<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Hugo Lefeuvre pushed to branch master
at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69">84eb3bca</a></strong>
<div>
<span>by Hugo Lefeuvre</span>
<i>at 2018-09-15T14:57:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">389-ds-base: mark CVE-2018-14638 not affected

CVE-2018-14638: two cloned pblocks share the same password policy,
and under certain circumstances the clone might be freed, consequently
freeing the shared password policy. Later, when the original password
policy is freed, it tries to free the password policy a second time
thus resulting in double free, crash and other undefined behavior.

It seems that this vulnerability first appeared in

74c666b83e3e1789c2ef3f7935c327bd7555193e (after 1.3.6.3), which
introduced the concept of cloning blocks

and

407d7d9de7e9c4db1e4c1f5a1a98890f2474c477 (after 1.3.7.0), which
refactored the pblock to a tree-like structure.

It is not completely clear to me when exactly the vulnerability first
appeared, but it is almost certain that the Jessie version (1.3.3.5)
is not affected since affected concepts are not present at all.
</pre>
</li>
</ul>
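<p>The ownership problem described in the commit message, as an added example that is not part of the original commit or of 389-ds-base: two blocks share one password policy, and a reference count makes the order of frees safe. The type and function names (pwpolicy, pblock, pblock_clone, pblock_free) are hypothetical stand-ins, and reference counting is used here for illustration, not as a statement of how upstream fixed the issue.</p>

```c
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not the 389-ds-base types. */
typedef struct pwpolicy { int refcnt; int min_length; } pwpolicy;
typedef struct pblock { pwpolicy *policy; } pblock;
static int policy_frees; /* counts real frees of a policy object */

static pblock *pblock_new(int min_length) {
    pblock *pb = calloc(1, sizeof *pb);
    if (pb == NULL) return NULL;
    pb->policy = calloc(1, sizeof *pb->policy);
    if (pb->policy == NULL) { free(pb); return NULL; }
    pb->policy->refcnt = 1;
    pb->policy->min_length = min_length;
    return pb;
}

/* The clone shares the policy pointer, so it takes its own reference.
 * Without the increment, clone and original would each free the policy. */
static pblock *pblock_clone(const pblock *src) {
    pblock *pb = calloc(1, sizeof *pb);
    if (pb == NULL) return NULL;
    pb->policy = src->policy;
    if (pb->policy != NULL) pb->policy->refcnt++;
    return pb;
}

/* Drop this block's reference; only the last owner frees the policy. */
static void pblock_free(pblock *pb) {
    if (pb == NULL) return;
    if (pb->policy != NULL && --pb->policy->refcnt == 0) {
        free(pb->policy);
        policy_frees++;
    }
    free(pb);
}

/* Free the clone, then the original; returns real policy frees or -1. */
int clone_then_original(void) {
    pblock *orig = pblock_new(8); /* 8 is a constructed sample value */
    pblock *clone = orig ? pblock_clone(orig) : NULL;
    if (clone == NULL) { pblock_free(orig); return -1; }
    policy_frees = 0;
    pblock_free(clone);
    int intact = (policy_frees == 0 && orig->policy->min_length == 8);
    pblock_free(orig);
    return intact ? policy_frees : -1;
}

int main(void) { return clone_then_original() == 1 ? 0 : 1; }
```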
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/commit/84eb3bcae498c6e618dea2cc018513e4954d9e69#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong>data/CVE/list</strong></a>
<hr>
No preview for this file type
<br>
</li>

</div>
</body>
</html>