From ${URL} : It was found that using openldap with a long list of acceptable CA names might break encryption. Sending the credentials before the handshake is complete would cause them to go out unencrypted.

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861838

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
@maintainer(s): A patch is available: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=7b5181da8cdd47a13041f9ee36fa9590a0fa6e48. It has been merged in Debian version 2.4.45+dfsg-1.

Demetris Nakos -- Gentoo Security Padawan --
this is probably fixed in current stable versions
(In reply to Pacho Ramos from comment #2)
> this is probably fixed in current stable versions

Patch: https://git.openldap.org/openldap/openldap/-/commit/7b5181da8cdd47a13041f9ee36fa9590a0fa6e48 looks like it landed in 2.4.46:
> Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650)

so tree is clean.
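The failure mode described in the bug report above (credentials leaving the process unencrypted when the TLS handshake has not actually finished) and the fix referenced in this comment (ITS#8650, GNUTLS_E_AGAIN handling) come down to one decision: whether a non-fatal, "try again later" handshake result is treated as success or as "not yet connected". The following Python model is an added illustration, not libldap or OpenLDAP code and not a transcription of the patch. It stands in a fake session for gnutls_session_t and the socket under it, uses GnuTLS constant names whose numeric values are assumed from gnutls.h, and places the vulnerable connect logic beside a hardened one so the difference in what reaches the wire is visible.

```python
"""Model of the ITS#8650 failure mode: a non-fatal handshake return treated as success.

Constructed example; the session, codes and credentials below are stand-ins, not
real libldap behaviour or real data.
"""
from dataclasses import dataclass, field

# Return codes mirroring GnuTLS. Values assumed from gnutls.h (not from the bug page).
GNUTLS_E_SUCCESS = 0
GNUTLS_E_AGAIN = -28            # non-fatal: handshake needs another round trip
GNUTLS_E_INTERRUPTED = -52      # non-fatal: interrupted, retry
GNUTLS_E_CERTIFICATE_ERROR = -43  # fatal, used here for contrast

NON_FATAL = {GNUTLS_E_AGAIN, GNUTLS_E_INTERRUPTED}


def error_is_fatal(rc: int) -> bool:
    """Models gnutls_error_is_fatal(): negative codes are errors unless they are retryable."""
    return rc < 0 and rc not in NON_FATAL


@dataclass
class FakeSession:
    """Stands in for a gnutls_session_t plus its underlying socket.

    handshake_codes: results returned by successive gnutls_handshake() calls.
    A long list of acceptable CA names makes the real handshake need more
    than one round trip on a non-blocking socket; a leading GNUTLS_E_AGAIN
    models exactly that.
    """
    handshake_codes: list
    established: bool = False
    wire: list = field(default_factory=list)  # (protection, bytes) records of what left the process

    def handshake(self) -> int:
        rc = self.handshake_codes.pop(0) if self.handshake_codes else GNUTLS_E_SUCCESS
        if rc == GNUTLS_E_SUCCESS:
            self.established = True
        return rc

    def send(self, data: bytes) -> None:
        # Application data is only protected once the TLS layer is really established.
        self.wire.append(("ciphertext" if self.established else "PLAINTEXT", data))


def tls_connect_vulnerable(session: FakeSession) -> int:
    """Pre-fix shape of the logic: only a *fatal* error is reported, so GNUTLS_E_AGAIN
    falls through and the caller believes TLS is up."""
    rc = session.handshake()
    if rc != GNUTLS_E_SUCCESS and error_is_fatal(rc):
        return rc
    return 0  # BUG: reached for GNUTLS_E_AGAIN as well


def tls_connect_fixed(session: FakeSession, max_rounds: int = 16) -> int:
    """Hardened logic: keep driving the handshake while it is merely incomplete and
    report success only when gnutls_handshake() itself returned GNUTLS_E_SUCCESS."""
    for _ in range(max_rounds):
        rc = session.handshake()
        if rc == GNUTLS_E_SUCCESS:
            return 0
        if error_is_fatal(rc):
            return rc
        # Non-fatal: the socket needs another round trip, so retry.
    return GNUTLS_E_AGAIN  # still not done: caller must not send credentials yet


def bind(session: FakeSession, connect, credentials: bytes = b"cn=admin,dc=example,dc=org:hunter2"):
    """Simplified StartTLS-then-simple-bind: credentials go out only if connect() reports TLS is up.
    Returns (rc, wire) so the caller can see exactly what was transmitted and how."""
    rc = connect(session)
    if rc != 0:
        return rc, session.wire
    session.send(credentials)
    return 0, session.wire


def demo():
    """Same 'long CA list' handshake sequence driven through both connect routines."""
    long_ca_list = [GNUTLS_E_AGAIN, GNUTLS_E_SUCCESS]
    vulnerable = bind(FakeSession(list(long_ca_list)), tls_connect_vulnerable)
    fixed = bind(FakeSession(list(long_ca_list)), tls_connect_fixed)
    return vulnerable, fixed


if __name__ == "__main__":
    for label, (rc, wire) in zip(("vulnerable", "fixed"), demo()):
        print(f"{label}: rc={rc} wire={wire}")
```

The defender-side takeaway is the check in `tls_connect_fixed`: success is "the handshake function said success", never "the handshake function did not report a fatal error". A retryable code on a non-blocking socket is a normal event, and any layer that sends secrets must wait for it to resolve.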
GLSA Vote: No. Thank you all for your work. Closing as [noglsa].