CVE-2017-17740(https://nvd.nist.gov/vuln/detail/CVE-2017-17740): contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. @maintainer(s): In case of bump, please call for stabilization when ready, thank you. Gentoo Security Padawan (Jmbailey/mbailey_j)
we have newer versions in stable already
The vulnerability is still present. @ maintainer(s): Please rev bump and don't build contrib module "nops" from "nops-overlay".
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=276da7075cf8a92fa965fda056817d68eeac7b40 commit 276da7075cf8a92fa965fda056817d68eeac7b40 Author: Patrick McLean <chutzpah@gentoo.org> AuthorDate: 2020-03-18 01:25:56 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2020-03-18 01:33:48 +0000 net-nds/openldap-2.4.49-r2: revbump, fix pkg_postinst, sec bug #641576 pkg_postinst currently die()-s if /var/run/openldap doesn't exist, this breaks many cases (chroot build, first install etc). Also disable build of nops module for security bug #641576 Bug: https://bugs.gentoo.org/641576 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> net-nds/openldap/openldap-2.4.49-r2.ebuild | 903 +++++++++++++++++++++++++++++ 1 file changed, 903 insertions(+)
Thanks for that. @maintainer(s), please advise if you are ready for stabilisation or call for stabilistion yourself.
@maintainer(s): ping.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4bf2f1709bbb8b087c56a2e01ce735d0dac58c2b commit 4bf2f1709bbb8b087c56a2e01ce735d0dac58c2b Author: Robin H. Johnson <robbat2@gentoo.org> AuthorDate: 2020-05-02 23:12:26 +0000 Commit: Robin H. Johnson <robbat2@gentoo.org> CommitDate: 2020-05-02 23:12:26 +0000 net-nds/openldap: bump for security CVE-2020-12243 Also update mirrors to use HTTPS/HTTPS, because upstream's official download URL is a FTP site which seems to be broken. Bug: https://bugs.gentoo.org/641576 Bug: https://bugs.gentoo.org/719960 Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> net-nds/openldap/Manifest | 1 + net-nds/openldap/openldap-2.4.50.ebuild | 907 ++++++++++++++++++++++++++++++++ 2 files changed, 908 insertions(+)
GLSA vote: no.