[Pkg-openldap-devel] status check for openldap CVE-2015-3276
Luca Bruno
lucab at debian.org
Thu Jul 23 14:31:27 UTC 2015
Hi all,
I just noticed a pending CVE against openldap:
https://security-tracker.debian.org/tracker/CVE-2015-3276
This actually originates in Red Hat and the patch (only?) seems to still be
under embargo:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/show_bug.cgi?id=1231522
From the few details there, this seems to only affect NSS usage.
To the best of my knowledge, all supported versions of openldap in Debian use
GnuTLS. Combinations like "ECDH+SHA" should not be valid as gnutls priority
specs. Thus, I think this could be marked as not affecting us.
It would be nice if someone else from the openldap or security team could
double-check my points above.
Ciao, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG: 0xBB1A3A854F3BBEBF
`- http://www.debian.org | Debian GNU/Linux Developer
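The two checks the message relies on (that Debian's openldap is linked against GnuTLS rather than NSS, and that a string such as "ECDH+SHA" is not a valid GnuTLS priority spec) can be verified on a box directly. The following script is an added example and is not part of the original message or of the openldap packaging; the library path in the usage comment is an assumption for a Debian amd64 system, and it assumes gnutls-cli exits non-zero when given an unparsable priority string.

```shell
#!/bin/sh
# Added example (not from the original message): check which TLS backend a
# libldap build actually links against, and whether GnuTLS accepts a given
# priority string.

# classify_tls_deps: read `ldd` output on stdin and print one of
# gnutls / nss / openssl / unknown, depending on which TLS library appears.
classify_tls_deps() {
  deps=$(cat)
  if printf '%s\n' "$deps" | grep -q 'libgnutls\.so'; then
    echo gnutls
  elif printf '%s\n' "$deps" | grep -q 'libnss3\.so'; then
    echo nss
  elif printf '%s\n' "$deps" | grep -q 'libssl\.so'; then
    echo openssl
  else
    echo unknown
  fi
}

# tls_backend_of_lib: classify a shared object on disk (needs ldd).
tls_backend_of_lib() {
  ldd "$1" 2>/dev/null | classify_tls_deps
}

# gnutls_priority_accepted: return 0 if gnutls-cli parses the priority string,
# 1 if it rejects it, 2 if gnutls-cli is not installed. Assumption: gnutls-cli
# prints a syntax error and exits non-zero for an unparsable string.
gnutls_priority_accepted() {
  command -v gnutls-cli >/dev/null 2>&1 || return 2
  gnutls-cli --priority "$1" -l >/dev/null 2>&1
}

# Usage (library path is an assumption for Debian amd64):
#   tls_backend_of_lib /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2
#   gnutls_priority_accepted 'ECDH+SHA'; echo "exit=$?"
```

If the first call prints "gnutls" and the second exits 1, the message's reasoning holds for that system: the NSS-style cipher string has no meaning to the backend actually in use.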