Bug#965184: CVE-2020-15719
Moritz Mühlenhoff
jmm at inutil.org
Wed Jul 22 15:29:21 BST 2020
On Fri, Jul 17, 2020 at 09:07:57AM -0700, Ryan Tandy wrote:
> Control: tag -1 moreinfo
>
> Hi Moritz, thanks for the report.
Sorry for the late reply, had a bunch of other issues pending.
> On Fri, Jul 17, 2020 at 12:41:35PM +0200, Moritz Muehlenhoff wrote:
> > CVE-2020-15719 was assigned to an issue in OpenLDAP found by Red Hat:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1740070
> >
> > The underlying OpenLDAP bug is restricted, though:
> > https://bugs.openldap.org/show_bug.cgi?id=9266
>
> The OpenLDAP ticket has now been made public.
Thanks.
> There might be an argument to be made that the Common Name matching is
> described as something the implementation "may also" do, so we could tweak
> how it works without actually violating RFC 4513. However it's enough of a
> grey area (and a subtle enough difference) that I think I'd prefer to just
> follow upstream, especially if some existing setups might be depending on
> that behaviour (CN not duplicated in a SAN).
>
> What do you think?
We should definitely follow upstream, I think Howard's reasoning makes
a lot of sense. I'll mark it as a non-issue in the Debian Security Tracker.
Cheers,
Moritz
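The thread contrasts two server-identity policies for LDAP over TLS: matching the hostname only against subjectAltName dNSName entries (consulting the subject Common Name solely when the certificate has no dNSName SAN at all), versus additionally accepting a CN match even when SANs are present, the behaviour RFC 4513 says a client "may also" perform and which some deployments with a CN not duplicated in a SAN may rely on. The following Python example is added here for illustration; it is not OpenLDAP's code and not part of this thread. It assumes the certificate has already been parsed into a plain `ParsedCert` record (the `common_name` and `san_dns` fields are this example's own names), implements a left-most-label wildcard match, and exposes both policies through the `cn_fallback_only` flag so the two outcomes can be compared side by side on constructed sample data.

```python
"""Server identity check: subjectAltName first, Common Name as fallback.

Added example (not OpenLDAP code). It models the two policies discussed
in the thread for a certificate represented as a plain record:

  - strict  (cn_fallback_only=True):  match SAN dNSName entries; consult
    the subject CN only when the certificate carries no dNSName SAN at all.
  - lenient (cn_fallback_only=False): additionally accept a CN match even
    when SAN entries are present but none of them matched.

All certificate contents below are constructed test data, not real certs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedCert:
    """Minimal stand-in for a parsed X.509 certificate (hypothetical type)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match.

    A '*' is honoured only as the entire left-most label and only when at
    least two labels follow it, so '*.example.org' matches 'ldap.example.org'
    but never 'a.ldap.example.org' or a bare 'example.org', and '*.org' is
    rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(h_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: ParsedCert, host: str, cn_fallback_only: bool = True) -> bool:
    """Return True if `host` is an acceptable identity for `cert`.

    The SAN dNSName list is always checked first.  With cn_fallback_only=True
    a certificate that has SAN entries is judged on those alone; the CN is
    only consulted for certificates with no dNSName SAN.  With
    cn_fallback_only=False the CN is consulted whenever the SAN check fails.
    """
    if any(_name_match(name, host) for name in cert.san_dns):
        return True
    if cn_fallback_only and cert.san_dns:
        # SAN present but nothing matched: the strict policy stops here.
        return False
    return cert.common_name is not None and _name_match(cert.common_name, host)


def compare_policies(cert: ParsedCert, host: str) -> Dict[str, bool]:
    """Evaluate both policies for one certificate/host pair."""
    return {
        "strict": hostname_matches(cert, host, cn_fallback_only=True),
        "lenient": hostname_matches(cert, host, cn_fallback_only=False),
    }


if __name__ == "__main__":
    # Constructed sample certificates (hypothetical names, not real hosts).
    samples = {
        "CN duplicated in SAN": ParsedCert("ldap.example.org", ["ldap.example.org"]),
        "CN only, no SAN": ParsedCert("ldap.example.org"),
        "SAN present, CN differs": ParsedCert("ldap.example.org", ["other.example.org"]),
        "wildcard SAN": ParsedCert(None, ["*.example.org"]),
    }
    for label, cert in samples.items():
        print(f"{label:26s} -> {compare_policies(cert, 'ldap.example.org')}")
```

The third sample is the case the thread is concerned with: a certificate whose SAN entries do not cover the connected hostname but whose CN does. Under the strict policy the connection is refused; under the lenient policy it is accepted, which is why changing the default can break deployments that never put the CN into a SAN.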