[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)

To: Howard Chu <hyc@symas.com>, openldap-devel@openldap.org
Subject: Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)
From: Michael Ströder <michael@stroeder.com>
Date: Tue, 24 Feb 2015 10:47:56 +0100
In-reply-to: <54EBC796.50108@symas.com>
References: <CAK_oV48OyoAbcbQ4hw67sMgc9wgeT8bpBT0vP3reu4BpDEsF-g@mail.gmail.com> <54EBC796.50108@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 SeaMonkey/2.32.1

Howard Chu wrote:
> Given that the deref overlay isn't even documented and is probably used by
> only a handful of OpenLDAP developers I don't believe it even merited a CVE
> record.

Hmm, not sure. Arthur de Jong implemented support for this control in
nss-pam-ldapd a year ago [1] and IIRC also discussed it on the
openldap-technical mailing list.

Ciao, Michael.

[1] http://arthurdejong.org/git/nss-pam-ldapd/tree/ChangeLog

[..]
2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

        * [c6c317e] : Implement deref control handling

          This uses the LDAP_CONTROL_X_DEREF control as described in
          draft-masarati-ldap-deref-00 to request the LDAP server to
          dereference group member attribute values to uid attribute values.
[..]

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)
Next by Date: Fwd: multiple sequential lmdb readers + spinning media = slow / thrashes?
Index(es):
- Chronological
- Thread