
Re: Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)



2015-02-24 1:36 GMT+01:00 Howard Chu <hyc@symas.com>:
> Clément OUDOT wrote:
>>
>> Hi,
>>
>> I saw two CVEs on OpenLDAP today:
>> *
>> http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
>> *
>> http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125
>>
>> I don't know if they are reported in some ITS.
>
>
> That's because you're reading 2nd- or 3rd-hand reports. Read the actual CVEs
> and you'll see that the relevant ITSs are already linked.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
>
> Given that the deref overlay isn't even documented and is probably used by
> only a handful of OpenLDAP developers, I don't believe it even merited a CVE
> record.


Agreed for the deref CVE, but I confirm that the matched values bug is
present in the official 2.4.40 version (and so in LTB packages). I saw
that 2.4.41 was in preparation; any idea of a release date?

Clément.
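A practical follow-up to the thread is checking whether a deployed slapd predates the 2.4.41 release that Clément is waiting for. The script below is an added example written for this page, not code from the OpenLDAP project or from either poster. It assumes the banner format printed by `slapd -VV` (the `@(#) $OpenLDAP: slapd X.Y.Z (...) $` line, which is conventional for typical builds but not taken from the thread), uses a constructed sample banner so it runs offline, and treats every 2.4.x build older than 2.4.41 as affected by the matched values bug; that cut-off is an assumption based on the thread, so confirm it against the CVE and ITS records before acting on it.

```python
import re
import subprocess

# Release that the thread says carries the matched values fix
# (CVE-2015-1546). Assumption: every 2.4.x build before it is affected.
FIXED_VERSION = (2, 4, 41)

# Constructed sample of the first line printed by `slapd -VV`.
# The banner layout is assumed from typical builds, not from the page.
SAMPLE_BANNER = "@(#) $OpenLDAP: slapd 2.4.40 (Nov 10 2014 11:53:38) $"

# Match "slapd <major>.<minor>.<patch>" anywhere in the banner text.
_VERSION_RE = re.compile(r"\bslapd\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a slapd banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the build is a 2.4.x release older than the assumed fix.

    Unknown versions and other branches return False rather than guessing,
    so a False result means "not shown to be affected", not "safe".
    """
    if version is None:
        return False
    major, minor, _patch = version
    if (major, minor) != (2, 4):
        return False
    return version < FIXED_VERSION


def read_local_banner():
    """Run `slapd -VV` if present and return its output (it reports on
    stderr on most builds, so both streams are captured). Falls back to
    the constructed sample when slapd is not installed."""
    try:
        proc = subprocess.run(["slapd", "-VV"], capture_output=True, text=True)
    except FileNotFoundError:
        return SAMPLE_BANNER
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    banner = read_local_banner()
    version = parse_version(banner)
    if version is None:
        print("could not find a slapd version in:", banner.strip())
    else:
        state = "AFFECTED (before 2.4.41)" if is_affected(version) else "not shown affected"
        print("slapd %d.%d.%d: %s" % (version + (state,)))
```

Run it on the host that serves LDAP (the version in an LTB or distribution package does not always match the upstream tarball name, so reading the banner from the installed binary is more reliable than trusting the package version string).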