Bug 424167 (CVE-2012-2668)

Summary:	<net-nds/openldap-2.4.35 : weak cyphers lead to possible information leak (CVE-2012-2668)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ldap-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	480304
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev

2012-06-29 21:12:05 UTC

CVE-2012-2668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2668):
  libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when
  using the Mozilla NSS backend, always uses the default cipher suite even
  when TLSCipherSuite is set, which might cause OpenLDAP to use weaker ciphers
  than intended and make it easier for remote attackers to obtain sensitive
  information.

Comment 1 Agostino Sarubbo gentoo-dev

2012-06-29 21:20:34 UTC

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff;f=libraries/libldap/tls_m.c;h=b608551e4dce051c12c27077ad1686e46c73c8aa;hp=23d843c0ec2c0d8697ad636f641630d3e4305845;hb=2c2bb2e;hpb=3f46f2e0bcc6b4eb3900c6686c26d7d3698a2255

upstream patch

Comment 2 Sergey Popov gentoo-dev

2013-10-07 09:27:15 UTC

Added to existing GLSA draft

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2014-07-01 00:22:12 UTC

This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).