Your message dated Sat, 12 Aug 2017 16:17:11 +0000
with message-id <e1dgz67-0008jw...@fasolo.debian.org>
and subject line Bug#820244: fixed in openldap 2.4.44+dfsg-5+deb9u1
has caused the Debian Bug report #820244,
regarding libldap: use-after-free in GnuTLS-related code (patch available)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
820244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openldap
Version: 2.4.42+dfsg-2

Code located in file libraries/libldap/tls_g.c, containing an
interface to GnuTLS, suffers from a bug causing the configuration
variable tls_reqcert to be read from previously freed memory, thus
assuming random values or causing a segfault. This has been observed
in slapd during syncrepl connection retries, but may possibly happen
in other circumstances. Depending on the configuration, this can lead
to TLS handshake failures, a silent omission of certificate
verification (a security issue) or slapd unexpectedly crashing. This
bug cannot be worked around by configuration changes. In order to
avoid it, it is necessary to recompile package openldap either with a
patch or with OpenSSL support (in which case the problematic code path
is avoided).

Known affected versions are 2.4.41 to 2.4.44, but it is likely that
earlier versions also contain this bug. The bug has been reported to
OpenLDAP project and fixed in their git master:
OpenLDAP commit: 283f3ae1713df449cc170965b311b19157f7b7ea
Link: 
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=283f3ae1713df449cc170965b311b19157f7b7ea
More details are available on OpenLDAP bug tracker at:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8385

Related Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557248

Thank you

--- End Message ---
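The failure mode the report describes (a verification policy read from memory that has already been released, so the handshake sees a garbage value and silently skips certificate checking) is a general bug class, not specific to GnuTLS. The following C program is an added illustration written for this page; it is not OpenLDAP's tls_g.c, the upstream ITS#8385 patch, or Debian's packaging. The option names, the numeric mode values, the `struct tls_opts` layout and the single-slot poisoning allocator are all assumptions made for the example: a real free() would make the dangling read undefined behaviour, so the toy release() overwrites the block with 0xA5 bytes instead, which is what AddressSanitizer or a debug allocator would expose in practice.

```c
#include <stdio.h>
#include <string.h>

/* Require-cert modes, in the spirit of libldap's LDAP_OPT_X_TLS_REQUIRE_CERT
 * settings (never/allow/try/demand). The numeric values are assumed for
 * this example and are not taken from OpenLDAP's headers. */
enum require_cert { REQ_NEVER = 0, REQ_ALLOW = 1, REQ_TRY = 2, REQ_DEMAND = 3 };

/* Hypothetical option block a TLS context is initialised from. It stands
 * in for "the configuration" only; it is not libldap's real layout. */
struct tls_opts {
    int require_cert;
    char ca_file[64];
};

/* Toy allocator with a single slot. opts_release() poisons the slot with
 * 0xA5 bytes so a read through a dangling pointer yields a deterministic
 * garbage value rather than the undefined behaviour a real free() gives. */
static struct tls_opts slot_storage;
static int slot_in_use;

static struct tls_opts *opts_alloc(int require_cert, const char *ca_file)
{
    if (slot_in_use)
        return NULL;
    slot_in_use = 1;
    slot_storage.require_cert = require_cert;
    snprintf(slot_storage.ca_file, sizeof slot_storage.ca_file, "%s", ca_file);
    return &slot_storage;
}

static void opts_release(struct tls_opts *o)
{
    (void)o;
    memset(&slot_storage, 0xA5, sizeof slot_storage);
    slot_in_use = 0;
}

/* Verification policy derived from the option at handshake time.
 * Simplified: only TRY and DEMAND verify the peer certificate. */
static int must_verify_peer(int require_cert)
{
    return require_cert == REQ_TRY || require_cert == REQ_DEMAND;
}

/* Vulnerable pattern: the session keeps a pointer into the option block
 * and consults it on every (re)connect, including after the block has
 * been released, e.g. when a connection is torn down and retried. */
struct session_vuln { const struct tls_opts *opts; };

int retry_handshake_vuln(void)
{
    struct tls_opts *o = opts_alloc(REQ_DEMAND, "/etc/ssl/certs/ca.pem");
    struct session_vuln s = { o };

    opts_release(o);                         /* s.opts now dangles */
    int req = s.opts->require_cert;          /* reads 0xA5A5A5A5, not DEMAND */
    return must_verify_peer(req);            /* matches no mode: check skipped */
}

/* Fixed pattern: snapshot the scalar option into the session when the
 * session is created, so the option block's lifetime no longer matters. */
struct session_fixed { int require_cert; };

int retry_handshake_fixed(void)
{
    struct tls_opts *o = opts_alloc(REQ_DEMAND, "/etc/ssl/certs/ca.pem");
    struct session_fixed s = { o->require_cert };

    opts_release(o);                         /* nothing in s points at it */
    return must_verify_peer(s.require_cert); /* still DEMAND: check enforced */
}

int main(void)
{
    printf("vulnerable path verifies peer: %d\n", retry_handshake_vuln());
    printf("fixed path verifies peer:      %d\n", retry_handshake_fixed());
    return 0;
}
```

The vulnerable path returns 0 (no verification) although the administrator configured DEMAND; with a real allocator the garbage could equally be a value that causes a handshake failure or a crash, which is why the report lists all three outcomes. The practical check on a Debian host is which TLS backend libldap was built against: `ldd` on the installed libldap shared object shows whether it links libgnutls or libssl, and only the GnuTLS build exercises tls_g.c.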
--- Begin Message ---
Source: openldap
Source-Version: 2.4.44+dfsg-5+deb9u1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 820...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <r...@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Aug 2017 12:12:46 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-common 
libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.44+dfsg-5+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers 
<pkg-openldap-de...@lists.alioth.debian.org>
Changed-By: Ryan Tandy <r...@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap-common - OpenLDAP common files for libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 820244 860774 860947 864719 868753
Changes:
 openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium
 .
   * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
     later versions. (Closes: #860774)
   * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
     the underlying kernel bug #866122 is fixed.
   * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
   * Import upstream patch to avoid reading the value of the
     LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
     (ITS#8385) (Closes: #820244)
   * Import upstream patch to fix potential endless replication loop in a
     multi-master delta-syncrepl scenario with 3 or more nodes.
     (ITS#8432) (Closes: #868753)
   * Import upstream patches to fix memory corruption caused by calling
     sasl_client_init() multiple times and possibly concurrently.
     (ITS#8648) (Closes: #860947)
Checksums-Sha1:
 9cfaa4a157f37fd1e77df1605e0d7c886aecc42b 3009 openldap_2.4.44+dfsg-5+deb9u1.dsc
 9b7a6f58266c688ea90c8c79f989673330edebe9 165640 
openldap_2.4.44+dfsg-5+deb9u1.debian.tar.xz
Checksums-Sha256:
 49a6e5b8c90cd3743d29854e2c07a31cfc420075d3368832a7c4e16e47c6aaae 3009 
openldap_2.4.44+dfsg-5+deb9u1.dsc
 06c3aa004b251b5acd036f26db245bfc5207811acf42d20dc02850eb60afb6bd 165640 
openldap_2.4.44+dfsg-5+deb9u1.debian.tar.xz
Files:
 d243ee69c455d1433e9fd35db5fc04f0 3009 net optional 
openldap_2.4.44+dfsg-5+deb9u1.dsc
 5823b2c03024bb2fbad10cd9537239df 165640 net optional 
openldap_2.4.44+dfsg-5+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
