[Pkg-openldap-devel] Bug#488710: Bug#488710: Bug#488710: slapd: remote DoS

Steve Langasek vorlon at debian.org
Mon Jun 30 22:09:57 UTC 2008


On Mon, Jun 30, 2008 at 01:58:32PM -0700, Quanah Gibson-Mount wrote:
> --On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <vorlon at debian.org> 
> wrote:

> >> An upstream patch seems to be here:
> >> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

> > According to the bug state, this bug fix is still being tested upstream,
> > so it would be premature to upload this patch yet.

> You may wish to read the commit message. ;)

> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
> CVS Tags: HEAD
> Changed since 1.120: +6 -8 lines
> Diffs to 1.120 (colored diff)

> ITS#5580 fix length decoding, verified with PROTOS

Well, that can only prove that it's no longer vulnerable, right, not that it
still works after the fact? ;)

I'm still inclined to wait until I see upstream bless this patch before
pushing out a fix to unstable.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org