[Pkg-openldap-devel] Bug#465875: [Fwd: Fwd: [USN-584-1] OpenLDAP vulnerabilities]

Moritz Muehlenhoff jmm at inutil.org
Fri Apr 4 21:07:11 UTC 2008


On Thu, Apr 03, 2008 at 11:30:12PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Mar 24, 2008 at 11:56:43AM +0100, Moritz Muehlenhoff wrote:
> > On Sun, Mar 23, 2008 at 04:05:00PM -0700, Steve Langasek wrote:
> > > found 465875 2.3.30-5
> > > thanks
> > > 
> > > On Wed, Mar 12, 2008 at 12:54:03PM +1100, Brian May wrote:
> > > 
> > > > Can you please confirm if this is an issue for the Debian stable version
> > > > (2.3.30-5)? I get the impression that 2.3.30 is affected, and I can't
> > > > see any security updates.
> > > 
> > > Yes, etch is affected.  However, this is a DoS attack rather than a
> > > privilege escalation vector, which AIUI is not normally grounds for a DSA.
> > > Security team, the patch for this issue is attached - what say you?  Should
> > > I upload it to stable-security, or to proposed-updates?
> > 
> > Whether DoS issues warrant a security update depends highly on the
> > nature of the affected application. For core infrastructure packages
> > like slapd this is usually the case.
> > 
> > I'll take care of an update based on your diff (there are three more;
> > I'll check whether they affect Etch).
> 
> Sorry, I've been busy so it took longer than expected. I have backported
> patches ready, I'll push this into the security buildd network tomorrow.

Packages are building. I need some additional testing, so if anyone could
run the packages from http://people.debian.org/~jmm/ldap/ on his/her production
system, that would be highly appreciated.

Cheers,
        Moritz