From ${URL} :

A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain BER data. A remote attacker could use this flaw to crash slapd via a specially crafted packet.

Upstream advisory (including a reproducer): http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240
Upstream patch: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
CVE assignment request: http://seclists.org/oss-sec/2015/q3/535

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Does version 2.4.44 contain the fix for this vulnerability? If it does, we can stabilize it for both this bug and 539044.
This was fixed in =net-nds/openldap-2.4.43. From http://www.openldap.org/software/release/changes.html:

> OpenLDAP 2.4.43 Release (2015/11/30)
> Fixed liblber remove obsolete assert (ITS#8240, ITS#8301)
> [...]

@ Arches, please test and mark stable: =net-nds/openldap-2.4.44

Stable target(s): alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
Stable on alpha.
sparc stable
arm stable
ppc stable
Stable for HPPA.
ia64 stable
ppc64 stable. Maintainer(s), please clean up. Security, please vote.
https://github.com/gentoo/gentoo/pull/3621
Tree is clean and the security mask remains for 2.3.x versions per maintainers' feedback.
(In reply to Aaron Bauman from comment #13)
> Tree is clean and the security mask remains for 2.3.x versions per
> maintainers feedback.

Please revert openldap-2.4.15-ppolicy.patch ASAP. It is in use by the stable version.

https://bugs.gentoo.org/show_bug.cgi?id=607560
(In reply to Anton Bolshakov from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Tree is clean and the security mask remains for 2.3.x versions per
> > maintainers feedback.
>
> please revert back openldap-2.4.15-ppolicy.patch ASAP. It is in use by the
> stable version.
>
> https://bugs.gentoo.org/show_bug.cgi?id=607560

Reverted. Thanks.
Can we please update the patch set and drop the vulnerable versions?
(In reply to Yury German from comment #16)
> Can we please update the patch set and drop the vulnerable versions?

The patch set is good. The reversion was for one that is needed.

@maintainer, can we drop 2.3.x yet?
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19c0a4ec55e0c9802b1b4fdf2bf7c1613ebfcd33