Re: [Pkg-openldap-devel] [SRM] (PRSC) Security fixes and possible database corruption



Matthijs Möhlmann <matthijs@cacholong.nl> schrieb:
> On Mar 28, 2011, at 11:36 PM, Adam D. Barratt wrote:
>
>> Hi,
>> 
>> Thanks for working on fixing issues in stable.
>> 
>> On Mon, 2011-03-28 at 22:41 +0200, Matthijs Möhlmann wrote:
>>> According to bug #617606 there are currently 2 CVE's open.
>>> CVE-2011-1024:
>> [...]
>>> CVE-2011-1025:
>> 
>> These look okay, although it doesn't appear that they've been resolved
>> in unstable yet?  If so, that really should be done first.  Once the
>> patches have been tested in unstable, we can then look again at applying
>> them to stable.
>> 
>>> CVE-2011-1081:
>>> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
>>> Fix: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
>>> Impact: High, possibility to remotely crash slapd.
>> 
>> The security tracker indicates that this CVE hasn't yet been checked for
>> its applicability to and impact on Debian.  Have you confirmed with the
>> security team that they don't wish to handle this?
>> 
>
> No, I haven't confirmed with the security team. I'll file a ticket in their bug
> tracking and then they can decide what to do. As suggested by Michael Gilbert.

Please proceed with a stable point update.

Cheers,
        Moritz


Reply to: