[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
- From: he@NetBSD.org
- Date: Tue, 13 Dec 2016 10:18:17 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL:
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
Hi,
CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
attempts at finding the bug reported in your mailing list archive
I came up empty. So ... The best I've found from this CVE is
RedHat's bugzilla entry at
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
which contains a (suggested) patch.
Summarized:
The openldap (for NSS) emulation of the openssl cipherstring parsing code
incorrectly implements the multi-keyword mode.
As a consequence anyone using a combination like:
ECDH+SHA
will not get the expected set of ciphers [...]
(I'm somewhat dismayed that this was apparently not reported upstream
earlier...)
Best regards,
- Håvard