[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing
- From: hyc@symas.com
- Date: Tue, 13 Dec 2016 10:44:27 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
he@NetBSD.org wrote:
> Full_Name: Havard Eidnes
> Version: 2.4.44
> OS: NetBSD
> URL:
> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>
>
> Hi,
>
> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
> attempts at finding the bug reported in your mailing list archive
> I came up empty. So ... The best I've found from this CVE is
> RedHat's bugzilla entry at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=3D1238322
>
> which contains a (suggested) patch.
We can integrate a suggested fix if the patch author submits their patch =
to=20
our ITS directly. Due to IPR concerns we don't accept or act on 3rd party=
=20
patch submissions.
>
> Summarized:
>
> The openldap (for NSS) emulation of the openssl cipherstring parsing=
code
> incorrectly implements the multi-keyword mode.
> As a consequence anyone using a combination like:
>
> ECDH+SHA
>
> will not get the expected set of ciphers [...]
>
> (I'm somewhat dismayed that this was apparently not reported upstream
> earlier...)
>
> Best regards,
>
> - H=C3=A5vard
>
>
>
--=20
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/