| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | net-nds/openldap: Long list of acceptable CA names breaks encryption | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ldap-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openldap.org/software/release/changes.html | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
From ${URL} :

It was found that using openldap with a long list of acceptable CA names might break encryption. Sending the credentials while the handshake is complete would cause them to go out unencrypted.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861838

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

@maintainer(s): A patch is available: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=7b5181da8cdd47a13041f9ee36fa9590a0fa6e48. It has been merged in debian version 2.4.45+dfsg-1.

Demetris Nakos -- Gentoo Security Padawan --

this is probably fixed in current stable versions

(In reply to Pacho Ramos from comment #2)
> this is probably fixed in current stable versions

Patch: https://git.openldap.org/openldap/openldap/-/commit/7b5181da8cdd47a13041f9ee36fa9590a0fa6e48 looks like it landed in 2.4.46:
> Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650)
so tree is clean.

GLSA Vote: No

Thank you all for your work. Closing as [noglsa].
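Added illustration, not code from OpenLDAP, GnuTLS or anyone on this bug: a small model of the failure mode behind the changelog entry "Fixed libldap GnuTLS with GNUTLS_E_AGAIN". A client that calls its handshake routine once and does not treat an "again, need more data" result (GNUTLS_E_AGAIN in GnuTLS terms) as "not finished yet" can consider the session usable while a long server flight, here a list of acceptable CA names, is still arriving, and then write the LDAP Bind to the socket in clear. The corrected pattern keeps driving the handshake until it reports completion and only then sends. The transport, the CA-list encoding, the read size, the names and the credentials are all constructed for this example; libldap's real tls_g.c code path is not reproduced.

```python
# Added illustration (not OpenLDAP code): why a handshake driver that does not
# loop on an "again, need more data" result can leak the LDAP Bind in clear.

AGAIN = "again"   # stands in for GNUTLS_E_AGAIN: record incomplete, call again
DONE = "done"     # handshake finished, traffic is now protected
EOF = "eof"       # peer closed before the handshake finished


def encode_ca_list(ca_names):
    """Constructed server flight: 4-byte length followed by NUL-separated CA
    names, standing in for a CertificateRequest that carries many CA DNs."""
    body = b"\x00".join(ca_names)
    return len(body).to_bytes(4, "big") + body


class ChunkedTransport:
    """Fake socket: hands the server's flight out in fixed-size reads, so a
    long flight needs several reads while a short one fits in a single read."""

    def __init__(self, server_flight, read_size):
        self._pending = server_flight
        self._read_size = read_size
        self.wire = []  # (protection, payload) records the client wrote

    def recv(self):
        chunk = self._pending[:self._read_size]
        self._pending = self._pending[self._read_size:]
        return chunk

    def send(self, protection, payload):
        self.wire.append((protection, payload))


class ClientHandshake:
    """Minimal client-side handshake state machine: it is finished only once
    the complete CA list has been received and parsed."""

    def __init__(self, transport):
        self._t = transport
        self._buf = b""
        self.finished = False
        self.ca_names = []

    def step(self):
        if self.finished:
            return DONE
        chunk = self._t.recv()
        if not chunk:
            return EOF
        self._buf += chunk
        if len(self._buf) < 4:
            return AGAIN
        length = int.from_bytes(self._buf[:4], "big")
        if len(self._buf) < 4 + length:
            return AGAIN  # record still incomplete: caller must come back
        body = self._buf[4:4 + length]
        self.ca_names = [n for n in body.split(b"\x00") if n]
        self.finished = True
        return DONE


def send_bind(hs, transport, credentials):
    """The Bind is protected only if the handshake is done; otherwise the
    bytes go to the socket exactly as given. Returns the protection tag."""
    if hs.finished:
        transport.send("encrypted", b"<ciphertext>")
    else:
        transport.send("plaintext", credentials)
    return transport.wire[-1][0]


def bind_after_one_step(ca_names, read_size,
                        credentials=b"cn=admin,dc=example,dc=com:secret"):
    """Buggy pattern: one handshake call, AGAIN not recognised as 'not yet',
    then straight on to the Bind."""
    t = ChunkedTransport(encode_ca_list(ca_names), read_size)
    hs = ClientHandshake(t)
    if hs.step() == EOF:
        raise ConnectionError("handshake failed")
    return send_bind(hs, t, credentials)


def bind_after_full_handshake(ca_names, read_size,
                              credentials=b"cn=admin,dc=example,dc=com:secret"):
    """Fixed pattern: keep driving the handshake while it asks for more data
    and refuse to send anything until it reports DONE."""
    t = ChunkedTransport(encode_ca_list(ca_names), read_size)
    hs = ClientHandshake(t)
    rc = hs.step()
    while rc == AGAIN:
        rc = hs.step()
    if rc != DONE:
        raise ConnectionError("handshake failed: %s" % rc)
    return send_bind(hs, t, credentials)


# Constructed inputs: a one-entry list and a 200-entry list of CA names.
SHORT_CA_LIST = [b"CN=Corp Root CA"]
LONG_CA_LIST = [b"CN=Issuing CA %03d,O=Example" % i for i in range(200)]

if __name__ == "__main__":
    for name, cas in (("short", SHORT_CA_LIST), ("long", LONG_CA_LIST)):
        print(name, "one-step:", bind_after_one_step(cas, 512),
              "full:", bind_after_full_handshake(cas, 512))
```

With a 512-byte read size the short list arrives in one read, so both patterns look fine; only the long list, which spans several reads, separates them. That is why the defect surfaced as "long list of acceptable CA names" rather than as a general TLS failure, and why a test against a server with a handful of CAs would not have caught it.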