
Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)



Clément OUDOT wrote:
> Hi,
>
> I saw today two CVEs on OpenLDAP:
> * http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
> * http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125
>
> Don't know if they are reported in some ITS.

That's because you're reading 2nd or 3rd-hand reports. Read the actual CVEs and you'll see that the relevant ITSs are already linked.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546

Given that the deref overlay isn't even documented and is probably used by only a handful of OpenLDAP developers, I don't believe it even merited a CVE record.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/