
Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing



he@NetBSD.org wrote:
> Full_Name: Havard Eidnes
> Version: 2.4.44
> OS: NetBSD
> URL:
> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>
>
> Hi,
>
> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
> attempts at finding the bug reported in your mailing list archive
> I came up empty.  So ...  The best I've found from this CVE is
> RedHat's bugzilla entry at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>
> which contains a (suggested) patch.

We can integrate a suggested fix if the patch author submits their patch to
our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
patch submissions.
>
> Summarized:
>
>    The openldap (for NSS) emulation of the openssl cipherstring parsing code
>    incorrectly implements the multi-keyword mode.
>    As a consequence anyone using a combination like:
>
>       ECDH+SHA
>
>    will not get the expected set of ciphers [...]
>
> (I'm somewhat dismayed that this was apparently not reported upstream
> earlier...)
>
> Best regards,
>
> - Håvard
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
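The report above turns on the multi-keyword mode of OpenSSL-style cipher strings, where `ECDH+SHA` means "suites that satisfy every keyword joined by `+`" rather than a list of alternatives. The following Python model is an added example, not code from the thread, from OpenLDAP or from OpenSSL; the cipher-suite table is a constructed subset tagged with keyword categories in the style of ciphers(1), and the `match=any` variant is a hypothetical loosening of the `+` semantics used only to show how far the selected set can drift (the report does not say how the NSS emulation actually went wrong). The `missing_from` helper is the check an operator would run to confirm that a configured cipher string still selects the suites they rely on.

```python
"""Model of OpenSSL cipher-string keyword matching with '+' as intersection.

Added example; not OpenLDAP, NSS or OpenSSL code.
"""

# Constructed subset of TLS suites, tagged with the ciphers(1)-style keyword
# categories each one satisfies (key exchange, authentication, cipher, MAC).
# "SHA" is OpenSSL's alias for SHA1-MAC suites, so both tags are present.
CIPHERS = {
    "ECDHE-RSA-AES128-SHA":        {"ECDH", "ECDHE", "RSA", "AES", "AES128", "SHA", "SHA1"},
    "ECDHE-ECDSA-AES256-SHA":      {"ECDH", "ECDHE", "ECDSA", "AES", "AES256", "SHA", "SHA1"},
    "ECDHE-RSA-AES256-SHA384":     {"ECDH", "ECDHE", "RSA", "AES", "AES256", "SHA384"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDH", "ECDHE", "RSA", "AES", "AES128", "AESGCM", "AEAD"},
    "DHE-RSA-AES128-SHA":          {"DH", "DHE", "RSA", "AES", "AES128", "SHA", "SHA1"},
    "AES128-SHA":                  {"kRSA", "RSA", "AES", "AES128", "SHA", "SHA1"},
}


def expand(cipher_string, table=CIPHERS, match=all):
    """Return the ordered list of suites selected by a cipher string.

    Supported subset of the ciphers(1) grammar:
      entry ':' entry ...   entries processed left to right
      KW '+' KW ...         multi-keyword entry: a suite must match EVERY keyword
      '!' entry             delete matching suites permanently
      '-' entry             delete matching suites (a later entry may re-add them)
    Not modelled: leading '+' (move to end), '@STRENGTH', 'ALL'/'DEFAULT' aliases.

    `match` is `all` for the correct OpenSSL semantics. Passing `any` is a
    hypothetical loosening used only to illustrate how the result changes when
    '+' stops meaning intersection; it is not a description of the reported bug.
    """
    selected = []      # ordered result
    killed = set()     # suites removed with '!' can never come back
    for entry in cipher_string.split(":"):
        if not entry:
            continue
        op, body = "", entry
        if entry[0] in "!-":
            op, body = entry[0], entry[1:]
        keywords = body.split("+")
        matches = [name for name, attrs in table.items()
                   if match(k in attrs for k in keywords)]
        if op == "!":
            killed.update(matches)
            selected = [c for c in selected if c not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in matches]
        else:
            for c in matches:
                if c not in killed and c not in selected:
                    selected.append(c)
    return selected


def missing_from(cipher_string, expected, table=CIPHERS):
    """Suites in `expected` that the cipher string does NOT select.

    Useful as a configuration check: an empty result means every suite an
    operator relies on survived the parser's interpretation of the string.
    """
    return set(expected) - set(expand(cipher_string, table))


if __name__ == "__main__":
    print("correct ECDH+SHA:", expand("ECDH+SHA"))
    print("loosened ECDH+SHA:", expand("ECDH+SHA", match=any))
    print("missing:", missing_from("ECDH+SHA", {"ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA"}))
```

With the constructed table, `ECDH+SHA` selects only the two ECDH suites that use a SHA1 MAC, while the loosened variant returns every suite that matches either keyword, which here is the whole table. A parser that deviates from the intersection rule therefore changes what a deployment negotiates without any change to the operator's configuration, which is why checking the expanded list against an expected set is worthwhile whenever the TLS library or its emulation layer is swapped.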