[Pkg-openldap-devel] planning another jessie upload

Luca BRUNO lucab at debian.org
Wed Feb 4 19:00:41 UTC 2015


Hi security team,

Ryan Tandy <ryan at nardis.ca> wrote:

> I've tested the patches for #776988 and #776991 and intend to ask the 
> release team for approval to upload them, with the justification that 
> it's easy for an unauthenticated remote user to cause slapd to crash. 
> (Not even read access is needed.) #776988 only affects deref (not 
> enabled by default), but I don't know of a configuration that can 
> mitigate #776991. Any comments on these?

Should the two bugs above get a CVE assigned?
#776991 is a regression in 2.4.40, while #776988 affects all releases
but is not enabled by default. Both are remote crashers.
We plan to fix both in jessie and bpo, and the older one in wheezy.

Cheers, Luca

-- 
  .''`.  |               ~<[ Luca BRUNO ~ (kaeso) ]>~
 : :'  : | Email: lucab (AT) debian.org ~ Debian Developer
 `. `'`  | GPG Key ID: 0x3BFB9FB3       ~ Free Software supporter
   `-    | HAM-radio callsign: IZ1WGT   ~ Networking sorcerer