[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-15719/openldap

Salvatore Bonaccorso carnil at debian.org
Fri Jul 17 20:21:26 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
69e0366f by Salvatore Bonaccorso at 2020-07-17T21:21:03+02:00
Update notes for CVE-2020-15719/openldap

In general it looks like we might simply consider this a Red Hat specific
problem. The issue was disputed upstream as being valid, with the
comment that the behaviour in libldap conforms with RFC4513 and it is
still authoritative for OpenLDAP as RFC6125 does not supersede the rules
for verifying service identity provided in specifications for existing
applications like LDAP. For details see the comments from Ryan Tandy as
raised in <https://bugs.debian.org/965184#10>.

It would seem reasonable to not diverge from upstream in Debian unless
this problem is considered severe enough.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -195,10 +195,13 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class
 	NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...)
 	- openldap <unfixed> (bug #965184)
-	NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private)
+	NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
-	NOTE: RedHat/CentOS Patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
-	NOTE: Affected file is compiled but Debian openssl uses GnuTLS.
+	NOTE: RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
+	NOTE: OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap
+	NOTE: behaviour does conform with RFC4513. RFC6125 does not superseed the rules for
+	NOTE: verifying service identity provided in specifications for existing application
+	NOTE: protocols published prior to RFC6125, like RFC4513 for LDAP.
 CVE-2020-15718 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation o ...)
 	NOT-FOR-US: RosarioSIS
 CVE-2020-15717 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation o ...)
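Review bot: The new NOTE lines for CVE-2020-15719 carry two spelling errors that will persist in data/CVE/list: "beeing" should be "being" and "superseed" should be "supersede"; "RedHat/CentOS" would also read better as "Red Hat/CentOS" in the rewritten patch NOTE. Separately, the removed line "NOTE: Affected file is compiled but Debian openssl uses GnuTLS." was the only place recording that Debian's build uses GnuTLS, which is relevant context next to a patch named openldap-tlso-dont-check-cn-when-bad-san.patch that targets the OpenSSL TLS backend; consider keeping that note alongside the new upstream-dispute notes rather than dropping it.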



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1




