
Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing



--On Tuesday, December 13, 2016 10:44 AM +0000 hyc@symas.com wrote:

> he@NetBSD.org wrote:
>> Full_Name: Havard Eidnes
>> Version: 2.4.44
>> OS: NetBSD
>> URL:
>> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>>
>>
>> Hi,
>>
>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
>> attempts at finding the bug reported in your mailing list archive
>> I came up empty.  So ...  The best I've found from this CVE is
>> RedHat's bugzilla entry at
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>>
>> which contains a (suggested) patch.
>
> We can integrate a suggested fix if the patch author submits their patch to
> our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
> patch submissions.

I would also note that MozNSS is not an officially supported TLS library 
for OpenLDAP, and the hack that was added for 2.4 will be removed in the 
future (likely OpenLDAP 2.5 and later).  End administrators should 
generally avoid MozNSS entirely.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>