[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)

Howard Chu wrote:
> Given that the deref overlay isn't even documented and is probably used by
> only a handful of OpenLDAP developers I don't believe it even merited a CVE
> record.

Hmm, not sure. Arthur de Jong implemented support for this control in
nss-pam-ldapd a year ago [1] and IIRC also discussed it on the
openldap-technical mailing list.

Ciao, Michael.

[1] http://arthurdejong.org/git/nss-pam-ldapd/tree/ChangeLog

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

        * [c6c317e] : Implement deref control handling

          This uses the LDAP_CONTROL_X_DEREF control as described in
          draft-masarati-ldap-deref-00 to request the LDAP server to
          dereference group member attribute values to uid attribute values.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature