[Pkg-openldap-devel] slapd: dangerous access rule in default config

Yves-Alexis Perez corsac at debian.org
Mon Mar 30 13:56:02 UTC 2015


On Mon, Mar 30, 2015 at 02:16:30PM +0200, Luca Bruno wrote:
> On Sunday 29 March 2015 16:02:49 Yves-Alexis Perez wrote:
> > On sam., 2015-03-28 at 15:40 -0700, Ryan Tandy wrote:
> > > Hi! Thanks for picking this up again.
> > > 
> > > On Sat, Mar 28, 2015 at 10:20:45PM +0100, Yves-Alexis Perez wrote:
> > > >Sorry for letting this fall through the cracks. I guess we should try
> > > >to finish this by pushing a DSA so people are aware of this.
> > > >
> > > >The patches look ok, so I think we can proceed with the upload to
> > > >security-master. I didn't yet request a CVE on oss-sec, so I'll do it
> > > >right now so we have it for the DSA.
> > > >
> > > >Any question? Again sorry for the delay.
> > > 
> > > Sounds good. I assume "the patches" means you're ok with including the
> > > unrelated CVE fixes I linked a couple of messages ago [1].
> > > 
> > > I'll try to provide an updated and tested debdiff asap after the CVE ID
> > > is assigned.
> > 
> > The CVE is CVE-2014-9713, sorry I didn't put you in the loop when
> > requesting, but the thread can be found at
> > http://www.openwall.com/lists/oss-security/2015/03/28/7 (see also the
> > note about upstream documentation).
> 
> Thanks, I've updated the changelog with CVE reference.
> Current package is at 
> http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/log/?h=wheezy
>  
> > You can upload to security-master, I'll check the debdiff there.
> 
> I've just pushed the fixed package to security-master.
> I picked -2 as a revision as it never existed in our history, it is smaller 
> than later versions, and I was not sure how to properly reset/version after 
> previous NMU. I haven't yet tagged this in our git, feel free to suggest a 
> better one if needed.

I'd go for 2.4.31-1+nmu2+deb7u1 since it's the first stable upload
targeted to Wheezy. Not really pretty but eh…

Regards,
-- 
Yves-Alexis