On Mar 28, 2011, at 11:21 PM, Jonathan Wiltshire wrote:

> On Mon, Mar 28, 2011 at 10:41:23PM +0200, Matthijs Möhlmann wrote:
>> CVE-2011-1081:
>> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to
>> cause a denial of service (daemon crash) via a relative Distinguished Name
>> (DN) modification request (aka MODRDN operation) that contains an empty
>> value for the OldDN field.
>> Fix:
>> http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
>> Impact: High, possibility to remotely crash slapd.
>
> This is new in the tracker, and so might be DSA material. Security team,
> can you decide if this should be a point release or a DSA please?
>
>> I would like to fix the above bugs and have it uploaded to squeeze. Am I
>> allowed to fix these issues for squeeze? And should I upload these through
>> stable-proposed-updates after you reviewed the debdiff of course?
>
> Not speaking for the release team, but from experience: the issues should
> be fixed in unstable first (I notice the bug is pending) and then a debdiff
> prepared and submitted to the release team for consideration.
>
> I'm tracking these three issues - it would help me greatly to keep PRSC
> somewhere in the subject.
>
> Thanks,
An upload to unstable is prepared for next Wednesday.

Regards,

Matthijs Möhlmann
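Added example, not code from this thread or from OpenLDAP: a minimal BER decoder for the LDAP ModifyDNRequest PDU (RFC 4511) that flags a request whose entry DN is empty, the input shape the CVE-2011-1081 text describes, usable as a pre-filter or monitoring check in front of an unpatched slapd. It assumes the advisory's "OldDN" is the request's `entry` field; the sample PDUs are constructed here, not captured traffic.

```python
# Added example (not from the thread or OpenLDAP). Assumption: the advisory's
# "OldDN" is the ModifyDNRequest `entry` field. Sample PDUs are constructed.

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos).
    Short- and long-form definite lengths only, which is all LDAP uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_modify_dn(pdu):
    """Return the fields of a ModifyDNRequest LDAPMessage, or None if the
    message carries a different operation."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, msgid, pos = _read_tlv(body, 0)
    if tag != 0x02:                         # messageID INTEGER
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x6C:                         # [APPLICATION 12] constructed = ModifyDNRequest
        return None
    _, entry, pos = _read_tlv(op, 0)        # entry LDAPDN (the DN being renamed)
    _, newrdn, pos = _read_tlv(op, pos)     # newrdn RelativeLDAPDN
    _, delold, pos = _read_tlv(op, pos)     # deleteoldrdn BOOLEAN
    new_superior = None
    if pos < len(op):                       # optional [0] newSuperior
        tag, ns, _ = _read_tlv(op, pos)
        if tag == 0x80:
            new_superior = ns.decode()
    return {"message_id": int.from_bytes(msgid, "big"),
            "entry": entry.decode(), "newrdn": newrdn.decode(),
            "deleteoldrdn": delold != b"\x00", "new_superior": new_superior}

def is_empty_entry_modrdn(pdu):
    """True when the PDU is a MODRDN whose entry (old) DN is empty."""
    req = parse_modify_dn(pdu)
    return req is not None and req["entry"] == ""

def _tlv(tag, value):                       # short-form length suffices for the samples
    return bytes([tag, len(value)]) + value

def build_modify_dn(msg_id, entry, newrdn, delete_old=True):
    # Constructed request for testing; msg_id < 128 keeps the INTEGER one byte.
    op = (_tlv(0x04, entry.encode()) + _tlv(0x04, newrdn.encode())
          + _tlv(0x01, b"\xff" if delete_old else b"\x00"))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x6C, op))

GOOD_PDU = build_modify_dn(1, "cn=alice,dc=example,dc=com", "cn=alice2")
BAD_PDU = build_modify_dn(2, "", "cn=x")  # empty entry DN: the CVE-2011-1081 shape
```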

