

Prev by Date: (ITS#8542) mdb_dbi_open() can break mainDB cursors
Next by Date: Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
Index(es):
- Chronological
- Thread